QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$50 000 USD
JANUARY 2023
GLOBAL
ZUNAMI PROTOCOL
DESCRIPTION OF EVENTS
Zunami Protocol is a decentralized finance (DeFi) platform designed to optimize yield generation through aggregated stablecoins and omnipools. At its core, Zunami issues aggregated stablecoins like zunUSD and zunETH, which are backed by diversified assets in yield-generating strategies across various DeFi protocols. These assets are held in omnipools, which combine liquidity and flexibility, enabling efficient, decentralized, and profitable collateral management.
The omnipools are structured to maximize returns—offering users an average APY of around 20%—by distributing capital across multiple DeFi platforms such as Curve Finance, Convex Finance, Stake DAO, FRAX Finance, and C.R.E.A.M. Finance. The collateral within these pools is managed through DAO voting, ensuring that strategy adjustments are community-driven. Zunami’s Algorithmic Peg Stabilizer (APS) further ensures that stablecoin prices remain steady, automatically rebalancing portfolios and compounding yields.
The ZUN token powers governance and liquidity functions within the ecosystem. Holders can vote on protocol decisions, manage liquidity-as-a-service (LaaS), influence token emissions, and earn rewards through staking. Notably, ZUN stakers act as an additional collateral layer, reinforcing stability and receiving 100% of the protocol’s revenue in return.
Security-wise, Zunami has emphasized decentralization with no proxy contracts, DAO-based risk management, and independent audits. Its open documentation and Gitbook provide full technical transparency. In sum, Zunami Protocol is an innovative approach to stablecoin yield farming—combining aggregation, decentralization, and automated strategy execution.
The attack on Zunami Protocol involved a sandwich-style MEV exploit during the swap of 66,888 DAI to USDC on a decentralized exchange. The attacker observed the transaction in the mempool and strategically placed two trades — one before (front-running) and one after (back-running) — to manipulate the exchange rate in their favor. By temporarily distorting the token price, the attacker ensured Zunami’s transaction executed at an unfavorable rate, then reversed the price change to capture the profit.
As a result, Zunami received only 17,230 USDC instead of a fair market value, incurring a loss of approximately $49,658 due to the slippage. This indicates the attacker effectively exploited either low liquidity or poor pricing resilience in the DAI/USDC trading pair, most likely through SushiSwap or a similar AMM. The attack highlights how vulnerable large, unprotected swaps are to MEV strategies when executed publicly and without slippage limits.
The impact didn’t end with the stolen funds. The distorted swap rate temporarily devalued Zunami’s ZLP tokens in the newly launched XAI + FRAXBP pool, reducing their price to $0.8213, while the ZLP price in the MIM pool remained at $1.1252. This price discrepancy introduced an arbitrage vector that could later be exploited.
According to Zunami Protocol, "In total, the attackers managed to steal approximately $49,658." Rekt News later rounded this down to $49k in their reporting.
This situation was initially not publicly noted by the Zunami Protocol team.
The Zunami Protocol team would later report this situation as follows:
"On January 26, while transferring funds to the new XAI + FRAXBP pool, we were subjected to a MEV attack. During the exchange of 66,888 DAI, we received only 17,230 USDC due to a sandwich attack on a transaction in the mempool. In total, the attackers managed to steal approximately $49,658."
This resulted in a situation where the price of ZLP in the XAI liquidity pool decreased to $0.8213, while the price of ZLP in the MIM liquidity pool remained at $1.1252.
The team reported to be preparing a compensation plan for the attack in a Medium article which they published entitled "The Zunami Protocol has come under two attacks" on February 5th, 2023.
Specific details of the sandwich attack are not known.
Zunami Protocol continues to operate, and would suffer future exploits.
Rekt - Zunami Protocol - Rekt II (Jun 13)
The Zunami Protocol has come under two attacks - Zunami Protocol Medium (Jun 13)
Sandwich Attack Transaction - EtherScan (Jun 13)
Silo Finance - "Oh? What's that? Could it be a 130k XAI-FRAXBP deposit already?" - Twitter/X (Jun 13)
Compensation Plan - Zunami Protocol Medium (Jun 13)
Rekt HQ - "$500k vanished from @ZunamiProtocol in a May admin key exploit. Months of stagnant development & perfect timing may have paved the way. Team offered weak excuses, dismissed concerns, left users empty-handed. When emergency keys open doors, who's in control? Story in comments." - Twitter/X (Jun 13)
Zunami Protocol Homepage (Jun 11)
