Zunami Protocol Liquidity Pool Valuation Manipulation Exploit - Revision history

Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zunamiprotocolliquiditypoolvaluationmanipulationexploit.php}} {{Unattributed Sources}} Zunami Protocol Logo/Homepage
2025-06-16T22:41:17Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zunamiprotocolliquiditypoolvaluationmanipulationexploit.php}} {{Unattributed Sources}} thumb|Zunami Protocol Logo/Homepage<ref name="zunamirekt2-20210" /><ref name="zunamirekt1-20230" /><ref name="zunamiprotocoltweet1-20231" /><ref name="peckshieldtweet-20232" /><ref name="zunamiprotocoltweet2-20233" /><ref name="etherscanzeth-20234" /><ref name="etherscanuzd..."

New page
{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zunamiprotocolliquiditypoolvaluationmanipulationexploit.php}}
{{Unattributed Sources}}

[[File:Zunamiprotocol.jpg|thumb|Zunami Protocol Logo/Homepage]]<ref name="zunamirekt2-20210" /><ref name="zunamirekt1-20230" /><ref name="zunamiprotocoltweet1-20231" /><ref name="peckshieldtweet-20232" /><ref name="zunamiprotocoltweet2-20233" /><ref name="etherscanzeth-20234" /><ref name="etherscanuzd-20235" /><ref name="blocksecteamtweet-20236" /><ref name="collateralrefund-20237" /><ref name="zunamiclaim-20238" /><ref name="rekthqtweet-20239" /><ref name="rekthqtweet-20215" /><ref name="zunamihomepage-20193" />

== About Zunami Protocol ==
Zunami Protocol is a decentralized finance (DeFi) platform designed to optimize yield generation through aggregated stablecoins and omnipools. At its core, Zunami issues aggregated stablecoins like zunUSD and zunETH, which are backed by diversified assets in yield-generating strategies across various DeFi protocols. These assets are held in omnipools, which combine liquidity and flexibility, enabling efficient, decentralized, and profitable collateral management.

The omnipools are structured to maximize returns—offering users an average APY of around 20%—by distributing capital across multiple DeFi platforms such as Curve Finance, Convex Finance, Stake DAO, FRAX Finance, and C.R.E.A.M. Finance. The collateral within these pools is managed through DAO voting, ensuring that strategy adjustments are community-driven. Zunami’s Algorithmic Peg Stabilizer (APS) further ensures that stablecoin prices remain steady, automatically rebalancing portfolios and compounding yields.

The ZUN token powers governance and liquidity functions within the ecosystem. Holders can vote on protocol decisions, manage liquidity-as-a-service (LaaS), influence token emissions, and earn rewards through staking. Notably, ZUN stakers act as an additional collateral layer, reinforcing stability and receiving 100% of the protocol’s revenue in return.

Security-wise, Zunami has emphasized decentralization with no proxy contracts, DAO-based risk management, and independent audits. Its open documentation and Gitbook provide full technical transparency. In sum, Zunami Protocol is an innovative approach to stablecoin yield farming—combining aggregation, decentralization, and automated strategy execution.

== The Reality ==
Unfortunately, the Zunami Protocol smart contract contained a vulnerability where the calculation of LP token value relied on manipulable inputs—specifically, inflated reward token prices within the totalHoldings function of certain strategies like MIMCurveStakeDao. This flaw could allow an attacker to use flash loans and strategic token donations to artificially boost the prices of tokens such as $SDT and $CRV, which were then used to overstate the protocol’s asset value.

== What Happened ==
Zunami Protocol suffered a major exploit targeting its zStables Curve pools, resulting in the theft of over $2 million.
{| class="wikitable"
|+Key Event Timeline - Zunami Protocol Liquidity Pool Valuation Manipulation Exploit
!Date
!Event
!Description
|-
|August 13th, 2023 4:26:35 PM MDT
|Attack Transaction On zETH
|
|-
|August 13th, 2023 4:34:47 PM MDT
|Attack Transaction On UZD
|
|-
|August 13th, 2023 4:47:00 PM MDT
|PeckShield Notification Tweet
|PeckShield issued a warning to Zunami Protocol via Twitter, alerting them to an ongoing attack and advising users to take immediate precautions. They also shared an encrypted hash as proof of early detection, promising to release the full details once the situation stabilizes to avoid tipping off attackers.
|-
|August 13th, 2023 5:10:00 PM MDT
|Zunami Protocol Attack Tweet
|Zunami Protocol posts on Twitter/X to notify about an attack. They claim that the collateral remains secure.
|-
|August 13th, 2023 5:35:00 PM MDT
|Iron Blocks Attack Analysis
|Iron Blocks starts an analysis of the exploit in Zunami Protocol. This includes publishing the attacker wallet and transaction hash of the attack on UZD.
|-
|August 13th, 2023 6:06:00 PM MDT
|PeckShield Posting Details
|PeckShield shares details about the exploit and how it happens, followed by a tweeted diagram of the funds being washed through TornadoCash. PeckShield does not appear to ever explain what was hashed in their original tweet.
|-
|August 13th, 2023 6:39:00 PM MDT
|Do Not Buy zETH Or UZD
|Zunami Protocol sends a follow up tweet to request users not to buy zETH or UZD at the moment.
|-
|August 13th, 2023 9:39:00 PM MDT
|BlockSecTeam Exploit Details Posted
|BlockSecTeam posts an analysis and technical details of the exploit to the Zunami Protocol smart contract. They link to both transactions and provide details about how the exploit occurred.
|-
|August 14th, 2023 1:11:00 PM MDT
|Rekt News Releases Report
|Rekt News releases an article about the exploit. It covers how Zunami Protocol lost $2.1M due to a price manipulation attack targeting its zETH and UZD Curve pools, explains the technical mechanism involving flash loans and flawed LP price calculations, and highlights the broader implications for DeFi security, including evolving alert practices and debates over disclosure by security firms like Peckshield and BlockSec.
|-
|August 15th, 2023 1:01:00 PM MDT
|Zunami Protocol Releasing PostMortem
|Through a long series of tweets, Zunami Protocol publishes a post-mortem on the zStables exploit, confirming over $2 million was stolen through a price and emissions manipulation attack, while assuring users that omnipool collateral remains safe, will be fully redistributed, and that a fully audited Zunami V2 is on the way.
|-
|August 22nd, 2023 4:11:00 AM MDT
|Advanced Notice Of Reimbursement
|Zunami Protocol publishes important details for users seeking refunds for $UZD and $zETH, based on balances recorded just before the hack. A balance calculation script is available on GitHub, and individual token balances can be verified via linked spreadsheets. Fund distribution is expected to begin next week.
|-
|August 29th, 2023 7:29:00 AM MDT
|Collateral Claims Portal Online
|Zunami Protocol releases a claims portal on their website, which users can now use to claim back their collateral which they were using in the protocol.
|-
|June 13th, 2025 10:04:00 AM MDT
|Second Rekt Article Published
|Rekt News publishes a second article about Zunami Protocol which includes this exploit, after $500k goes missing from the protocol. The chief technology officer Mikhail Zelenin is a primary suspect, however he has a story about border security guards potentially holding his laptop for hours of analysis.
|}

== Technical Details ==
The attack was enabled by a combination of collateral price manipulation and a flaw in the emissions mechanism. Specifically, the attacker used flashloans to artificially inflate the prices of SDT and CRV tokens, which were then used to distort the value calculations in Zunami’s omnipool strategies. This allowed the attacker to exploit the minting and redemption logic of UZD and zETH, draining liquidity from the UZD/FRAXBP and zETH/frxETH pools.

The attacker first donated SDT and CRV tokens to omnipool strategies, which falsely increased the calculated value of protocol holdings. Using this inflated valuation, they manipulated emissions of UZD and zETH, effectively minting them at a profit. The attacker then cashed out the proceeds (about 1,184 ETH or $2.1M) and laundered the funds through Tornado Cash, obscuring their trail. Key vulnerabilities included a flawed totalHoldings function and reliance on manipulated token prices for LP value calculations.

By caching the manipulated price at the right moment, the attacker was able to redeem significantly more assets than were legitimately backed by real value. This price manipulation not only distorted the emission mechanics of the zStables (UZD and zETH), but also allowed the attacker to drain liquidity from Curve pools without immediately triggering conventional slippage or price protection mechanisms.

At the core of the vulnerability was a flaw in the way the protocol calculated the LP (Liquidity Provider) token price—specifically in the totalHoldings function used in strategies like MIMCurveStakeDao. The attackers were able to artificially inflate the price of assets such as SDT (Staked DAO Token) and its associated pricing feed (sdtPrice), misleading the protocol about the true value of the underlying collateral.

The second transaction, which yielded the most profit (~1,152 ETH), involved six coordinated steps. It began with large flash loans: 7 million USDT from Uniswap V3, 7 million USDC, and over 10,000 WETH from Balancer. These funds were used to add liquidity and manipulate token prices across various DeFi platforms. The attacker minted and swapped large volumes of LP tokens like gryFRAX and crvFRAX, eventually converting them into UZD and USDC, while simultaneously inflating SDT prices by conducting large swaps and donations into manipulated Curve pools.

The key manipulation occurred when the attacker cached artificially inflated prices using a function called cacheAssetPrice in the UZO contract. Since the balanceOf function in UZO relied on this cached price, the attacker’s holdings appeared significantly higher than they actually were. With this inflated balance, the attacker could redeem or swap tokens at manipulated values, effectively extracting unearned profit. Finally, they reversed the earlier manipulations, restoring normal pricing and leaving with the inflated UZD as profit. The attack reveals a dangerous combination of price oracle manipulation, flashloan abuse, and flawed on-chain accounting logic.

A technical walkthrough of one of the exploits was provided by BlockSecTeam:

Step 1: Borrow 7,000,000 USDT from the UniswapV3, 7,000,000 USDC and 10,011 WETH from the Balancer.

Step 2: Add liquidity in the CruyeFinance:Swap with 5,750,000 USDC and mint ~5,746,896 the gryFRAX, then swap.

~5,746,896 crvFRAX for ~4,082,046 UZD and 1,250,000 USDC for ~791,280 UZD in the Curve
Step 3 [Price Manipulation]: Swap 71 WETH for ~55,981 SDT in the Curve, then donate all SOT (~55,598) into the.MIMSurvestakeRae

Step 4 {Price Manipulation): Swap 10,000 WETH for ~58,043 SOT and 7,000,000 USDT for ~2,154 WETH in the SushiSwap

Step 5: Cache the price snapshot in the UZO via the function cacheAssetPrice {the price cached has already been manipulated)

Note: Cause the function balanceOf in the UZO contract relies on the incorrect price in the cache, the balance of the ATTACKER is inflated now!

Step 6: Reverse all operations for manipulating the price of UZD and swap all UZD inflated to profit.

== Total Amount Lost ==
According to a post by Iron Blocks, the lost amount was 1,152 ETH, valued at $2,127,000 USD. Other sources regularly cite a figure of $2.1m USD.

The total amount lost has been estimated at $2,127,000 USD.

== Immediate Reactions ==
Zunami Protocol reacted swiftly to the exploit. Within one hour of detecting the attack, the team halted all deposits and withdrawals to prevent further damage and protect remaining user funds. They quickly began analyzing the exploit and worked with security partners, such as BlockSec and SlowMist, to understand the technical root cause and confirm the scope of the damage.

== Ultimate Outcome ==
Zunami publicly acknowledged the breach, assured users that the main omnipool collateral was safe, and committed to returning collateral to users based on pre-attack balances. The team also started developing Zunami V2, incorporating fixes for the vulnerabilities and scheduling a comprehensive audit with a leading security firm to prevent similar attacks in the future. Additionally, they announced a compensation process that would allow affected users to claim their share of collateral in stablecoins (USDT, USDC, DAI) within one to two weeks.

Zunami confirmed that the omnipool collateral is safe and will be returned to holders based on balances prior to the hack. A new version of the protocol, Zunami V2, is in development and will undergo a comprehensive audit. Compensation to users will be provided in USDT, USDC, or DAI within 1–2 weeks, and users will be able to manually claim their share from the contract.

== Total Amount Recovered ==
According to the claims portal launched, "U[u]ers who were affected by the hack on the night of August 13-14 can now access UZD & zETH collateral for the block before the hack.". This became available on August 29th.

There do not appear to have been any funds recovered in this case.

== Ongoing Developments ==
Zunami Protocol launched V2 and continues to operate, though they have been subject to another hack in May 2025.
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="zunamirekt2-20210">[https://rekt.news/zunami-protocol-rekt2 Rekt - Zunami Protocol - Rekt II] (Accessed Jun 13, 2025)</ref>

<ref name="zunamirekt1-20230">[https://rekt.news/zunami-protocol-rekt Zunami Protocl - Rekt] (Accessed Jun 13, 2025)</ref>

<ref name="zunamiprotocoltweet1-20231">[https://twitter.com/ZunamiProtocol/status/1690863406079696896 Zunami Protocol - "It appears that zStables have encountered an attack. The collateral remain secure, we delve into the ongoing investigation." - Twitter/X] (Accessed Jun 13, 2025)</ref>

<ref name="peckshieldtweet-20232">[https://twitter.com/peckshield/status/1690857760412610560 PeckShiled - "Hi @zunamiprotocol, we have detected an ongoing attack. Users are strongly suggested to take necessary actions." - Twitter/X] (Accessed Jun 13, 2025)</ref>

<ref name="zunamiprotocoltweet2-20233">[https://twitter.com/ZunamiProtocol/status/1690885809639948288 "Please do not buy zETH and UZD at the moment, their emission has been attacked." - Twitter/X] (Accessed Jun 13, 2025)</ref>

<ref name="etherscanzeth-20234">[https://etherscan.io/tx/0x2aec4fdb2a09ad4269a410f2c770737626fb62c54e0fa8ac25e8582d4b690cca zETH Attack Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscanuzd-20235">[https://etherscan.io/tx/0x0788ba222970c7c68a738b0e08fb197e669e61f9b226ceec4cab9b85abe8cceb UZD Attack Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="blocksecteamtweet-20236">[https://twitter.com/BlockSecTeam/status/1690931111776358400 BlockSecTeam - "@ZunamiProtocol was hacked, and the loss is over $2M. It is a price manipulation attack that dues to the flawed calculation of the LP price, i.e., within the totalHoldings function of strategies like MIMCurveStakeDao where sdt and sdtPrice were artificially inflated." - Twitter/X] (Accessed Jun 13, 2025)</ref>

<ref name="collateralrefund-20237">[https://twitter.com/ZunamiProtocol/status/1696515513747423731 Zunami Protocol - "Dear community! Collateral refund for $UZD & $zETH holders for the block before the hack is available through the link: https://claim.zunami.io" - Twitter/X] (Accessed Jun 13, 2025)</ref>

<ref name="zunamiclaim-20238">[https://claim.zunami.io/ Zunami Claim Portal] (Accessed Jun 13, 2025)</ref>

<ref name="rekthqtweet-20239">[https://twitter.com/RektHQ/status/1691165659000877057 RektHQ - "Yesterday, @ZunamiProtocol lost $2.1M to a price manipulation attack. Keeping DeFi safe is a constant game of cat-and-mouse, one that can’t always be won... Who will be next to fall prey?" - Twitter/X] (Accessed Jun 13, 2025)</ref>

<ref name="rekthqtweet-20215">[https://twitter.com/RektHQ/status/1933556211108229310 Rekt HQ - "$500k vanished from @ZunamiProtocol in a May admin key exploit. Months of stagnant development & perfect timing may have paved the way. Team offered weak excuses, dismissed concerns, left users empty-handed. When emergency keys open doors, who's in control? Story in comments." - Twitter/X] (Accessed Jun 13, 2025)</ref>

<ref name="zunamihomepage-20193">[https://www.zunami.io/ Zunami Protocol Homepage] (Accessed Jun 11, 2025)</ref></references>