Zunami Protocol Pool Price Imbalance Arbitrage Exploit - Revision history

Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zunamiprotocolpoolpriceimbalancearbitrageexploit.php}} {{Unattributed Sources}} Zunami Protocol Logo/Homepage
2025-06-16T22:41:02Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zunamiprotocolpoolpriceimbalancearbitrageexploit.php}} {{Unattributed Sources}} thumb|Zunami Protocol Logo/Homepage<ref name="zunamirekt2-20210" /><ref name="zunamiprotocolmedium-20211" /><ref name="etherscan1-20216" /><ref name="etherscan2-20217" /><ref name="etherscan3-20218" /><ref name="etherscan4-20219" /><ref name="etherscan5-20220" /><ref name="ethersc..."

New page
{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zunamiprotocolpoolpriceimbalancearbitrageexploit.php}}
{{Unattributed Sources}}

[[File:Zunamiprotocol.jpg|thumb|Zunami Protocol Logo/Homepage]]<ref name="zunamirekt2-20210" /><ref name="zunamiprotocolmedium-20211" /><ref name="etherscan1-20216" /><ref name="etherscan2-20217" /><ref name="etherscan3-20218" /><ref name="etherscan4-20219" /><ref name="etherscan5-20220" /><ref name="etherscan6-20221" /><ref name="etherscan7-20222" /><ref name="etherscan8-20223" /><ref name="etherscan9-20224" /><ref name="etherscan10-20225" /><ref name="etherscan11-20226" /><ref name="etherscan12-20227" /><ref name="etherscan13-20228" /><ref name="compensationplan-20214" /><ref name="compensationspreadsheet-20229" /><ref name="rekthqtweet-20215" /><ref name="zunamihomepage-20193" />

== About Zunami Protocol ==
Zunami Protocol is a decentralized finance (DeFi) platform designed to optimize yield generation through aggregated stablecoins and omnipools. At its core, Zunami issues aggregated stablecoins like zunUSD and zunETH, which are backed by diversified assets in yield-generating strategies across various DeFi protocols. These assets are held in omnipools, which combine liquidity and flexibility, enabling efficient, decentralized, and profitable collateral management.

The omnipools are structured to maximize returns—offering users an average APY of around 20%—by distributing capital across multiple DeFi platforms such as Curve Finance, Convex Finance, Stake DAO, FRAX Finance, and C.R.E.A.M. Finance. The collateral within these pools is managed through DAO voting, ensuring that strategy adjustments are community-driven. Zunami’s Algorithmic Peg Stabilizer (APS) further ensures that stablecoin prices remain steady, automatically rebalancing portfolios and compounding yields.

The ZUN token powers governance and liquidity functions within the ecosystem. Holders can vote on protocol decisions, manage liquidity-as-a-service (LaaS), influence token emissions, and earn rewards through staking. Notably, ZUN stakers act as an additional collateral layer, reinforcing stability and receiving 100% of the protocol’s revenue in return.

Security-wise, Zunami has emphasized decentralization with no proxy contracts, DAO-based risk management, and independent audits. Its open documentation and Gitbook provide full technical transparency. In sum, Zunami Protocol is an innovative approach to stablecoin yield farming—combining aggregation, decentralization, and automated strategy execution.

== The Reality ==
After suffering a sandwich attack, the Zunami Protocol was left in a position of arbitrage, which was able to be exploited for additional profit.

== What Happened ==
An attacker was able to exploit low liquidity in the DAI/USDC pair, creating a price discrepancy exploitable through a flashloan attack to drain liquidity pools.
{| class="wikitable"
|+Key Event Timeline - Zunami Protocol Pool Price Imbalance Arbitrage Exploit
!Date
!Event
!Description
|-
|January 26th, 2023 7:14:23 AM MST
|Stablecoin Swap Sandwich Attack
|The Zunami Protocol team swaps 66,888 DAI and receives only 17,230 USDC due to a sandwich attack against their transaction in the mempool. This is reportedly "while transferring funds to the new XAI + FRAXBP pool".
|-
|January 29th, 2023 4:14:00 PM MST
|Silo Finance Sees Deposit Already
|Silo Finance reports on the sandwich attack transaction as "a 130k XAI-FRAXBP deposit" in a tweet shortly after an announcement of a partnership between the two projects.
|-
|February 3rd, 2023 9:00:11 AM MST
|First Arbitrage Transactions
|The first arbitrage swap which is exploiting the price discrepancy.
|-
|February 3rd, 2023 9:00:47 AM MST
|Final Arbitrage Transactions
|The final arbitrage transaction which exploits the price discrepancy for profit.
|-
|February 5th, 2023 7:31:21 AM MST
|Zunami Protocol Attacked Twice
|An article is published on Medium which highlights two attacks against the Zunami Protocol.
|-
|February 8th, 2023 4:06:55 AM MST
|Zunami Protocol Compensation Plan
|Zunami publishes a compensation plan on their Medium. While the stolen funds cannot be recovered, the team ensures that current user funds are safe and has introduced changes to prevent future exploits. As part of the compensation, users who maintain their ZLP and UZD holdings through the end of 2023 without reducing balances will be eligible for reimbursement. The plan will be funded through the protocol’s treasury, a future insurance fund, bond market revenues, and development reserves.
|-
|June 13th, 2025 10:04:00 AM MDT
|Second Rekt Article Published
|Rekt News publishes a second article about Zunami Protocol which includes this exploit, after $500k goes missing from the protocol. The chief technology officer Mikhail Zelenin is a primary suspect, however he has a story about border security guards potentially holding his laptop for hours of analysis.
|}

== Technical Details ==
The attack targeted a swap operation involving the conversion of 66,888 DAI to USDC via a decentralized exchange. This transaction was captured in the mempool before confirmation and manipulated through a classic sandwich attack — a strategy where an MEV bot places a transaction just before and after a victim’s swap to extract profit by manipulating token prices. Specifically, the attacker executed a front-running swap to skew the price curve against the victim, then allowed the victim’s transaction to execute at a worse rate, and finally executed a back-running swap to restore prices and pocket the arbitrage.

As a result, Zunami received only 17,230 USDC for 66,888 DAI — far below the expected rate (implying a massive slippage and effective loss of ~$49,658). This shows the attacker was able to exploit liquidity asymmetries or low depth in the DAI/USDC pair, likely via SushiSwap or a related AMM pool, by inflating USDC price through their front-running trade and offloading after Zunami's unfavorable execution.

The consequence extended beyond the direct loss. The artificially poor execution caused a distorted valuation of the Zunami LP token (ZLP) in the XAI + FRAXBP pool, dropping its price to $0.8213 while it remained at $1.1252 in the MIM pool. This mispricing opened the door for a second, more complex flashloan attack, where an attacker could buy ZLP cheaply in one pool and redeem it at the higher price in another — exploiting the price delta and lack of cross-pool price sync.

== Total Amount Lost ==
According to the Zunami Protocol team, "In total, the attackers stole $260k." This figure was also later included in an article published by Rekt News.

The total amount lost has been estimated at $260,000 USD.

== Immediate Reactions ==
The Zunami team responded swiftly to the attack by halting all deposits and withdrawals within one hour to prevent further exploitation and ensure the safety of user funds. This immediate action helped contain the damage and allowed the team to assess the situation before resuming normal operations.

To mitigate future risks, the team implemented several key security measures. They deployed a new contract for the XAI strategy with built-in amount controls to defend against MEV-style attacks. Additionally, direct deposits and withdrawals were capped at 100,000, making large-scale attacks economically unfeasible, while delegated transactions (handled by trusted intermediaries) remain unrestricted.

Finally, the team is actively working on a compensation plan to reimburse users for the $260,000 lost across the two attacks. The plan is expected to be released in the coming days, reaffirming the team’s commitment to transparency and user protection.

== Ultimate Outcome ==
Zunami published a plan to compensate users fully for their losses in this exploit.

== Total Amount Recovered ==
The team reported to be preparing a compensation plan for the attack in a Medium article which they published entitled "The Zunami Protocol has come under two attacks" on February 5th, 2023.

There do not appear to have been any funds recovered in this case.

== Ongoing Developments ==
Zunami Protocol continues to operate, and would suffer future exploits.
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="zunamirekt2-20210">[https://rekt.news/zunami-protocol-rekt2 Rekt - Zunami Protocol - Rekt II] (Accessed Jun 13, 2025)</ref>

<ref name="zunamiprotocolmedium-20211">[https://zunamiprotocol.medium.com/the-zunami-protocol-has-come-under-two-attacks-e201a8a0ec6c The Zunami Protocol has come under two attacks - Zunami Protocol Medium] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan1-20216">[https://etherscan.io/tx/0x9fe927823f58ddaeb18f40c665108941192881fe3daff86db6328c9cb723bc91 First Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan2-20217">[https://etherscan.io/tx/0xc6ad352f7c6a5494669479d66f10730423f56e8a78d8dc11860c7bec7703f3c0 Second Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan3-20218">[https://etherscan.io/tx/0xff7188719dc4f757b5d55e96644c733b48f79b74d7a3302e3313607577dd1e3c Third Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan4-20219">[https://etherscan.io/tx/0x54b9779c50dc05ec7b5b184bfecd47962c89332ead00d31d830b995b3a75089b Fourth Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan5-20220">[https://etherscan.io/tx/0x08167233162667f4b6803ac12607f57de48bcd502095ad90434f1a16e9f4b894 Fifth Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan6-20221">[https://etherscan.io/tx/0xcc514c5dd367c6fd298148cb0c56dab499d4fd7dcc94b28ed2f0952cc15ec343 Sixth Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan7-20222">[https://etherscan.io/tx/0x600b06f4cfaac69525998afb71a63f167d598c923e0b2f9932c86a863cc50611 Seventh Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan8-20223">[https://etherscan.io/tx/0x0053946288abc81fc15eebf7517de7e05846e054f7aa8e69b9834cdbd2773518 Eighth Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan9-20224">[https://etherscan.io/tx/0xbd3311c0dbd6049ff99a7bcd9f570c66a4ed176ed272e589cd85702dd2f493b0 Ninth Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan10-20225">[https://etherscan.io/tx/0xe6eff1573606e80396b21f011510ac5c5415c45775b9af67a744b164f186f446 Tenth Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan11-20226">[https://etherscan.io/tx/0x8e4ba72e5a7a152b22c778652d3b4062333e16acc1a30edcad1689bd193fbe96 Eleventh Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan12-20227">[https://etherscan.io/tx/0xf28c50293342dcaba5be567ace113ec1ed40f940bea8a97a1cf253361c2bf062 Twelfth Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="etherscan13-20228">[https://etherscan.io/tx/0x59b92c023d0e7c0749b92a1252fb7fdc23061da2a8d853a406587f8173a33183 Thirteenth Arbitrage Swap Transaction - Etherscan] (Accessed Jun 13, 2025)</ref>

<ref name="compensationplan-20214">[https://zunamiprotocol.medium.com/compensation-plan-2964af44976 Compensation Plan - Zunami Protocol Medium] (Accessed Jun 13, 2025)</ref>

<ref name="compensationspreadsheet-20229">[https://docs.google.com/spreadsheets/d/1iR5WJi-8xeAY6cEg3oVFKbsx1j23WALYsZwLX-MRtI0/edit Spreadsheet For Compensation - Google Sheet] (Accessed Jun 13, 2025)</ref>

<ref name="rekthqtweet-20215">[https://twitter.com/RektHQ/status/1933556211108229310 Rekt HQ - "$500k vanished from @ZunamiProtocol in a May admin key exploit. Months of stagnant development & perfect timing may have paved the way. Team offered weak excuses, dismissed concerns, left users empty-handed. When emergency keys open doors, who's in control? Story in comments." - Twitter/X] (Accessed Jun 13, 2025)</ref>

<ref name="zunamihomepage-20193">[https://www.zunami.io/ Zunami Protocol Homepage] (Accessed Jun 11, 2025)</ref></references>