Zunami Protocol Compromised Admin All Collateral Drained

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Zunami Protocol Logo/Homepage

Zunami Protocol is a decentralized finance platform that optimizes yield by issuing aggregated stablecoins like zunUSD and zunETH, backed by diversified assets managed in omnipools across major DeFi platforms. Governed by ZUN token holders through DAO voting, it offers around 20% APY with automated portfolio rebalancing and strong decentralization features. However, a recent exploit occurred when an attacker gained control of an admin-level wallet, withdrew $500,000 in collateral, and quickly laundered the funds through Tornado Cash. This protocol-level breach was beyond user control, and while the team acknowledged the hack and launched an investigation, reimbursement seems unlikely. The founder continues to probe the incident.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22]

About Zunami Protocol

Zunami Protocol is a decentralized finance (DeFi) platform designed to optimize yield generation through aggregated stablecoins and omnipools. At its core, Zunami issues aggregated stablecoins like zunUSD and zunETH, which are backed by diversified assets in yield-generating strategies across various DeFi protocols. These assets are held in omnipools, which combine liquidity and flexibility, enabling efficient, decentralized, and profitable collateral management.

The omnipools are structured to maximize returns—offering users an average APY of around 20%—by distributing capital across multiple DeFi platforms such as Curve Finance, Convex Finance, Stake DAO, FRAX Finance, and C.R.E.A.M. Finance. The collateral within these pools is managed through DAO voting, ensuring that strategy adjustments are community-driven. Zunami’s Algorithmic Peg Stabilizer (APS) further ensures that stablecoin prices remain steady, automatically rebalancing portfolios and compounding yields.

The ZUN token powers governance and liquidity functions within the ecosystem. Holders can vote on protocol decisions, manage liquidity-as-a-service (LaaS), influence token emissions, and earn rewards through staking. Notably, ZUN stakers act as an additional collateral layer, reinforcing stability and receiving 100% of the protocol’s revenue in return.

Security-wise, Zunami has emphasized decentralization with no proxy contracts, DAO-based risk management, and independent audits. Its open documentation and Gitbook provide full technical transparency. In sum, Zunami Protocol is an innovative approach to stablecoin yield farming—combining aggregation, decentralization, and automated strategy execution.

The Reality

Unfortunately, it appears that the private key for the Zunami Protocol was not held securely.

What Happened

Zunami Protocol was exploited for approximately $500,000 after an attacker gained unauthorized access to a privileged wallet and withdrew collateral backing its stablecoins.

Key Event Timeline - Zunami Protocol Compromised Admin All Collateral Drained
Date Event Description
May 14th, 2025 3:42:47 PM MDT First Emergency Withdrawal Transaction The first emergency withdrawal transaction on the Ethereum blockchain.
May 14th, 2025 3:52:59 PM MDT Funds Start Going To TornadoCash The stolen funds start being cashed out through TornadoCash.
May 15th, 2025 6:32:00 AM MDT Zunami Protocol Notification Tweet Zunami Protocol posts on Twitter with a very initial tweet noting that the zunUSD and zunETH have been stolen. They claim to be investigating the situation.
May 16th, 2025 12:18:04 AM MDT Analysis By Securrtech Securrtech publishes an analysis of the exploit on Medium. Securrtech’s analysis provides a detailed account of the $500,000 security breach that occurred on May 15, 2025. The report begins with an overview of the incident, noting that the attacker targeted the collateral backing Zunami’s flagship stablecoins, zunUSD and zunETH, and quickly moved the stolen funds through Tornado Cash to obscure their trail.
May 29th, 2025 10:49:00 AM MDT Update From Founder Sterx Sterx, the founder of Zunami Protocol, provides a Twitter/X update stating that the team is actively investigating the recent exploit and is considering both possibilities: a compromised deployer wallet or malicious intent by the key holder. They are collaborating with a professional investigator to uncover the root cause and have committed to sharing the full results of the investigation once they become available.
June 10th, 2025 6:33:00 AM MDT Update From Chief Technology Officer Zunami Protocol chief technology officer Mikhail Zelenin issued a personal apology for his absence following the hack, explaining he needed time to recover psychologically. He suspects the breach may have stemmed from Russian border police cloning his laptop during a border crossing, gaining access to unsecured source code. Despite transitioning to a DAO, some security updates were overlooked due to limited development resources, and he admits to making critical mistakes while managing the project alone.
June 13th, 2025 10:04:00 AM MDT Second Rekt Article Published Rekt News publishes a second article about Zunami Protocol which includes this exploit, after $500k goes missing from the protocol. The chief technology officer Mikhail Zelenin is a primary suspect, however he has a story about border security guards potentially holding his laptop for hours of analysis.

Technical Details

This exploit stemmed from a compromise of privileged access. The attacker appears to have obtained control over an admin-level wallet, which allowed them to withdraw and redeem protocol collateral without triggering traditional safeguards. Once the assets were redeemed, the attacker funneled the resulting ETH through a crypto mixer, effectively concealing their identity.

This was a protocol-level exploit, meaning end users could not have prevented the attack, and no action was required from them during the breach.

Total Amount Lost

Sources all appear to consistently report the amount of the loss at $500k.

The total amount lost has been estimated at $500,000 USD.

Immediate Reactions

It is reported that the team's first reaction on Discord was simply the word "Rekt".

The team later followed up to acknowledge the hack on Twitter/X.

Ultimate Outcome

Funds were moved through TornadoCash within 10 minutes of the exploit. An investigation was started.

Total Amount Recovered

Investigation is ongoing and there does not appear to be any hope of reimbursement.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

The founder is reportedly still investigating the exploit. There are two theories being explored. The CTO Mikhail Zelenin provided an alternate explanation involving border security seizing the funds:

"Guys, I am deeply sorry for not being in contact with the community. It was very hard to receive the hack message again, so I spent some time with a specialist to get my psyche back to normal.

Phil, the founder Kirill has access to the key as well. I personally sent it to him in the beginning. Three of us have keys. My current hypothesis is that during my crossing of the Russian border, my laptop was deeply investigated by Russian police. I am not sure what software they have, but for many hours it was in police possession. All source codes of the protocol were there without cryptographic security.

The second problem is that during the switch to the DAO, the strategies weren't switched because I was sure that I had done it before. Because of the absence of investment in the protocol, I was the only developer and I was trying my best to support it, but I made simple mistakes even though the protocol was fully rewritten for safety.

I still don't have any other hypothesis except the cloning of my hard drive and investigating it at the airport border."

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Zunami Protocol - "The Zunami protocol has been hacked — the collateral for zunUSD & zunETH has been stolen. We are currently investigating the situation." - Twitter/X (Accessed Jun 11, 2025)
  2. Sterx - "We’re investigating the exploit and considering both scenarios: a compromised deployer or malicious intent by the key holder. We're working with a professional investigator and will share the results of the investigation once available." - Twitter/X (Accessed Jun 11, 2025)
  3. Zunami Protocol Hack: Anatomy of a $500K DeFi Exploit - Securrtech Medium (Accessed Jun 11, 2025)
  4. Securrtech - "Another DeFi hack hits the headlines! @ZunamiProtocol just lost $500K in an Access Control exploit. Want to know how it happened? Dive into our full breakdown." - Twitter/X (Accessed Jun 11, 2025)
  5. Attacker's Wallet On Etherscan (Accessed Jun 11, 2025)
  6. First Theft Transaction - Etherscan (Accessed Jun 11, 2025)
  7. First TornadoCash Transaction - Etherscan (Accessed Jun 11, 2025)
  8. SuplabsYi - "@ZunamiProtocol has been hacked again, though this time the approach was quite different. One could argue that bad actor are now favoring techniques that better conceal their tracks. After all, based on past incidents, it’s tough to pinpoint the true cause of *pk* compromises." - Twitter/X (Accessed Jun 11, 2025)
  9. OpenCover - "@ZunamiProtocol was hacked for $500k." - Twitter/X (Accessed Jun 11, 2025)
  10. TenArmorAlert - "TenArmor Security Alert #ZunamiProtocol has been hacked! Stay vigilant!" - Twitter/X (Accessed Jun 11, 2025)
  11. 0xDavid - "Zunami gets hacked and the team first response on discord is "rekt" lmfao" - Twitter/X (Accessed Jun 11, 2025)
  12. Frog E-nomics - "Audits are worthless . Everyone of these auditors is offered market information ahead of time , they capitalize , and the outcomes are the same" - Twitter/X (Accessed Jun 11, 2025)
  13. RD Auditors - "This is the second time your protocol has been hacked. This time the hacker was granted the master key access to the protocol and withdrew $500k." - Twitter/X (Accessed Jun 11, 2025)
  14. Tony Kebot - "admin pk compromised or insider job? admin grants priviledged role to theft theft then 'withdraw stuck tokens'" - Twitter/X (Accessed Jun 11, 2025)
  15. AMLBot - "@ZunamiProtocol disclosed a cyberattack that led to the theft of approximately $500k in collateral from its $zunUSD and $zunETH assets. The stolen funds were transferred to Tornado Cash, a platform known for enabling anonymous transactions." - Twitter/X (Accessed Jun 11, 2025)
  16. Michael Egorov - "Tbf it was admin key compromise in Zunami. What is worse, admin key existed!" - Twitter/X (Accessed Jun 11, 2025)
  17. PeckShield - "#PeckShieldAlert #ZunamiProtocol reports being hacked, with collateral for zunUSD and zunETH stolen, resulting in a loss of ~$500K. The exploiter has transferred the stolen funds to #TornadoCash." - Twitter/X (Accessed Jun 11, 2025)
  18. Web3 Watchdog - "PeckShieldAlert: #PeckShieldAlert #ZunamiProtocol reports being hacked, with collateral for zunUSD and zunETH stolen, resulting in a loss of ~$500K. The exploiter has transferred the stolen funds to #TornadoCash." - Twitter/X (Accessed Jun 11, 2025)
  19. Zunami Protocol Homepage (Accessed Jun 11, 2025)
  20. Rekt - Zunami Protocol - Rekt II (Accessed Jun 13, 2025)
  21. Solved the Problem of Isolation, Bought a Ferrari, and Moved into a Penthouse - Teletype (Accessed Jun 13, 2025)
  22. MioGreen - "Guys, I am deeply sorry for not being in contact with the community. It was very hard to receive the hack message again, so I spent some time with a specialist to get my psyche back to normal... I still don't have any other hypothesis except the cloning of my hard drive and investigating it at the airport border." - Discord (Accessed Jun 13, 2025)