Zunami Protocol Pool Price Imbalance Arbitrage Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Zunami Protocol Logo/Homepage

[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]

About Zunami Protocol

Zunami Protocol is a decentralized finance (DeFi) platform designed to optimize yield generation through aggregated stablecoins and omnipools. At its core, Zunami issues aggregated stablecoins like zunUSD and zunETH, which are backed by diversified assets in yield-generating strategies across various DeFi protocols. These assets are held in omnipools, which combine liquidity and flexibility, enabling efficient, decentralized, and profitable collateral management.

The omnipools are structured to maximize returns—offering users an average APY of around 20%—by distributing capital across multiple DeFi platforms such as Curve Finance, Convex Finance, Stake DAO, FRAX Finance, and C.R.E.A.M. Finance. The collateral within these pools is managed through DAO voting, ensuring that strategy adjustments are community-driven. Zunami’s Algorithmic Peg Stabilizer (APS) further ensures that stablecoin prices remain steady, automatically rebalancing portfolios and compounding yields.

The ZUN token powers governance and liquidity functions within the ecosystem. Holders can vote on protocol decisions, manage liquidity-as-a-service (LaaS), influence token emissions, and earn rewards through staking. Notably, ZUN stakers act as an additional collateral layer, reinforcing stability and receiving 100% of the protocol’s revenue in return.

Security-wise, Zunami has emphasized decentralization with no proxy contracts, DAO-based risk management, and independent audits. Its open documentation and Gitbook provide full technical transparency. In sum, Zunami Protocol is an innovative approach to stablecoin yield farming—combining aggregation, decentralization, and automated strategy execution.

The Reality

After suffering a sandwich attack, the Zunami Protocol was left in a position of arbitrage, which was able to be exploited for additional profit.

What Happened

An attacker was able to exploit low liquidity in the DAI/USDC pair, creating a price discrepancy exploitable through a flashloan attack to drain liquidity pools.

Key Event Timeline - Zunami Protocol Pool Price Imbalance Arbitrage Exploit
Date Event Description
January 26th, 2023 7:14:23 AM MST Stablecoin Swap Sandwich Attack The Zunami Protocol team swaps 66,888 DAI and receives only 17,230 USDC due to a sandwich attack against their transaction in the mempool. This is reportedly "while transferring funds to the new XAI + FRAXBP pool".
January 29th, 2023 4:14:00 PM MST Silo Finance Sees Deposit Already Silo Finance reports on the sandwich attack transaction as "a 130k XAI-FRAXBP deposit" in a tweet shortly after an announcement of a partnership between the two projects.
February 3rd, 2023 9:00:11 AM MST First Arbitrage Transactions The first arbitrage swap which is exploiting the price discrepancy.
February 3rd, 2023 9:00:47 AM MST Final Arbitrage Transactions The final arbitrage transaction which exploits the price discrepancy for profit.
February 5th, 2023 7:31:21 AM MST Zunami Protocol Attacked Twice An article is published on Medium which highlights two attacks against the Zunami Protocol.
February 8th, 2023 4:06:55 AM MST Zunami Protocol Compensation Plan Zunami publishes a compensation plan on their Medium. While the stolen funds cannot be recovered, the team ensures that current user funds are safe and has introduced changes to prevent future exploits. As part of the compensation, users who maintain their ZLP and UZD holdings through the end of 2023 without reducing balances will be eligible for reimbursement. The plan will be funded through the protocol’s treasury, a future insurance fund, bond market revenues, and development reserves.
June 13th, 2025 10:04:00 AM MDT Second Rekt Article Published Rekt News publishes a second article about Zunami Protocol which includes this exploit, after $500k goes missing from the protocol. The chief technology officer Mikhail Zelenin is a primary suspect, however he has a story about border security guards potentially holding his laptop for hours of analysis.

Technical Details

The attack targeted a swap operation involving the conversion of 66,888 DAI to USDC via a decentralized exchange. This transaction was captured in the mempool before confirmation and manipulated through a classic sandwich attack — a strategy where an MEV bot places a transaction just before and after a victim’s swap to extract profit by manipulating token prices. Specifically, the attacker executed a front-running swap to skew the price curve against the victim, then allowed the victim’s transaction to execute at a worse rate, and finally executed a back-running swap to restore prices and pocket the arbitrage.

As a result, Zunami received only 17,230 USDC for 66,888 DAI — far below the expected rate (implying a massive slippage and effective loss of ~$49,658). This shows the attacker was able to exploit liquidity asymmetries or low depth in the DAI/USDC pair, likely via SushiSwap or a related AMM pool, by inflating USDC price through their front-running trade and offloading after Zunami's unfavorable execution.

The consequence extended beyond the direct loss. The artificially poor execution caused a distorted valuation of the Zunami LP token (ZLP) in the XAI + FRAXBP pool, dropping its price to $0.8213 while it remained at $1.1252 in the MIM pool. This mispricing opened the door for a second, more complex flashloan attack, where an attacker could buy ZLP cheaply in one pool and redeem it at the higher price in another — exploiting the price delta and lack of cross-pool price sync.

Total Amount Lost

According to the Zunami Protocol team, "In total, the attackers stole $260k." This figure was also later included in an article published by Rekt News.

The total amount lost has been estimated at $260,000 USD.

Immediate Reactions

The Zunami team responded swiftly to the attack by halting all deposits and withdrawals within one hour to prevent further exploitation and ensure the safety of user funds. This immediate action helped contain the damage and allowed the team to assess the situation before resuming normal operations.

To mitigate future risks, the team implemented several key security measures. They deployed a new contract for the XAI strategy with built-in amount controls to defend against MEV-style attacks. Additionally, direct deposits and withdrawals were capped at 100,000, making large-scale attacks economically unfeasible, while delegated transactions (handled by trusted intermediaries) remain unrestricted.

Finally, the team is actively working on a compensation plan to reimburse users for the $260,000 lost across the two attacks. The plan is expected to be released in the coming days, reaffirming the team’s commitment to transparency and user protection.

Ultimate Outcome

Zunami published a plan to compensate users fully for their losses in this exploit.

Total Amount Recovered

The team reported to be preparing a compensation plan for the attack in a Medium article which they published entitled "The Zunami Protocol has come under two attacks" on February 5th, 2023.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Zunami Protocol continues to operate, and would suffer future exploits.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Zunami Protocol - Rekt II (Accessed Jun 13, 2025)
  2. The Zunami Protocol has come under two attacks - Zunami Protocol Medium (Accessed Jun 13, 2025)
  3. First Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  4. Second Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  5. Third Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  6. Fourth Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  7. Fifth Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  8. Sixth Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  9. Seventh Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  10. Eighth Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  11. Ninth Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  12. Tenth Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  13. Eleventh Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  14. Twelfth Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  15. Thirteenth Arbitrage Swap Transaction - Etherscan (Accessed Jun 13, 2025)
  16. Compensation Plan - Zunami Protocol Medium (Accessed Jun 13, 2025)
  17. Spreadsheet For Compensation - Google Sheet (Accessed Jun 13, 2025)
  18. Rekt HQ - "$500k vanished from @ZunamiProtocol in a May admin key exploit. Months of stagnant development & perfect timing may have paved the way. Team offered weak excuses, dismissed concerns, left users empty-handed. When emergency keys open doors, who's in control? Story in comments." - Twitter/X (Accessed Jun 13, 2025)
  19. Zunami Protocol Homepage (Accessed Jun 11, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Zunami_Protocol_Pool_Price_Imbalance_Arbitrage_Exploit&oldid=6777"