Zunami is a decentralized protocol operating in the Web3 space, specializing in issuing aggregated stablecoins like UZD and zETH. These stablecoins are generated from omnipools that employ various profit-generating strategies. Recently, the protocol was exploited, resulting in a loss of $2.1M. The exploit specifically targeted Zunami's UZD and zETH liquidity pools on the Curve ecosystem. This analysis delves into the impact and mechanisms for this kind of vulnerability.
Hack Impact
The Zunami Protocol experienced a severe price manipulation attack that led to a loss of approximately $2.1M. The attacker was able to exploit Zunami’s zETH and UZD liquidity pools on the Curve platform. This caused the zStables (zETH and UZD) to depeg dramatically - zETH by 85% and UZD by 99%.
The Hack Explained:
Flash Loans: The attacker borrowed 7,000,000 USDT from Uniswap v3, 7,000,000 USDC, and 10,011 WETH from Balancer.
Liquidity Manipulation: Using the borrowed 5,750,000 USDC, the attacker minted 5,746,896 Curve tokens (crvFrax). These were then swapped for 4,082,046 UZD and 791,280 UZD using 1,250,000 USDC in Curve Finance.
Price Manipulation Step 1: 11 WETH were swapped for 55,981 SDT in Curve, all of which were donated into the MIMCurveStakeDAO, leading to an initial inflation of the SDT price.
Price Manipulation Step 2: An additional 10,000 WETH was swapped for 58,043 SDT, and 7,000,000 USDT was swapped for 2,154 WETH in Sushiswap, further escalating the SDT price manipulation.
Flaw in totalHoldings Function: The flawed totalHoldings function within strategies like MIMCurveStakeDao was manipulated as part of the attack. Here, the sdt and sdtPrice were artificially inflated, contributing to incorrect liquidity pool (LP) price calculations.
Cache Manipulation: The attacker then cached this manipulated price into the UZD contract via the cacheAssetPrice function, inflating their balance in the UZD contract.
Profit Realization: Finally, the attacker reversed all operations that manipulated the UZD price and converted all the inflated UZD into a profit of approximately (~$2.1M at the time of the attack).
The Zunami Protocol hack serves as a cautionary tale about the risks and vulnerabilities present in complex decentralized financial systems. The exploitation capitalized on multiple weaknesses in Zunami's design, leading to a substantial loss of funds and trust. Given the growing number of such exploits, it's imperative for projects in the DeFi space to take robust security measures seriously, undergoing rigorous audits from a reputed audit firm like Blockapex and implementing strong protective mechanisms to shield both their assets and their user base.
An off-chain transaction deals with values outside the blockchain and can be completed using a lot of methods. To carry out any kind of transaction, both functioning entities should first be in agreement, after that a third-party comes into the picture to validate it.
Flower Fam is an NFT-based project, after you mint your NFT you can “harvest” them on weekly bases to get 60% royalties. It's quite simple: every flower has a 10% chance to win. The rarer the species of a flower.
Script TV is a decentralized video delivery network that furnishes an expansive range of blockchain-enabled solutions to the problems related to the traditional video-streaming sector.
The SEC describes its motives to be the safeguarding of investors, while members of the blockchain community see their actions as sabotage. Read more to find out the history of this controversy and its implications on the general definition of security.
On April 9, 2023, SushiSwap suffered a security breach which led to a loss of over $3.3 million. The attack exploited a flaw in the RouteProcessor2 contract of SushiSwap's router processor. The fallout was felt across several major chains that had previously authorized the RouteProcessor2 contract.
Security and privacy are among the top issues expected to arise in the metaverse. Some have even gone so far as to say that the metaverse is capitalizing on users' desire to escape from reality.
BlockApex (Auditor) was contracted by KaliCo LLC_ (Client) for the purpose of conducting a Smart Contract Audit/Code Review of KaliDAO. This document presents the findings of our analysis which took place from 20th of December 2021
A major pillar of blockchain technology is transparency. This means that any system built on blockchain is by definition public- a fact that introduces an entirely new set of vulnerabilities and threats. As a result, cleverly orchestrated hacks on blockchain solutions are not an uncommon feat. Even the biggest names in the field continue to suffer from attacks, resulting in losses equating to millions of dollars.
Learn how Fuzz Driven Development (FDD) transforms software testing by assisting programmers and testers in overcoming prejudices for improved code quality, security, and performance.