ZUNAMI - Hack Analysis

Table Of Content



Zunami is a decentralized protocol operating in the Web3 space, specializing in issuing aggregated stablecoins like UZD and zETH. These stablecoins are generated from omnipools that employ various profit-generating strategies. Recently, the protocol was exploited, resulting in a loss of $2.1M. The exploit specifically targeted Zunami's UZD and zETH liquidity pools on the Curve ecosystem. This analysis delves into the impact and mechanisms for this kind of vulnerability.

Hack Impact

The Zunami Protocol experienced a severe price manipulation attack that led to a loss of approximately $2.1M. The attacker was able to exploit Zunami’s zETH and UZD liquidity pools on the Curve platform. This caused the zStables (zETH and UZD) to depeg dramatically - zETH by 85% and UZD by 99%.

The Hack Explained:

  • Flash Loans: The attacker borrowed 7,000,000 USDT from Uniswap v3, 7,000,000 USDC, and 10,011 WETH from Balancer.
  • Liquidity Manipulation: Using the borrowed 5,750,000 USDC, the attacker minted 5,746,896 Curve tokens (crvFrax). These were then swapped for 4,082,046 UZD and 791,280 UZD using 1,250,000 USDC in Curve Finance.
  • Price Manipulation Step 1: 11 WETH were swapped for 55,981 SDT in Curve, all of which were donated into the MIMCurveStakeDAO, leading to an initial inflation of the SDT price.
  • Price Manipulation Step 2: An additional 10,000 WETH was swapped for 58,043 SDT, and 7,000,000 USDT was swapped for 2,154 WETH in Sushiswap, further escalating the SDT price manipulation.
  • Flaw in totalHoldings Function: The flawed totalHoldings function within strategies like MIMCurveStakeDao was manipulated as part of the attack. Here, the sdt and sdtPrice were artificially inflated, contributing to incorrect liquidity pool (LP) price calculations.
  • Cache Manipulation: The attacker then cached this manipulated price into the UZD contract via the cacheAssetPrice function, inflating their balance in the UZD contract.
  • Profit Realization: Finally, the attacker reversed all operations that manipulated the UZD price and converted all the inflated UZD into a profit of approximately (~$2.1M at the time of the attack).

Transactions Involved


Protocol Response


The Zunami Protocol hack serves as a cautionary tale about the risks and vulnerabilities present in complex decentralized financial systems. The exploitation capitalized on multiple weaknesses in Zunami's design, leading to a substantial loss of funds and trust. Given the growing number of such exploits, it's imperative for projects in the DeFi space to take robust security measures seriously, undergoing rigorous audits from a reputed audit firm like Blockapex and implementing strong protective mechanisms to shield both their assets and their user base.

More Audits

Chainpals Token Audit Report

The main contract is called Chainpals Token. The minting and transfer of the complete supply is done during deployment. This means new tokens can only be minted if the old ones are burnt.

The State of Startups Security in Pakistan

The security team at BlockApex decided to test these applications for vulnerabilities that could compromise their data. We knew that the software industry in Pakistan always keeps security out of their toolkit to reduce the cost of development.

Rain Protocol Audit Report

Rain Protocol lets you build web3 economies at any scale.Rain scripts are a combination of low level functions (opcodes) like addition and subtraction and very high level functions like fetching an ERC20 balance at a given snapshot ID (Open Zeppelin), or fetching a chainlink oracle price.

Polkalokr Matic Bridge Contract Audit Report

The analysis indicates that the contracts audited are secured and follow the best practices.
Our team performed a technique called “Filtered Audit”, where the contract was separately audited by two individuals. After their thorough and rigorous process of manual testing, an automated review was carried out using Slither, and Manticore. All the flags raised were manually reviewed and re-tested.

Unipilot Final Audit Report

In our first iteration, we found 1 critical-risk issue, 4 high-risk issues, 1 medium-risk, 1 low-risk issue and 1 informatory issue. All these issues were refactored and fixes have been made. A detailed report on the first review can be found here.

Infiltrating the EVM-I: Demystifying Smart Contracts & Auditing

Infiltrating the EVM-I: Demystifying Smart Contracts & Auditing comprises of information about compilation breakdown of solidity code, the vulnerable components of blockchain ecosystem and how Smart contract auditing is crucial.

The Poly Network Hack: Who to Blame?

What was essentially the biggest hack in the history of cryptocurrency became a valuable lesson on the importance of security and just how powerless big organizations can become in the face of powerful hackers. The unusual trajectory of this incident also begs the question of where to place the blame in these kinds of attacks. Read more to find out exactly how the hack took place as we analyze the most pressing questions surrounding this attack.

Curve Finance Hacked, $570k Stolen!

On Tuesday, 9th August, Curve Finance suffered from a DNS attack causing theft of a whooping $570,000+ USD.

Beanstalk Hack Analysis & POC (Apr 17, 2022)

Beanstalk protocol got hacked for around $74M through exploiting the governance mechanism & stealing all the BEANS & Curve LP tokens stored in the Beanstalk protocol.

1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023