The DeFi yield farming aggregator promised "the highest APY on the market."
Ryan Ozawa
The Zunami Protocol, a decentralized finance (DeFi) platform, confirmed Sunday that its liquidity pool on Curve Finance was attacked, leading to a loss of over $2.1 million. The hack was reported by blockchain security firms PeckShield and Ironblocks.
Zunami Protocol is a yield farming aggregator for stablecoin staking. It maintained its primary "zStables" pool on Curve, a decentralized exchange (DEX) for stablecoins on Ethereum.
Zunami, managed as a decentralized autonomous organization (DAO), promised "the highest APY on the market" and touted $5 million total value locked on its website. The cross-chain protocol claimed to allow users to "diversify their stablecoin portfolio and avoid the risk of crashing one of them."
The scheme used in the attack was a familiar one to blockchain watchers.
"The attacker took [a] flash loan from [the] balancer, then he added liquidity so he [would] be able to change the price significantly and started to trade in Zunami's exchange," Ironblocks explained. "Then he removed the liquidity and changed the price, then he traded back and [returned] the flash loan and got 1,152 ETH to himself.
"Classic price manipulation," Ironblocks concluded.
Fellow blockchain analysis firm PeckShield, which has been tracking attacks on Curve, also detected the Zunami attack and notified the protocol on Twitter.
"Today's hack leads to more than $2.1 million loss and there are two hack transactions involved," Peckshield explained in a follow up. "It is a price manipulation issue, which can be exploited by donation to incorrectly calculate the price."
"It appears that zStables have encountered an attack. The collateral remain secure, we delve into the ongoing investigation," Zunami posted to Twitter a few moments later. "Please do not buy zETH and UZD at the moment, their emission has been attacked."
The price of both the Zunami USD stablecoin (UZD) and Zunami Ether (zETH) fell precipitously as a result of the hack, with the former collapsing entirely—more than 99%—and the latter plummeting over 88% to $206.
The funds have already been washed through controversial coin mixer Tornado Cash, the firm reported.
Curve Finance has struggled with multiple attacks in recent weeks, and is still attempting to recover about $19 million stolen by a hacker—and put out a $1.8 million bounty for information leading to the identity of the perpetrator.