The Zunami Protocol, a decentralized finance (DeFi) platform, confirmed Sunday that its liquidity pool on Curve Finance was attacked, leading to a loss of over $2.1 million. The hack was reported by blockchain security firms PeckShield and Ironblocks.
Zunami Protocol is a yield farming aggregator for stablecoin staking. It maintained its primary "zStables" pool on Curve, a decentralized exchange (DEX) for swapping stablecoins on Ethereum.
Zunami, managed as a decentralized autonomous organization (DAO), promised "the highest APY on the market" and touted $5 million total value locked on its website. The cross-chain protocol claimed to allow users to "diversify their stablecoin portfolio and avoid the risk of crashing one of them."
The scheme used in the attack was a familiar one to blockchain watchers.
"The attacker took [a] flash loan from [the] balancer, then he added liquidity so he [would] be able to change the price significantly and started to trade in Zunami's exchange," Ironblocks explained. "Then he removed the liquidity and changed the price, then he traded back and [returned] the flash loan and got 1,152 ETH to himself."
Fellow blockchain analysis firm PeckShield, which has been tracking attacks on Curve, also detected the Zunami attack and notified the protocol on Twitter.
Hi @zunamiprotocol, we have detected an ongoing attack. Users are strongly suggested to take necessary actions.
Here is the encrypted hash: 2638ae2969ce932d61c3ca66f9b8a4a6c01c4d89bb2b34ddcf2c4145960f41c4. Actual hash will be released once the situation is stable.
"Today's hack leads to more than $2.1 million loss and there are two hack transactions involved," PeckShield explained in a follow-up. "It is a price manipulation issue, which can be exploited by donation to incorrectly calculate the price."
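The bug class PeckShield names can be shown with a simplified model. This is an added example, not Zunami's contract code; the `Vault` class, the deviation guard and all numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Vault:
    """Toy share vault; every name and number here is constructed."""
    shares: float = 0.0    # total shares issued
    tracked: float = 0.0   # assets recorded through deposit()
    balance: float = 0.0   # raw token balance held by the contract

    def deposit(self, amount: float) -> None:
        # First deposit mints 1:1; later deposits mint at the tracked price.
        minted = amount if self.shares == 0 else amount / self.safe_price()
        self.shares += minted
        self.tracked += amount
        self.balance += amount

    def donate(self, amount: float) -> None:
        # A plain token transfer raises the balance but bypasses accounting.
        self.balance += amount

    def naive_price(self) -> float:
        # Donation-sensitive: derives the price from the raw balance.
        return self.balance / self.shares

    def safe_price(self) -> float:
        # Donation-resistant: uses only internally recorded assets.
        return self.tracked / self.shares


def price_is_sane(spot: float, reference: float, max_dev: float = 0.02) -> bool:
    """Guard: reject a spot price that deviates from a reference value
    (for example a time-averaged price) by more than max_dev."""
    return abs(spot - reference) / reference <= max_dev


def demo() -> dict:
    v = Vault()
    v.deposit(1_000.0)
    before = v.naive_price()
    v.donate(9_000.0)  # unaccounted transfer into the vault
    return {
        "before": before,
        "naive_after": v.naive_price(),
        "safe_after": v.safe_price(),
        "guard_passes": price_is_sane(v.naive_price(), reference=before),
    }
```

A price read from the raw balance moves tenfold after the transfer, while the internally tracked price does not move and the deviation guard rejects the inflated value.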
"It appears that zStables have encountered an attack. The collateral remain secure, we delve into the ongoing investigation," Zunami posted to Twitter a few moments later. "Please do not buy zETH and UZD at the moment, their emission has been attacked."
The price of both the Zunami USD stablecoin (UZD) and Zunami Ether (zETH) fell precipitously as a result of the hack, with the former collapsing entirely—more than 99%—and the latter plummeting over 88% to $206.
Zunami USD Price Chart (UZD) via CoinGecko.
The funds have already been washed through controversial coin mixer Tornado Cash, the firm reported.
Curve Finance has struggled with multiple attacks in recent weeks, and is still attempting to recover about $19 million stolen by a hacker—and put out a $1.8 million bounty for information leading to the identity of the perpetrator.