Zunami Protocol, a yield aggregation protocol for stablecoin staking, confirmed a hack on its liquidity pool on Curve Finance.
Please do not buy zETH and UZD at the moment, their emission has been attacked.
— Zunami Protocol (@ZunamiProtocol) August 14, 2023
The protocol promised a yield of around 14% on stablecoins, boasting the “highest APY on the market” with $5 million in Total Value Locked, according to its website.
Blockchain security firm PeckShield found that $2.1 million was lost in the exploit, which was caused by a price manipulation issue that allowed the attacker to take a flash loan from the balancer and add liquidity to significantly change the price on Zunami.
Here comes the flow of stolen funds, which have been washed via @TornadoCash pic.twitter.com/SHSajq4fBO
— PeckShieldAlert (@PeckShieldAlert) August 14, 2023
PeckShield also found that the stolen funds had been sent to Tornado Cash, meaning the exploiter is likely on the path to cashing out his or her proceeds from the attack.
Following the exploit, the price of the Zunami USD stablecoin (UZD) and Zunami Ether (zETH) plummeted sharply. UZD lost its peg to the U.S. dollar and dropped 99% to near $0, while zETH fell by 89% to a low of $206.
The Zunami stablecoin’s depeg comes despite the protocol’s claims that it would be resilient to such an issue in the risk assessment documentation on its website.
“The protocol uses a novel overcollateralization mechanism, where RSR stakers are the first loss capital in the case of failing collateral. The mechanism was battle tested during the run on Silicon Valley Bank on March 9th,” read Zunami’s documentation.