Zunami Protocol Curve Price Manipulation
$2.1M drained from Zunami Protocol after its zETH and UZD stablecoin prices, derived from manipulable Curve pools, were inflated by a flash-loan attacker.
- Date: August 13, 2023
- Victim: Zunami Protocol
- Chain(s)
- Status
- Funds Stolen: approximately $2.1 million
On August 13, 2023, Zunami Protocol lost approximately $2.1 million when an attacker manipulated the Curve-pool-derived prices for its zETH and UZD stablecoins. A flash loan inflated the pool prices, the attacker minted/extracted at the manipulated rate, and both tokens depegged 90%+.
What happened
Zunami's UZD (a USD-pegged stablecoin) and zETH derived their prices from Curve liquidity pools. A sufficiently capitalised actor can move such a pool's spot price within a single transaction, and a flash loan supplies that capital without the attacker committing any of their own.
The attack followed the canonical flash-loan oracle pattern:
- Flash-borrowed capital.
- Skewed the relevant Curve pools (zETH and UZD pairs), pushing the protocol's price reads far from true value.
- Minted / extracted against the manipulated prices — acquiring far more value than the real collateral justified.
- Reversed the manipulation, repaid the flash loan, and walked with ~$2.1M.
- Both UZD and zETH depegged 90%+ as the unbacked supply and broken price assumptions hit the market.
Aftermath
- Zunami paused the affected contracts and warned users the stablecoins could not hold their pegs.
- The protocol's standing was effectively destroyed by the depeg.
- Funds were laundered through Tornado Cash.
Why it matters
Zunami is yet another entry in the stablecoin-priced-from-a-manipulable-Curve-pool lineage, structurally identical to Yearn yDAI (2021), BonqDAO (2023), and dozens of other incidents where the protocol's price feed was a pool the attacker could move.
The repetition is the entire point of cataloguing these small incidents. Individually, Zunami's $2.1M is unremarkable. Collectively, the pattern — "DeFi protocol prices a critical asset from a Curve/AMM pool spot rate; flash-loan attacker moves the pool; protocol drained; stablecoin depegs" — appears so many times across the catalogue, across so many years and chains, that it constitutes the single most-repeated failure mode in DeFi history.
The defensive answer has been documented and freely available since the bZx flash-loan attacks of February 2020: never derive a critical price from a pool's instantaneous spot rate; use time-weighted oracles, external feeds, multi-source medians, and deviation guards. Zunami in August 2023 — three and a half years after bZx — shipped a stablecoin priced from manipulable Curve pools anyway. The catalogue's quiet thesis is exactly this: the knowledge exists, is free, and is repeatedly not applied, and the cumulative cost of that gap is measured in billions.
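The gap between a spot read and the guarded read described above can be shown in a small model. This is an added example, not Zunami's code or any project's own: the pool is a constant-product simplification (Curve uses the StableSwap invariant), and all balances, observations, feed values, the 2% threshold and every function name are constructed for illustration.

```python
from statistics import median

class Pool:
    """Constant-product pool (x*y=k). Simplification: Curve uses the StableSwap invariant."""
    def __init__(self, tokens, usd):
        self.tokens, self.usd = float(tokens), float(usd)

    def spot(self):
        return self.usd / self.tokens          # instantaneous USD per token

    def swap_usd_in(self, amount):
        k = self.tokens * self.usd
        self.usd += amount
        self.tokens = k / self.usd             # tokens left in the pool after the swap

def twap(observations, now):
    """Time-weighted mean; each (ts, price) holds until the next observation or `now`."""
    ends = [ts for ts, _ in observations[1:]] + [now]
    weighted = sum(p * (end - ts) for (ts, p), end in zip(observations, ends))
    return weighted / (now - observations[0][0])

class PriceRejected(Exception):
    pass

def guarded_price(spot, twap_price, external_feeds, max_deviation=0.02):
    """Price from the median of independent sources; refuse if spot disagrees with it."""
    reference = median([twap_price, *external_feeds])
    if abs(spot - reference) / reference > max_deviation:
        raise PriceRejected(f"spot {spot:.4f} vs reference {reference:.4f}")
    return reference

def simulate():
    pool = Pool(tokens=1_000_000, usd=1_000_000)       # constructed balances
    history = [(0, 1.0), (600, 1.0), (1200, 1.0)]      # constructed past observations
    feeds = [0.999, 1.001]                             # constructed external feeds
    now, deposit = 1800, 1_000                         # tokens being valued
    honest = guarded_price(pool.spot(), twap(history, now), feeds)
    pool.swap_usd_in(9_000_000)                        # flash-loan-sized skew, same transaction
    history.append((now, pool.spot()))                 # recorded, but zero time has elapsed
    naive_value = deposit * pool.spot()                # what a spot-priced protocol would credit
    try:
        guarded_value = deposit * guarded_price(pool.spot(), twap(history, now), feeds)
    except PriceRejected:
        guarded_value = None                           # the operation reverts instead of pricing
    return honest, pool.spot(), naive_value, guarded_value

if __name__ == "__main__":
    print(simulate())
```

The manipulated observation carries zero weight in the TWAP because no time passes inside the transaction, so the reference stays at 1.0 and the deviation guard rejects the 100x spot read.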
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-zunami-protocol-hack-august-2023
- [02] decrypt.co: https://decrypt.co/152366/zunami-protocol-curve-finance-hack
- [03] cryptopotato.com: https://cryptopotato.com/zunami-protocol-exploited-for-over-2-million-native-stablecoin-uzd-plunges-99/