Zunami Protocol lost $2.16 million in a flash loan attack.

Summary

On August 13, 2023, Zunami Protocol, a prominent DeFi platform on Ethereum, was compromised through a sophisticated flash loan attack, resulting in a significant loss of 1,178 ETH, approximately valued at $2.16 million. Central to this exploit was a vulnerability within the platform’s contract that allowed for the manipulation of the UZD token’s balance. By leveraging a flash loan the attacker was able to artificially inflate the value of the UZD token. This manipulation enabled the withdrawal of an extensive sum of assets.

Attackers

The identity of the hackers who attacked Zunami is unknown.

Hacker Ethereum Wallet:

Losses

Zunami estimated the losses from the hack to be 1178 ETH( $2.16 million).

Timeline

  • August 13, 2023, 10:26:35 PM UTC: The first malicious transaction occurred and 26 ETH were stolen.
  • August 13, 2023, 11:12:59 PM UTC: The stolen assets were moved through various transactions and eventually sent to Tornado Cash.
  • August 14, 2023, 06:10 AM UTC: Zunami protocol announced a hack.
  • August 16, 2023, 02:01 AM UTC: Zunami published exploit Post-Mortem.
  • August 18, 2023: Immunebytes published a detailed analysis of the incident.

Security Failure Causes

  • Smart contract vulnerability: The Zunami Protocol hack stemmed from a vulnerability that allowed an attacker to artificially inflate asset values within the protocol. By manipulating market prices through flash loans, the attacker increased their balance of the protocol’s stable token, UZD, and exploited this inflated balance to withdraw funds significantly exceeding their initial deposit.