defirisk.co
rubric v1.7.0

Zunami Protocol: Flash loan + SDT token swap → totalHoldings price calculation manipulation → zETH/UZD LP price manipulation → drain

Zunami Protocol lost $2.1M when an attacker used flash loans to create SDT pool slippage, exploiting a totalHoldings() price calculation flaw to drain zETH and UZD Curve pools — causing 85% and 99% depegs of Zunami's own stablecoins.

Occurred 2023-08-13 Loss $2M Status closed

Summary #

Zunami Protocol suffered a Yield Aggregator / Stablecoin AMM (Curve-based) on 2023-08-13, resulting in a loss of approximately $2M.

What happened #

Zunami Protocol lost $2.1M when an attacker used flash loans to create SDT pool slippage, exploiting a totalHoldings() price calculation flaw to drain zETH and UZD Curve pools — causing 85% and 99% depegs of Zunami's own stablecoins.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — MimCurveStakeDAO strategy added after audit; totalHoldings() price manipulation not in reviewed scope] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — MimCurveStakeDAO strategy added after audit; totalHoldings() price manipulation not in reviewed scope]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit strategy addition)]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MimCurveStakeDAO strategy was added after the primary audit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MimCurveStakeDAO strategy was added after the primary audit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — zStable LP prices distorted via totalHoldings() manipulation; 85% and 99% depeg visible]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MimCurveStakeDAO strategy was added after the primary audit]