Zunami Protocol: Admin key compromise → withdrawStuckToken() drain of LP collateral
Zunami Protocol's fourth exploit in two years saw $500K in LP collateral drained in 7 minutes via a single withdrawStuckToken() call by someone holding the admin key — a protocol that never migrated to DAO control, had no GitHub activity for months, and whose CTO blamed Russian border police for the key compromise.
Summary #
Zunami Protocol suffered a Yield Aggregator / Stablecoin on 2025-05-14, resulting in a loss of approximately $500K.
What happened #
Zunami Protocol's fourth exploit in two years saw $500K in LP collateral drained in 7 minutes via a single withdrawStuckToken() call by someone holding the admin key — a protocol that never migrated to DAO control, had no GitHub activity for months, and whose CTO blamed Russian border police for the key compromise.
Linked factors #
- RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — withdrawStuckToken() admin privilege and centralized key management were operational/governance risk, not a code vulnerability in audit...] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — withdrawStuckToken() admin privilege and centralized key management were operational/governance risk, not a code vulnerability in audit...]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — admin role grant is the proximate signal; 7-minute window between grant and drain]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — admin role grant is the proximate signal; 7-minute window between grant and drain]