August 14, 2023: Departed Too Zun 🛬💥
Price manipulation attack drains $2.1MM from Zunami Protocol
What was supposed to be a celebration of Curve’s third birthday turned tragic for our frens at Zunami Protocol.
The trouble began at around 3:27 PM PT. Peckshield announced the hack by 3:45, and Zunami quickly posted an initial assessment by 4:10 PM PT.
There was initial panic that this may be a repeat of the Vyper exploit, but it quickly was revealed to be the cause of price manipulation.
To understand a bit more about price manipulation attacks, here is a short explainer from Officer’s Notes:
Sadly, the protocol had undergone three audits, and even sadder for meme makers, none of them came from Peckshield.
We’d guess the auditors just audited the protocol, not the Curve integrations? We’re guessin this because the hack didn’t hit the underlying zStables, just the liquidity pool.
It’s just idle speculation on our part, we’ll have to wait for official postmortem analyses to find out.
Another troubling fact we’d want to see some clarity on is the report that the team had knowledge of the risk vector as of two months back.
It’s particularly sad because recently the protocol had been building some interesting technology to participate in the Curve Wars. They’d benefited indirectly from the unrelated hack on Conic just a month prior, as both protocols had been pushing the concept of omnipools. With Conic Finance paused, Zunami had been benefiting from LPs interested in single-sided staking, particularly where it intersected with the $crvUSD boom.
With omnipool protocols batting zero for two over the past few months, it may put a damper on the concept of single-sided staking. The idea that LPs could deposit using a single coin to maximize yields and avoid losses had always been cursed.
In the case of both Conic and Zunami, neither actually suffered due to a conceptual flaw with single-sided staking. Both protocols were felled due to bugs in implementation, not necessarily an issue fundamental to omnipools. All the same, it may serve to frighten off users from the consistently unlucky concept.
Or, perhaps users will more generally sour to the concept of serving as LP.
To be honest, we’re getting devastated continuing to write these reports. We’re here for the innovation and tech, but these bugs carry such severe consequences. Always “thoughts and prayers…”
We can’t expect innocent young exit liquidity to willingly step onto our slaughterfield while our industry remains such a gory bloodbath.
At the moment living in DeFi is enduring the subtle gradual downward effects of liquidity flowing offchain, punctuated by the rapid effects of hackers stealing whatever’s left. The starving vultures have fewer and fewer scraps to pick over.
That’s right, if you happened to remember ETHPOW existed you could have pocketed five figures replaying the alETH Vyper exploit… that’s where we are now as an industry…
It was supposed to be a birthday celebration, but with Curve LPs continually taking it on the chin, it doesn’t feel terribly festive.
Days like this, I have to remind myself of the fateful history of trying to construct a flying machine. Many of the builders’ of the prior century had a pay the ultimate price to prove aviation was even possible. Their risky tests in prod led the way to aviation as we know it today, which is generally considered safe.
Otto Lilienthal: the German inventor known as “The Flying Man” who made repeated glider flights, until dying of a broken neck suffered in a crash.
Franz Reichelt: A French tailor who designed an overcoat to double as a parachute, died while jumping from the Eiffel Tower to test his device.
Daniel Maloney: Killed jettisoning a glider from a high altitude hot air balloon.
Sir George Cayley: The English engineer suffered the tragic loss of an employee he forced to test his glider. The coachman was so terrified by a near fatal crash he tendered his resignation: “I was hired to drive, not to fly”
Thomas Selfridge: First airplane fatality. He was killed on a voyage piloted by Orville Wright of the eponymous brothers, who managed to survive.
Nowadays, we can transport ourselves halfway across the world and it’s an uneventful, pleasant experience.
Unless you make the mistake of flying Delta.