< Back to articles

Zunami hack post-mortem: what happened?

Education, Ethereum, Exploits, Hacks August 31, 2023

Note: Ackee audited an earlier version of the protocol before the attacked MimCurveStakeDAO strategy was added.

Exploit cause

The exploit consisted of two hacks, both of which involved price caching vulnerability The first target was Zunami ETH (zETH) and the second was Zunami Stable (UZD). The first attack drained only 26 WETH, unlike the second one with whopping 1178 WETH.

The root cause was the price manipulation using the MIMCurveStakeDao strategy then caching the inflated price for the whole block (suitable for flash loans) for UZD and then performing previous operations in reverse order to take profit of the inflated price.

Price caching

The caching of the liquidity pool (LP) price in UZD was partially implemented in the 1.0 version that was audited by Ackee Blockchain. However, it wasn’t used globally and functions like balanceOf were doing multiple costly calls (LP price calculation from strategies) instead of caching.

The caching was extended to functions such as totalSupply, balanceOf and allowance later in the UZD version 1.1. The caching was adjusted in the following way:

Source 

This allowed calling an inflated price from other contracts with the balanceOf function.

The version 1.1 was launched without any audit. It was later audited by HashEx in October 29, 2023, for the v1.2 launch, but according to the audit report, the attack vector using the cashed functions was not discovered.

MIMCurveStakeDao strategy

The strategy was introduced in commit 6df0ae5. The attacker could change LP price calculation by donating SDT tokens to the strategy since the calculation was dependent on its price and balance in the strategy. This strategy was audited prior to the launch by HashEx (check out this audit report) but the exploit possibility was not discovered.

The Attack

The attack happened on August 13 and can be viewed here: https://explorer.phalcon.xyz/tx/eth/0x0788ba222970c7c68a738b0e08fb197e669e61f9b226ceec4cab9b85abe8cceb

Or you can check the PoC of the attack (good work DeFiHackLabs!). 

We hope this post-mortem analysis was helpful and may contribute to making web3 a safer space without hacks and exploits. 

You May Also Like

Audits, Ethereum, Solidity, Wake December 18, 2023
IPOR: Protocol Core audit summary
Audits, Ethereum, Solidity, Wake December 15, 2023
Сow Protocol: ComposableCoW & ExtensibleFallbackHandler audit summary
Education, Ethereum, Solidity, Tutorial, Wake December 7, 2023
On the wave of CI/CD for Web3