The Zunami Protocol has come under two attacks

Zunami Protocol
2 min readFeb 5, 2023


TL;DR. All user funds are safe now, and the vulnerabilities exploited by the attackers have been fixed. Losses are estimated at $260 thousand. The team is preparing a compensation plan.

On January 26, while transferring funds to the new XAI + FRAXBP pool, we were subjected to a MEV attack. During the exchange of 66,888 DAI, we received only 17,230 USDC due to a sandwich attack on a transaction in the mempool. In total, the attackers managed to steal approximately $49,658.

Transaction link:

As a result of this attack, the price of ZLP in the XAI pool decreased to $0.8213, while the price of ZLP in the MIM pool remained at $1.1252.

This opened a vulnerability where the user was able to run a flashloan attack and invest $4,000,000 in the protocol several times and get ZLP at a low price, then withdraw them at an inflated price. Links to the transactions:

The price of LP in the two pools has leveled off and there is no risk of a repeat scenario.

The team quickly responded to the attack and stopped all deposits and withdrawals within one hour.

What the team did to eliminate risk in the future:

  1. New contract for XAI strategy with amount control to eliminate MEV attacks;
  2. Deposits and withdrawals were suspended immediately to confirm the safety of user funds;
  3. Restrictions on direct deposits and withdrawals up to 100k thousand, which makes the attack uneconomical;
  4. Delegated deposits and withdrawals remain unlimited;
  5. Plan for compensating lost funds to users.

In total, the attackers stole $260k. The team is preparing a compensation plan. The plan will be presented in the coming days.