The Zunami Protocol has come under two attacks
TL;DR. All user funds are safe now, and the vulnerabilities exploited by the attackers have been fixed. Losses are estimated at $260 thousand. The team is preparing a compensation plan.
On January 26, while transferring funds to the new XAI + FRAXBP pool, we were subjected to a MEV attack. A swap of 66,888 DAI returned only 17,230 USDC because the transaction was sandwiched while it sat in the mempool. In total, the attackers managed to steal approximately $49,658.
Transaction link: https://etherscan.io/tx/0xd1f23b15d7b6f6cf12455bb5729a367f0726f67b9bac9adb37e2b96a64c3c732
As a result of this attack, the price of ZLP in the XAI pool decreased to $0.8213, while the price of ZLP in the MIM pool remained at $1.1252.
This price divergence opened a vulnerability: an attacker used a flashloan to deposit $4,000,000 into the protocol several times, receiving ZLP at the low price and withdrawing it at the inflated price. Links to the transactions:
The ZLP price in the two pools has since converged, and there is no risk of a repeat scenario.
The team responded quickly and paused all deposits and withdrawals within one hour.
What the team did to eliminate risk in the future:
- A new contract for the XAI strategy with amount control on swaps, to eliminate MEV attacks;
- Deposits and withdrawals were suspended immediately to confirm the safety of user funds;
- Direct deposits and withdrawals are capped at 100k, which makes the attack uneconomical;
- Delegated deposits and withdrawals remain unlimited;
- A plan to compensate users for lost funds.
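As an added illustration (not Zunami's code), the guards that the fixes above describe, modelled in Python against the figures quoted in this post: a minimum-output check that would have rejected the sandwiched DAI to USDC swap, a cross-pool ZLP price divergence check that would have paused flows before the flashloan deposits, and the per-transaction cap on direct deposits and withdrawals. The 50 bps slippage tolerance, the 100 bps divergence threshold, the DAI/USDC parity reference and the exact cap value are assumptions.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


def min_amount_out(amount_in: float, ref_price: float, max_slippage_bps: int) -> float:
    """Lowest acceptable output for a swap, derived from an independent
    reference price (oracle or pool virtual price) and a slippage tolerance.
    A swap that returns less should revert instead of settling."""
    return amount_in * ref_price * (BPS - max_slippage_bps) / BPS


def swap_ok(amount_in: float, amount_out: float, ref_price: float, max_slippage_bps: int) -> bool:
    """True if the realised output is within tolerance of the reference."""
    return amount_out >= min_amount_out(amount_in, ref_price, max_slippage_bps)


def lp_price_spread_bps(prices: dict) -> int:
    """Spread between the highest and lowest LP price across pools,
    expressed in basis points of the highest price."""
    hi, lo = max(prices.values()), min(prices.values())
    return round((hi - lo) / hi * BPS)


@dataclass
class DepositPolicy:
    max_spread_bps: int   # assumed threshold: pause when pools disagree more than this
    direct_cap: float     # assumed per-transaction cap on direct deposits/withdrawals

    def check(self, amount: float, prices: dict, delegated: bool = False):
        """Return (allowed, reason) for a deposit or withdrawal request."""
        if lp_price_spread_bps(prices) > self.max_spread_bps:
            return False, "LP prices diverged across pools; flows paused"
        if not delegated and amount > self.direct_cap:
            return False, "direct amount exceeds cap"
        return True, "ok"


if __name__ == "__main__":
    # Figures from the post; ref_price=1.0 assumes DAI and USDC trade near parity.
    print(swap_ok(66_888, 17_230, ref_price=1.0, max_slippage_bps=50))   # False
    pools = {"XAI": 0.8213, "MIM": 1.1252}
    print(lp_price_spread_bps(pools))                                     # 2701
    policy = DepositPolicy(max_spread_bps=100, direct_cap=100_000)
    print(policy.check(4_000_000, pools))                                 # (False, ...)
```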
In total, the attackers stole $260k. The team is preparing a compensation plan. The plan will be presented in the coming days.