Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
The Zunami Protocol on Ethereum suffered a price manipulation attack and lost 1,179 ETH (approximately $2.2 million). The reason for the incident is that the calculation of LP price in the vulnerable contract depends on the CRV balance of the contract itself and the conversion ratio of CRV in the wETH/CRV pool. The attacker manipulated the LP price by transferring CRV to the contract and manipulating the conversion ratio of the wETH/CRV pool. According to MistTrack analysis, ETH has been transferred to Tornado Cash at present. Attack method (per SlowMist): Price Manipulation. Reported loss: $ 2,200,000.
- chain
- ethereum
- protocol
- Zunami Protocol
- bug_class
- oracle
- date_occurred
- 2023-08-14
- loss_usd
- $2,200,000
- source_id
- sm:zunami-protocol::2023-08-14