QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$260 000 USD
FEBRUARY 2023
GLOBAL
ZUNAMI PROTOCOL
DESCRIPTION OF EVENTS
Zunami Protocol is a decentralized finance (DeFi) platform designed to optimize yield generation through aggregated stablecoins and omnipools. At its core, Zunami issues aggregated stablecoins like zunUSD and zunETH, which are backed by diversified assets in yield-generating strategies across various DeFi protocols. These assets are held in omnipools, which combine liquidity and flexibility, enabling efficient, decentralized, and profitable collateral management.
The omnipools are structured to maximize returns—offering users an average APY of around 20%—by distributing capital across multiple DeFi platforms such as Curve Finance, Convex Finance, Stake DAO, FRAX Finance, and C.R.E.A.M. Finance. The collateral within these pools is managed through DAO voting, ensuring that strategy adjustments are community-driven. Zunami’s Algorithmic Peg Stabilizer (APS) further ensures that stablecoin prices remain steady, automatically rebalancing portfolios and compounding yields.
The ZUN token powers governance and liquidity functions within the ecosystem. Holders can vote on protocol decisions, manage liquidity-as-a-service (LaaS), influence token emissions, and earn rewards through staking. Notably, ZUN stakers act as an additional collateral layer, reinforcing stability and receiving 100% of the protocol’s revenue in return.
Security-wise, Zunami has emphasized decentralization with no proxy contracts, DAO-based risk management, and independent audits. Its open documentation and Gitbook provide full technical transparency. In sum, Zunami Protocol is an innovative approach to stablecoin yield farming—combining aggregation, decentralization, and automated strategy execution.
After suffering a sandwich attack, the Zunami Protocol was left in a position of arbitrage, which was able to be exploited for additional profit.
The attack targeted a swap operation involving the conversion of 66,888 DAI to USDC via a decentralized exchange. This transaction was captured in the mempool before confirmation and manipulated through a classic sandwich attack — a strategy where an MEV bot places a transaction just before and after a victim’s swap to extract profit by manipulating token prices. Specifically, the attacker executed a front-running swap to skew the price curve against the victim, then allowed the victim’s transaction to execute at a worse rate, and finally executed a back-running swap to restore prices and pocket the arbitrage.
As a result, Zunami received only 17,230 USDC for 66,888 DAI — far below the expected rate (implying a massive slippage and effective loss of ~$49,658). This shows the attacker was able to exploit liquidity asymmetries or low depth in the DAI/USDC pair, likely via SushiSwap or a related AMM pool, by inflating USDC price through their front-running trade and offloading after Zunami's unfavorable execution.
The consequence extended beyond the direct loss. The artificially poor execution caused a distorted valuation of the Zunami LP token (ZLP) in the XAI + FRAXBP pool, dropping its price to $0.8213 while it remained at $1.1252 in the MIM pool. This mispricing opened the door for a second, more complex flashloan attack, where an attacker could buy ZLP cheaply in one pool and redeem it at the higher price in another — exploiting the price delta and lack of cross-pool price sync.
According to the Zunami Protocol team, "In total, the attackers stole $260k." This figure was also later included in an article published by Rekt News.
The Zunami team responded swiftly to the attack by halting all deposits and withdrawals within one hour to prevent further exploitation and ensure the safety of user funds. This immediate action helped contain the damage and allowed the team to assess the situation before resuming normal operations.
To mitigate future risks, the team implemented several key security measures. They deployed a new contract for the XAI strategy with built-in amount controls to defend against MEV-style attacks. Additionally, direct deposits and withdrawals were capped at 100,000, making large-scale attacks economically unfeasible, while delegated transactions (handled by trusted intermediaries) remain unrestricted.
Finally, the team is actively working on a compensation plan to reimburse users for the $260,000 lost across the two attacks. The plan is expected to be released in the coming days, reaffirming the team’s commitment to transparency and user protection.
Zunami published a plan to compensate users fully for their losses in this exploit.
The team reported to be preparing a compensation plan for the attack in a Medium article which they published entitled "The Zunami Protocol has come under two attacks" on February 5th, 2023.
Zunami Protocol continues to operate, and would suffer future exploits.
Rekt - Zunami Protocol - Rekt II (Jun 13)
The Zunami Protocol has come under two attacks - Zunami Protocol Medium (Jun 13)
First Arbitrage Swap Transaction - Etherscan (Jun 13)
Second Arbitrage Swap Transaction - Etherscan (Jun 13)
Third Arbitrage Swap Transaction - Etherscan (Jun 13)
Fourth Arbitrage Swap Transaction - Etherscan (Jun 13)
Fifth Arbitrage Swap Transaction - Etherscan (Jun 13)
Sixth Arbitrage Swap Transaction - Etherscan (Jun 13)
Seventh Arbitrage Swap Transaction - Etherscan (Jun 13)
Eighth Arbitrage Swap Transaction - Etherscan (Jun 13)
Ninth Arbitrage Swap Transaction - Etherscan (Jun 13)
Tenth Arbitrage Swap Transaction - Etherscan (Jun 13)
Eleventh Arbitrage Swap Transaction - Etherscan (Jun 13)
Twelfth Arbitrage Swap Transaction - Etherscan (Jun 13)
Thirteenth Arbitrage Swap Transaction - Etherscan (Jun 13)
Compensation Plan - Zunami Protocol Medium (Jun 13)
Spreadsheet For Compensation - Google Sheet (Jun 13)
Rekt HQ - "$500k vanished from @ZunamiProtocol in a May admin key exploit. Months of stagnant development & perfect timing may have paved the way. Team offered weak excuses, dismissed concerns, left users empty-handed. When emergency keys open doors, who's in control? Story in comments." - Twitter/X (Jun 13)
Zunami Protocol Homepage (Jun 11)
