August 15th, 2023
In August 2023, the Zunami Protocol was the victim of a hack with a price tag of approximately $2.1 million. The attackers exploited a price manipulation vulnerability in the protocol’s contracts to drain value from the project.
Price manipulation vulnerabilities exploit insecure calculations of the value of a token. These calculations derive the token's value from the current contents of a pool, which an attacker can move within a single transaction using a flash loan.
The Zunami Protocol smart contract contained a calcTokenPrice function that determined the value of the project’s tokens by dividing the total holdings of its pool by the number of existing tokens. These types of calculations enable token value to be inflated either by increasing the value of the pool or decreasing the total number of tokens.
In this case, the attacker inflated the pool's value by making a donation to the pool. Once the donation landed, the tokens the attacker held had a much greater perceived value, which allowed the attacker to drain the $2.1 million in tokens from the project's pools.
Price manipulation is a well-known attack vector, and the Zunami Protocol used a classic — but insecure — code pattern for calculating token value. A more secure approach is to avoid the use of internal token value calculations, using an oracle like Chainlink instead.
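To make the two patterns concrete, the following Solidity example (added here for illustration; it is not Zunami Protocol code) places the insecure "pool holdings divided by total supply" calculation next to a version that reads the token's value from a Chainlink price feed. The contract names, the `asset` and `maxStaleness` fields, and the assumption that a Chainlink feed exists for the token being priced are all hypothetical; the only real interface is Chainlink's `AggregatorV3Interface`, of which the two functions used are reproduced verbatim.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Zunami Protocol code. Contract and variable names
// are hypothetical; only the Chainlink AggregatorV3Interface signatures are real.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Minimal subset of Chainlink's AggregatorV3Interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// INSECURE PATTERN: share price derived from the pool's own balance.
// Any address can transfer the underlying asset straight to the pool (a
// "donation"), which raises calcTokenPrice() for every holder in the same block.
contract SpotPricedPool {
    IERC20 public immutable asset;   // underlying token held by the pool
    uint256 public totalShares;      // shares minted to depositors
    uint256 private constant WAD = 1e18;

    constructor(IERC20 asset_) {
        asset = asset_;
    }

    // Price of one share in units of the underlying asset (18 decimals).
    function calcTokenPrice() public view returns (uint256) {
        if (totalShares == 0) return WAD;
        // balanceOf() includes donated tokens, so this input is attacker-influenced.
        return (asset.balanceOf(address(this)) * WAD) / totalShares;
    }
}

// HARDENED PATTERN: token value taken from an external oracle rather than
// from a balance that any caller can inflate within a single transaction.
contract OraclePricedPool {
    AggregatorV3Interface public immutable priceFeed;
    uint256 public immutable maxStaleness;  // seconds after which a round is rejected
    uint256 private constant WAD = 1e18;

    error StalePrice(uint256 updatedAt);
    error InvalidPrice(int256 answer);

    constructor(AggregatorV3Interface feed, uint256 maxStaleness_) {
        priceFeed = feed;
        maxStaleness = maxStaleness_;
    }

    // Oracle price normalised to 18 decimals. Rejects zero/negative answers
    // and rounds older than maxStaleness instead of silently using them.
    function calcTokenPrice() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt);
        }
        uint8 feedDecimals = priceFeed.decimals();
        return (uint256(answer) * WAD) / (10 ** feedDecimals);
    }
}
```

The point of the second contract is that the value used by the rest of the protocol no longer depends on state a caller can change mid-transaction. The staleness and sign checks matter in their own right: swapping in an oracle only removes the donation vector if the contract refuses to act on a feed that has stopped updating or returns an obviously bad answer.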
Business logic vulnerabilities like this can lead to significant losses for a protocol and its users. To learn more about how to avoid price manipulation attacks, get in touch with Halborn.