On August 14, 2023, Beosin EagleEye detected a price manipulation attack on the Zunami Protocol, a protocol on the Ethereum blockchain. The attack resulted in a loss of 1152 ETH($2.1 million).
It is understood that the Zunami Protocol is a platform that distributes stablecoins to users. It can be seen as a decentralized yield aggregator, providing more beneficial solutions for stablecoin holders.
There is an interesting twist to this incident. A security company had previously warned about vulnerabilities, but the project team did not take these warnings seriously, displaying a nonchalant attitude. As a consequence, by the time the incident occurred, it was already too late.
Beosin security team promptly analyzed the security incident and reported the following findings:
Attack-related Information:
● Attack Transactions:
Tx1: 0x2aec4fdb2a09ad4269a410f2c770737626fb62c54e0fa8ac25e8582d4b690cca
Tx2: 0x0788ba222970c7c68a738b0e08fb197e669e61f9b226ceec4cab9b85abe8cceb
● Attacker's Address:
0x5f4c21c9bb73c8b4a296cc256c0cde324db146df
● Attack Contract:
0xa21a2b59d80dc42d332f778cbb9ea127100e5d75
● Targeted Contract:
0xe47f1cd2a37c6fe69e3501ae45eca263c5a87b2b
Vulnerability Analysis:
The cause of this attack was the vulnerability in the contract where LP (Liquidity Provider) price calculation depended on the contract's own CRV balance and the exchange ratio of CRV in the wETH/CRV pool. The attacker manipulated the LP price by injecting CRV into the contract and manipulating the exchange ratio of the wETH/CRV pool.
Attack Process:
Taking transaction 0x2aec4... as an example:
Attack Preparation:
1. The hacker borrowed 6811 ETH using a balancer:Vault flash loan as attack funds.
2. They exchanged 300 ETH borrowed through a flash loan for 84 zETH, preparing for the subsequent increase in zETH value
Attack Phase:
1. They exchanged 11 ETH for 35293 CRV and transferred it to the sEthFraxEthCurveConvex contract, enabling the attacker to manipulate the CRV balance in the sEthFraxEthCurveConvex contract for later manipulation.
2. They repeatedly exchanged 406 ETH for CRV in the wETH/CRV pool, causing the price of CRV to increase by approximately 10 times.
3. The value calculation of zETH (LP) depended on the price of CRV tokens and the valuation of CRV to ETH calculations in the sEthFraxEthCurveConvex contract.
4. The attacker manipulated the CRV price and the CRV balance in the vulnerable contract, causing the final _assetPriceCached to increase.
5. Due to the increased _assetPriceCached, the value of 84 zETH increased to 221 zETH.
6. They exchanged the CRV obtained in step 4 back to ETH to repay the flash loan.
7. They exchanged the increased 221 zETH (LP) for 389 ETH.
8. They repaid the 6811 ETH flash loan and other fees, resulting in a profit of 26 ETH.
Funds Tracing:
As of the time of writing, the Beosin security analysis team found that the stolen funds had all been transferred to Tornado cash.
Summary:
In response to this incident, the Beosin security team recommends:
1. Similar projects should consider different token pool dependencies when calculating LP value.
2. Before the launch of a project, it's advisable to engage a professional security auditing company for comprehensive security audits to mitigate security risks.
Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities and there are 40+ PhDs in the team, and set up offices in 10+ cities including Hong Kong, Singapore, Tokyo and Miami. With the mission of "Securing Blockchain Ecosystem", Beosin provides "All-in-one" blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has already audited more than 3000 smart contracts including famous Web3 projects PancakeSwap, Uniswap, DAI, OKSwap and all of them are monitored by Beosin EagleEye. The KYT AML are serving 100+ institutions including Binance.
Contact
If you need any blockchain security services, welcome to contact us:
All Comments