How Attackers Manipulated SushiSwap Oracle Prices to Drain DeFi Yield Vaults in August 2023

The decentralized finance ecosystem faced yet another sophisticated exploit on August 13, 2023, when an attacker drained approximately $2.16 million from Zunami Protocol through a carefully orchestrated flash loan attack targeting oracle price feeds on SushiSwap. The incident underscores the persistent vulnerabilities in DeFi protocols that rely on decentralized exchange pricing for asset valuation.

The Exploit Mechanics

The attacker initiated the operation by withdrawing 10 ETH from Tornado Cash to fund the deployment of a malicious smart contract. What followed was a multi-step manipulation of price feeds across several decentralized exchanges. The attacker executed two flash loans simultaneously: borrowing 7 million USDT from Uniswap V3 and another 7 million USDC alongside 10,011 WETH, valued at roughly $18.4 million, from Balancer. These borrowed funds totaled approximately $32.4 million and served as the capital for the price manipulation scheme.

With the flash loan proceeds, the attacker performed a series of strategic token swaps. First, 5.75 million USDC was converted to crvFRAX on Curve, then swapped for 4.08 million UZD in one of Zunami’s liquidity pools. Separately, 1.25 million USDC was exchanged for crvUSD and then swapped for 791,280 UZD in a second pool. Crucially, the attacker also converted 11 WETH into 55,981 SDT, StakeDAO tokens, and transferred them directly into Zunami’s strategy contract.

The critical manipulation occurred when the attacker swapped 10,000 WETH for 58,042 SDT on the SDT-WETH pair on SushiSwap, while simultaneously converting 7 million USDT into 2,154 WETH on the USDT-WETH pair. These massive swaps artificially inflated the price of SDT on SushiSwap, which Zunami’s pricing oracle relied upon to calculate asset values.

Affected Systems

Zunami Protocol, a DeFi yield aggregator operating on Ethereum, bore the direct impact. The protocol’s stablecoin UZD and its Ethereum-backed token zETH were both affected. The attacker exploited the way UZD balances are calculated using the formula: Balance multiplied by assetPriceCached divided by a decimal factor. By calling the cacheAssetPrice() function after manipulating the SDT price, the attacker inflated their UZD balance from 4.87 million to approximately 16.9 million UZD, more than tripling their holdings through artificial price inflation.

The exploit also rippled through interconnected DeFi infrastructure. Curve Finance pools, Balancer vaults, and SushiSwap liquidity pairs were all used as vectors in the attack. At the time of the exploit, Bitcoin traded around $29,282 and Ethereum at $1,839, meaning the total DeFi market capitalization stood at approximately $45 billion, with total value locked across all protocols reaching $41.94 billion.

The Mitigation Strategy

Following the exploit, Zunami Protocol’s team published a post-mortem confirming that the attack targeted the price manipulation vulnerability in their oracle integration. The stolen 1,178 ETH, worth approximately $2.16 million at the time, was routed through Tornado Cash, making recovery virtually impossible. The protocol’s response included pausing affected pools and announcing plans to implement more robust oracle price feeds that incorporate time-weighted average prices rather than relying on instantaneous spot prices from a single decentralized exchange.

Security firms including PeckShield, CertiK, and Ironblocks all flagged the incident within hours. CertiK classified it as the tenth largest flash loan attack detected in 2023. The broader DeFi community noted that August 2023 saw four flash loan attacks with combined losses of $3.8 million, making it the month with the lowest volume of such attacks that year.

Lessons Learned

The Zunami Protocol exploit highlights several critical vulnerabilities that persist across the DeFi landscape. First, protocols that rely on single-source oracle pricing remain fundamentally exposed to manipulation through flash loans. The attacker demonstrated that with sufficient borrowed capital, even relatively small liquidity pairs can be weaponized to distort protocol-level accounting. Second, the cacheAssetPrice() function created a single point of failure that the attacker could trigger at the optimal moment, after price manipulation and before arbitrageurs corrected the market. Third, the incident reinforces that DeFi protocols must adopt time-weighted average price oracles, multi-source price aggregation, and circuit breakers that detect sudden price deviations before executing critical operations.

User Action Required

For users who interact with yield aggregation protocols, this exploit serves as a reminder to assess the oracle infrastructure of any platform before depositing funds. Users should prioritize protocols that employ Chainlink or similar decentralized oracle networks over those relying on single DEX price feeds. Additionally, monitoring protocol governance forums and security channels for post-mortem reports can provide early warning of systemic vulnerabilities. At current market levels, with Bitcoin hovering around $29,282 and Ethereum at $1,839, the total value locked in DeFi protocols makes every smart contract vulnerability a potentially catastrophic event for individual depositors.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.