On August 13, 2023, Zunami Protocol — a decentralized finance platform built on Ethereum — suffered a devastating flash loan attack that siphoned approximately $2.16 million from its vaults. The post-mortem, published on August 31, 2023, revealed a subtle but catastrophic vulnerability in the protocol’s price caching mechanism, one that escaped multiple professional audits. With Bitcoin trading around $25,931 and Ethereum at $1,645 at the time, the exploit sent ripples through the DeFi community already on edge from a summer of high-profile breaches.
The Exploit Mechanics
The attack exploited two separate but related vulnerabilities in Zunami’s price caching system. The first target was Zunami ETH (zETH), where the attacker drained 26 WETH. The second, far more damaging strike targeted Zunami Stable (UZD), extracting a staggering 1,178 WETH. Both attacks hinged on the same fundamental flaw: the protocol cached inflated LP token prices for the duration of an entire block, creating a window exploitable through flash loans.
The root cause traced back to the MIMCurveStakeDAO strategy, introduced in a protocol update. This strategy calculated LP prices using the balance and price of SDT tokens held within the strategy contract. An attacker could manipulate this calculation by donating SDT tokens to the strategy, artificially inflating the cached price. Because the inflated price persisted for the entire block, the attacker could execute a series of reverse operations — borrowing via flash loan, manipulating the price, extracting value at the inflated rate, and repaying the loan — all within a single transaction.
Affected Systems
The vulnerability specifically affected the ElasticERC20 implementation in Zunami Stable v1.1. Price caching was partially implemented in v1.0 and audited by Ackee Blockchain. However, in v1.1, the caching was extended to critical functions including totalSupply, balanceOf, and allowance. This expansion meant that other contracts calling balanceOf would receive the manipulated cached price — a design decision that introduced the attack vector.
Crucially, the v1.1 update was launched without any audit. It was only later, for the v1.2 launch, that HashEx conducted an audit on October 29, 2023 — but even that review failed to identify the cached function attack vector. The MIMCurveStakeDAO strategy itself had been audited by HashEx prior to launch, yet the exploit possibility slipped through.
The Mitigation Strategy
Following the exploit, the Zunami team took several corrective actions. The vulnerable MIMCurveStakeDAO strategy was disabled, and the protocol paused deposits while a thorough review was conducted. The post-mortem analysis, contributed to by Ackee Blockchain, identified the specific code paths that enabled the attack.
Key mitigations implemented included removing global price caching from view functions that could be called by external contracts, implementing real-time price calculations for critical operations, and establishing a requirement for comprehensive audits before any strategy contract modifications. The protocol also moved toward multi-auditor reviews, recognizing that no single audit firm catches every vulnerability.
Lessons Learned
The Zunami exploit carries several critical lessons for the DeFi ecosystem. First, no code change is too small for an audit. The v1.1 update that extended price caching may have seemed incremental, but it fundamentally changed the attack surface. Second, price oracles and caching mechanisms demand extreme scrutiny. Any system that allows price data to be influenced by user actions within the same transaction creates flash loan attack vectors. Third, audits are necessary but not sufficient. The fact that both Ackee Blockchain and HashEx missed this vulnerability demonstrates that even professional audits have blind spots.
For DeFi users, the incident reinforces the importance of monitoring which protocol versions are actively deployed and whether recent updates have been audited. Protocols that ship unaudited updates to core financial logic represent elevated risk, regardless of their track record.
User Action Required
Users who had funds in Zunami Protocol vaults at the time of the August 13 exploit should verify whether they were affected. Check transaction histories for any unexpected withdrawals from zETH or UZD pools. For ongoing DeFi participation, always verify that the protocol version you are interacting with has been audited, and consider diversifying across multiple protocols to limit exposure to single-point failures. With the crypto market showing Bitcoin at approximately $25,931 and Ethereum around $1,645, the broader market context suggests cautious optimism — but protocol-level risks remain ever-present.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before interacting with any DeFi protocol.
caching LP prices for an entire block is like leaving your front door open and being surprised when someone walks in
the MIMCurveStakeDAO strategy was the root cause? so basically one unaudited strategy update compromised the entire vault system. how does that pass governance
cached prices for an entire block is such an obvious vector. surprised it survived multiple audits honestly
audits are theater sometimes. the auditor checks the code you show them, not the code you deploy after the audit
cached LP prices for a full block is just asking to get exploited. any attacker with flash loan access can manipulate that window
1,178 WETH from UZD alone. the zETH drain of 26 WETH was probably just a test run before the main attack
26 WETH test run then 1178 WETH main hit. classic two stage exploit pattern, the first one was basically the attacker verifying the path worked
26 WETH was definitely a probe. the real question is why the protocol didnt pause after the first hit
hazel_nut the protocol not pausing after the 26 WETH probe is the real failure. that was a free warning shot and they ignored it
an unaudited strategy update passing governance is a governance failure. who approved that without a security review