header-langage
简体中文
繁體中文
English
Tiếng Việt
Scan to Download the APP

"Failure to listen" led to losses of over 2 million US dollars, a brief analysis of the reason why Zunami Protocol was attacked

23-08-15 11:25
Read this article in 9 Minutes
总结 AI summary
View the summary 收起
Original title: "The Cost of Being "Willful"? Zunami Protocol Attacked for Price Manipulation, Losing Over $2.1 Million"
Original source: Beosin


On August 14, 2023, Beosin EagleEye security risk monitoring, warning and blocking platform detected that Zunami Protocol on the Ethereum blockchain was subjected to price manipulation attacks, resulting in a loss of 1152 ETH, worth 2.1 million US dollars.


According to reports, Zunami Protocol is a platform that distributes stablecoins to users. It can be understood as a decentralized income aggregator, creating more beneficial solutions for stablecoin holders.


There is a small episode about this incident. Previously, a security company had kindly warned about the vulnerability, but the project party did not take it seriously and acted recklessly. As a result, it was too late when this incident occurred.



Beosin Security Team analyzed the incident for the first time, and the results are as follows:


Event Related Information


●Attack transaction Tx1:0x2aec4fdb2a09ad4269a410f2c770737626fb62c54e0fa8ac25e8582d4b690cca Tx2:0x0788ba222970c7c68a738b0e08fb197e669e61f9b226ceec4cab9b85abe8cceb


● Attacker address 0x5f4c21c9bb73c8b4a296cc256c0cde324db146df


● Attack contract 0xa21a2b59d80dc42d332f778cbb9ea127100e5d75


● Attacked contract 0xe47f1cd2a37c6fe69e3501ae45eca263c5a87b2b


Vulnerability Analysis


The reason for this attack is that the LP price calculation in the vulnerable contract depends on the contract's own CRV balance and the exchange rate of CRV in the wETH/CRV pool. The attacker manipulated the exchange rate of the wETH/CRV pool by depositing CRV into the contract, thereby manipulating the LP price.


Attack Process


Let's take the transaction of 0x2aec4... as an example:


Attack Preparation:


1. The hacker first borrowed 6811 ETH as attack funds through balancer:Vault flash loan.  



2. Use 300ETH with Lightning Loan to exchange for 84 zETH, preparing for the appreciation of zETH in the future.



Attack Phase:


1. Use 11 ETH to exchange for 35293 CRV and transfer it to the sEthFraxEthCurveConvex contract. The attacker manipulates the CRV balance in the sEthFraxEthCurveConvex contract to prepare for subsequent attacks.


 


2. Then use 406 ETH to repeatedly exchange for CRV in the wETH/CRV pool, causing the price of CRV to increase by about 10 times.



 3. Due to the valuation calculation of zETH (LP) being determined by two factors, the price of the CRV token and the estimation of CRV and ETH calculated in the sEthFraxEthCurveConvex contract, the value of zETH (LP) can fluctuate.


4. The attacker manipulated the price of CRV and the CRV balance of the vulnerable contract through the above steps, resulting in an increase in the final _assetPriceCached.






5. Due to the increase of _assetPriceCached used in calculating the balanceOf of zETH (LP), the value of 84zETH has appreciated to 221 zETH. 





6. Use the CRV obtained in step 4 to exchange back to ETH and repay the flash loan. 



7. Convert the value-added 221 zETH (LP) to 389 ETH.  



 


8. Return 6811 ETH flash loan and other fees, with a final profit of 26 ETH.









欢迎加入律动 BlockBeats 官方社群:

Telegram 订阅群:https://t.me/theblockbeats

Telegram 交流群:https://t.me/BlockBeats_App

Twitter 官方账号:https://twitter.com/BlockBeatsAsia

This platform has fully integrated the Farcaster protocol. If you have a Farcaster account, you canLogin to comment
Choose Library
Add Library
Cancel
Finish
Add Library
Visible to myself only
Public
Save
Correction/Report
Submit