CoinClear

Zunami Protocol

2.3/10

Yield aggregator with UZD stablecoin — suffered $2.1M exploit via Curve pool manipulation, trust destroyed, minimal remaining adoption.

Updated: February 16, 2026AI Model: claude-4-opusVersion 1

Overview

Zunami Protocol was a yield aggregation platform that aimed to simplify DeFi yield farming through auto-compounding strategies built primarily on Curve Finance LP positions. The protocol's flagship product was UZD — a stablecoin backed by Curve LP positions that was designed to generate yield for holders through the underlying Curve farming rewards.

The protocol operated by pooling user deposits, deploying them into optimized Curve strategies, auto-compounding rewards, and socializing gas costs across depositors. The UZD stablecoin was minted against these LP positions, effectively creating a yield-bearing stablecoin that appreciated through Curve farming rewards.

In August 2023, Zunami suffered a price manipulation exploit that drained approximately $2.1 million from its Curve pools. The attacker manipulated the price oracle in Zunami's Curve pool through flash loans, exploiting the relationship between the pool's price calculation and Zunami's accounting. This exploit exposed fundamental security weaknesses in the protocol's design.

Post-exploit, the protocol's adoption collapsed. TVL dropped to near zero, UZD depegged, and user trust was irreparably damaged. The protocol has attempted recovery but has not regained meaningful adoption.

Smart Contracts

Zunami's smart contracts managed multi-strategy yield aggregation with Curve-centric deployment. The contracts handled deposit pooling, Curve LP minting, CRV/CVX reward harvesting, auto-compounding, and UZD stablecoin minting. The architecture was heavily integrated with Curve Finance infrastructure.

The exploit revealed critical smart contract weaknesses — specifically, the reliance on manipulable on-chain price data for accounting decisions. The contracts did not implement adequate price manipulation protections (TWAP oracles, manipulation-resistant pricing) for the critical operations that determined UZD backing values.

The multi-strategy design, while functionally useful, created complex contract interactions that made comprehensive security analysis difficult. The composability with Curve introduced dependency on Curve pool states that could be manipulated by well-funded attackers.

Security

The August 2023 exploit is the defining security event. The attacker used flash loans to manipulate Curve pool prices, causing Zunami's contracts to miscalculate the value of underlying assets. This allowed the attacker to extract approximately $2.1 million. The attack vector — price manipulation through flash loans — is well-known in DeFi, and the fact that Zunami's contracts were vulnerable to it indicates insufficient security engineering.

The protocol reportedly had audits, but the exploit vector was not caught. This highlights the limitations of point-in-time audits for protocols with complex DeFi composability — the interaction between Zunami's accounting, Curve pool pricing, and flash loan availability created an attack surface that may not be apparent from reviewing any single contract in isolation.

Post-exploit security improvements were proposed, but the fundamental trust damage from a successful exploit is difficult to recover from, especially for a protocol that holds user deposits in yield strategies.

Yield Generation

Zunami's yield strategies centered on Curve Finance LP farming — deploying assets into Curve pools, staking LP tokens for CRV and CVX rewards, and auto-compounding the rewards. This approach was sound in concept: Curve pools offer relatively stable yields through trading fees and CRV emissions, and auto-compounding improves returns by reinvesting rewards automatically.

The UZD stablecoin added a layer of yield abstraction — holders of UZD would see its backing value increase as the underlying Curve strategies generated yield. This was similar to rebasing stablecoins but with LP-position backing rather than simple staking.

Post-exploit, yield generation is largely irrelevant — the protocol has insufficient TVL to operate meaningful strategies, and the UZD stablecoin has lost its peg and utility.

Adoption

Pre-exploit adoption was modest but growing. Zunami had attracted millions in TVL, primarily from yield-seeking DeFi users who valued the gas-socialization and auto-compounding features. UZD found some integration in Curve and related DeFi protocols.

Post-exploit, adoption collapsed. Users withdrew remaining funds, UZD liquidity evaporated, and the protocol's reputation was severely damaged. The DeFi community's response to exploits is harsh — protocols that lose user funds face an extremely difficult path to rebuilding trust, especially when alternative yield aggregators (Yearn, Convex) offer similar functionality with longer security track records.

Tokenomics

The ZUN token was designed for governance and incentive distribution. Post-exploit, the token's value has declined dramatically. With minimal TVL, the protocol generates negligible fee revenue, making any token value accrual theoretical rather than practical.

The tokenomics were never particularly strong — ZUN was primarily a governance and liquidity incentive token without meaningful revenue sharing or buyback mechanisms. The exploit destroyed any remaining token demand thesis.

Risk Factors

  • Exploit history: The $2.1M exploit fundamentally damaged protocol trust
  • Price manipulation vulnerability: Demonstrated susceptibility to flash loan attacks
  • Near-zero TVL: Insufficient deposits for meaningful yield generation
  • Reputational damage: Exploit history makes user acquisition extremely difficult
  • Competitive landscape: Yearn, Convex, and other aggregators offer similar functionality without exploit history
  • UZD depeg: The stablecoin has lost its peg and utility

Conclusion

Zunami Protocol illustrates the risks of building yield products on complex DeFi composability without sufficient security infrastructure. The concept was sound — auto-compounding Curve yields with gas socialization and a yield-bearing stablecoin. The execution was fatally flawed — the price manipulation vulnerability that enabled the $2.1M exploit should have been caught in design review and audit.

The 2.3 score reflects a protocol that has effectively failed. The exploit destroyed trust, adoption, and token value. While the underlying yield concept was valid, the security failure was catastrophic and the protocol's chances of meaningful recovery are slim. Zunami serves as a cautionary tale about the importance of robust oracle design and manipulation resistance in DeFi composability.

Sources