Bunni DEX Suffers $8.4 Million Flash Loan and Rounding Error Exploit ∞ Security

The visual presents an abstract arrangement of metallic-blue and silver geometric blocks, forming a complex, interconnected structure. These precisely engineered components feature sharp edges and varying depths, with subtle blue light emanating from within the network

The image presents a detailed, close-up view of a sophisticated blue and dark grey mechanical apparatus. Centrally, a metallic cylinder prominently displays the Bitcoin symbol, surrounded by neatly coiled black wires and intricate structural elements

Briefing

In September 2025, the Bunni decentralized exchange (DEX), built on Uniswap v4, experienced an $8.4 million exploit. The incident, spanning both Ethereum and UniChain blockchains, stemmed from a critical rounding error within the protocol’s withdraw function, which allowed an attacker to manipulate liquidity pools. This vulnerability enabled the attacker to extract a disproportionate amount of tokens by burning less liquidity than intended, leading to significant financial losses across the affected pools.

A close-up view features a network of silver spheres connected by reflective rods, set against a blurred blue background with subtle textures. The foreground elements are sharply in focus, highlighting their metallic sheen and granular surfaces

Context

Prior to this incident, the decentralized finance (DeFi) landscape has consistently faced risks from unaudited or improperly tested smart contracts. Protocols leveraging complex liquidity mechanisms, such as those based on automated market makers (AMMs), are particularly susceptible to logic flaws that can be exploited through flash loans or price manipulation. The prevailing attack surface often includes subtle arithmetic errors or misconfigurations in core functions that, when combined with adversarial strategies, can lead to substantial capital drain.

The image features a central, textured white sphere encompassed by an array of vibrant blue crystalline structures, all set within an intricate, metallic hexagonal framework. This complex visual represents the core elements of a sophisticated blockchain ecosystem, where the central sphere could symbolize a foundational digital asset or a unique non-fungible token NFT residing within a distributed ledger

Analysis

The attack vector against Bunni involved a sophisticated combination of flash loans, carefully orchestrated token swaps, and a sandwich attack, all leveraging a critical rounding error in the protocol’s withdraw function. The attacker initiated the exploit by taking a flash loan, then performed multiple swaps to manipulate the spot price tick of liquidity pools, specifically the weETH/ETH pool on UniChain and the USDC/USDT pool on Ethereum. This manipulation, combined with the unintended behavior of the withdraw function (which rounded idle balances up instead of down), allowed the attacker to withdraw a larger quantity of tokens while burning a disproportionately smaller amount of liquidity. A subsequent sandwich attack further inflated the pool’s spot price, enabling the attacker to drain additional value and profit after repaying the initial flash loan.

A modern, transparent device with a silver metallic chassis is presented, revealing complex internal components. A circular cutout on its surface highlights an intricate mechanical movement, featuring visible gears and jewels

Parameters

Protocol Targeted ∞ Bunni (Uniswap v4-based DEX)
Vulnerability ∞ Rounding Error in withdraw function, exploited via Flash Loan and Price Manipulation
Financial Impact ∞ $8.4 Million
Affected Blockchains ∞ Ethereum, UniChain
Attack Type ∞ Flash Loan Attack, Liquidity Manipulation, Sandwich Attack

A sleek, silver-framed device features a large, faceted blue crystal on one side and an exposed mechanical watch movement on the other, resting on a light grey surface. The crystal sits above a stack of coins, while the watch mechanism is integrated into a dark, recessed panel

Outlook

This incident underscores the imperative for rigorous, comprehensive smart contract auditing and testing, particularly for protocols managing significant liquidity. Developers must account for edge cases and potential rounding discrepancies in financial calculations, as these can be weaponized by sophisticated attackers. Protocols with similar AMM designs should immediately review their withdrawal and liquidity management functions for analogous rounding errors or logical flaws. The event highlights a persistent systemic risk, necessitating enhanced pre-deployment security assessments to prevent future exploits and reinforce user trust in the DeFi ecosystem.

The Bunni exploit serves as a stark reminder that even seemingly minor arithmetic flaws in smart contract logic can be catastrophically exploited, necessitating an unyielding commitment to formal verification and exhaustive security testing within the DeFi sector.

Signal Acquired from ∞ halborn.com