Briefing

In September 2025, the Bunni decentralized exchange (DEX), built on Uniswap v4, suffered an exploit of roughly $8.4 million. The incident spanned both Ethereum and UniChain and stemmed from a rounding error in the protocol's withdraw function. Combined with flash-loan-funded price manipulation, the flaw let the attacker receive more tokens from the pools than the liquidity they burned entitled them to, draining the affected pools on both chains.


Context

The decentralized finance (DeFi) landscape has long faced risks from unaudited or inadequately tested smart contracts. Protocols built on complex liquidity mechanisms, such as automated market makers (AMMs), are particularly exposed to logic flaws that become exploitable once an attacker can move prices at will using flash loans. The attack surface is often a subtle arithmetic error or misconfiguration in a core function that is harmless in isolation but, combined with an adversarial sequence of transactions, allows substantial capital drain.


Analysis

The attack against Bunni combined flash loans, a series of token swaps, and a sandwich attack, all built around a rounding error in the protocol's withdraw function. The attacker first took a flash loan, then performed multiple swaps to push the spot price (current tick) of the targeted liquidity pools, specifically the weETH/ETH pool on UniChain and the USDC/USDT pool on Ethereum. The withdraw function rounded idle balances up instead of down. Rounding in a withdraw path must favor the pool, so that each operation's remainder stays with the remaining liquidity providers; rounding up instead hands that remainder to the caller on every call. Under the manipulated price this let the attacker withdraw a larger quantity of tokens while burning a disproportionately smaller amount of liquidity. A subsequent sandwich attack inflated the pool's spot price further, letting the attacker extract additional value and keep the profit after repaying the flash loan.
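The following is an added example, not Bunni's code or anything from Halborn's write-up: a generic share-based pool model in Python that isolates the one property the Analysis and Outlook sections turn on, the rounding direction of a pro-rata withdrawal. The pool, its balances and the share counts are constructed state chosen with small integers so the rounding remainder is visible; Bunni's actual withdraw logic and liquidity distribution are not modelled. The `round_up` flag reproduces the caller-favoring behaviour described above, the default reproduces the protocol-favoring fix, and `value_per_share_not_decreased` is the invariant a review of any withdrawal path should check.

```python
"""Toy share-based liquidity pool illustrating why a withdraw path must round
against the caller.  Constructed example, not Bunni's code: the pool keeps two
idle token balances and a share supply; withdrawing `shares` pays out the
pro-rata fraction of each balance.  The only difference between the vulnerable
and hardened variants is the rounding direction of that pro-rata calculation.
"""
from dataclasses import dataclass


def mul_div_down(a: int, b: int, denominator: int) -> int:
    """floor(a * b / denominator) in integer arithmetic (protocol-favoring)."""
    return a * b // denominator


def mul_div_up(a: int, b: int, denominator: int) -> int:
    """ceil(a * b / denominator); pays the caller the rounding remainder."""
    return -(-(a * b) // denominator)


@dataclass
class Pool:
    balance0: int
    balance1: int
    total_shares: int
    round_up: bool  # True reproduces the vulnerable behaviour

    def withdraw(self, shares: int) -> tuple[int, int]:
        """Burn `shares` and pay out the pro-rata amount of each idle balance."""
        if not 0 < shares <= self.total_shares:
            raise ValueError("invalid share amount")
        f = mul_div_up if self.round_up else mul_div_down
        out0 = f(self.balance0, shares, self.total_shares)
        out1 = f(self.balance1, shares, self.total_shares)
        self.balance0 -= out0
        self.balance1 -= out1
        self.total_shares -= shares
        return out0, out1


def value_per_share_not_decreased(before: Pool, after: Pool) -> bool:
    """Invariant every withdraw must preserve for the LPs who stay behind:
    balance / total_shares must not go down.  Cross-multiplied to avoid floats."""
    if after.total_shares == 0:
        return True
    return (after.balance0 * before.total_shares >= before.balance0 * after.total_shares
            and after.balance1 * before.total_shares >= before.balance1 * after.total_shares)


def drain(round_up: bool, calls: int = 100, shares_per_call: int = 1) -> dict:
    """Repeat a tiny withdrawal `calls` times and report what the caller got
    versus the floored entitlement of the shares burned."""
    # Constructed state with deliberately small integers so the rounding
    # remainder is visible; real pools use 1e18-scale amounts, where the
    # per-call gain from ceil-vs-floor is bounded by one base unit per token.
    pool = Pool(balance0=1_000, balance1=1_000, total_shares=3_000, round_up=round_up)
    start = Pool(pool.balance0, pool.balance1, pool.total_shares, round_up)
    got0 = got1 = 0
    for _ in range(calls):
        a, b = pool.withdraw(shares_per_call)
        got0 += a
        got1 += b
    # Fair (floored) entitlement of all burned shares, priced at the start state.
    fair0 = mul_div_down(start.balance0, calls * shares_per_call, start.total_shares)
    return {
        "withdrawn": (got0, got1),
        "fair_share": fair0,
        "lps_not_diluted": value_per_share_not_decreased(start, pool),
    }


if __name__ == "__main__":
    print("round up  :", drain(round_up=True))
    print("round down:", drain(round_up=False))
```

With the constructed state, one share is worth a third of a token, so the round-up variant pays a full token per share on every call and a hundred 1-share withdrawals take 100 tokens of each asset against a fair entitlement of 33, and the remaining LPs' value per share drops. The round-down variant pays nothing for such sub-unit withdrawals and the invariant holds. In a real pool the per-call gain is one base unit, which is why a rounding flaw of this kind is paired with state manipulation (here, the flash-loan swaps) that widens the gap between what is burned and what is paid out.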


Parameters

  • Protocol Targeted → Bunni (Uniswap v4-based DEX)
  • Vulnerability → Rounding error in the withdraw function, exploited via flash loan and price manipulation
  • Financial Impact → $8.4 Million
  • Affected Blockchains → Ethereum, UniChain
  • Attack Type → Flash loan attack, liquidity manipulation, sandwich attack


Outlook

This incident underscores the need for rigorous smart contract auditing and testing, particularly for protocols managing significant liquidity. Integer arithmetic in financial calculations must round against the caller in every path, and tests should exercise edge cases such as repeated sub-unit operations under manipulated prices, since these are exactly the conditions an attacker will create. Protocols with similar AMM designs should review their withdrawal and liquidity management functions now for analogous rounding errors or logic flaws. The event highlights a persistent systemic risk and the need for stronger pre-deployment security assessments to prevent future exploits and preserve user trust in the DeFi ecosystem.

The Bunni exploit serves as a stark reminder that even seemingly minor arithmetic flaws in smart contract logic can be catastrophically exploited, necessitating an unyielding commitment to formal verification and exhaustive security testing within the DeFi sector.

Signal Acquired from → halborn.com

Micro Crypto News Feeds