Briefing

In September 2025, the Bunni decentralized exchange (DEX), built on Uniswap v4, suffered an exploit of roughly $8.4 million across Ethereum and UniChain. The root cause was a rounding error in the protocol's withdraw function: idle balances were rounded in the withdrawer's favour rather than the pool's. After manipulating pool prices, the attacker used the flaw to withdraw far more tokens than the liquidity being burned entitled them to, draining value from the affected pools.

Context

The decentralized finance (DeFi) landscape has long been exposed to unaudited or inadequately tested smart contracts. Protocols built on complex liquidity mechanisms, such as automated market makers (AMMs), are particularly prone to logic flaws that become profitable once combined with flash loans or price manipulation. The attack surface commonly includes subtle arithmetic errors (rounding direction, precision loss) or misconfigurations in core functions that, in isolation, look harmless but can be repeated or amplified by an adversary until they drain substantial capital.

Analysis

The attack against Bunni combined flash loans, orchestrated token swaps and a sandwich attack, all built around a rounding error in the protocol's withdraw function. The attacker opened with a flash loan, then executed multiple swaps to move the spot price tick of the targeted pools, specifically the weETH/ETH pool on UniChain and the USDC/USDT pool on Ethereum. With the price positioned, the flawed withdraw function, which rounded idle balances up (in the withdrawer's favour) instead of down (in the pool's favour), paid out a larger quantity of tokens than the small amount of liquidity being burned was worth. A subsequent sandwich attack pushed the pool's spot price further, letting the attacker extract additional value, repay the flash loan and keep the difference.
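The arithmetic behind that flaw is easy to model. The following Python simulation is an added example, not Bunni's contract code and not part of Halborn's analysis. It uses a constructed toy pool (an idle balance and outstanding liquidity chosen so that one unit of liquidity is worth a fraction of a token unit) and compares a withdraw path that rounds the payout up with one that rounds it down. It omits the flash loan and price manipulation, which in the real incident served to make each rounded-up unit worth taking; here the ratio is simply constructed that way. The `dilutes_remaining_lps` check is the kind of invariant a fuzz or property test should enforce on any withdraw path: value per unit of liquidity must never fall for the providers who stay.

```python
from dataclasses import dataclass


def mul_div_floor(a: int, b: int, d: int) -> int:
    """a * b / d rounded down (inputs are non-negative)."""
    return a * b // d


def mul_div_ceil(a: int, b: int, d: int) -> int:
    """a * b / d rounded up; floor division of the negated numerator yields the ceiling."""
    return -((-(a * b)) // d)


@dataclass
class Pool:
    # Constructed toy state, not Bunni's real accounting:
    # token units sitting idle in the pool and total liquidity outstanding.
    idle_balance: int
    total_liquidity: int
    round_up: bool  # True reproduces the flaw described above (rounding in the withdrawer's favour)

    def withdraw(self, liquidity: int) -> int:
        """Burn `liquidity` and pay out its pro-rata share of idle_balance."""
        if liquidity <= 0 or liquidity > self.total_liquidity:
            raise ValueError("invalid liquidity amount")
        round_fn = mul_div_ceil if self.round_up else mul_div_floor
        amount = round_fn(self.idle_balance, liquidity, self.total_liquidity)
        if amount > self.idle_balance:
            raise ValueError("pool insolvent")
        self.total_liquidity -= liquidity
        self.idle_balance -= amount
        return amount


def repeated_withdraw(pool: Pool, liquidity_per_call: int, calls: int) -> tuple[int, int]:
    """Withdraw `liquidity_per_call` `calls` times; return (tokens received, liquidity burned)."""
    received = burned = 0
    for _ in range(calls):
        received += pool.withdraw(liquidity_per_call)
        burned += liquidity_per_call
    return received, burned


def fair_entitlement(idle_before: int, liquidity_before: int, burned: int) -> int:
    """Tokens the burned liquidity was worth at the starting ratio, rounded down."""
    return mul_div_floor(idle_before, burned, liquidity_before)


def dilutes_remaining_lps(idle_before: int, liquidity_before: int, pool: Pool) -> bool:
    """Invariant a withdraw path must keep: value per unit of liquidity must not fall
    for the LPs who remain. Compared by cross-multiplication to stay in integers."""
    return pool.idle_balance * liquidity_before < idle_before * pool.total_liquidity


def simulate(round_up: bool, calls: int = 1000) -> dict:
    # Constructed: 10,000 idle token units against 1,000,000 liquidity,
    # so one liquidity unit is worth 0.01 token units and every payout is fractional.
    idle0, liq0 = 10_000, 1_000_000
    pool = Pool(idle0, liq0, round_up)
    received, burned = repeated_withdraw(pool, 1, calls)
    return {
        "received": received,
        "burned": burned,
        "fair": fair_entitlement(idle0, liq0, burned),
        "diluted": dilutes_remaining_lps(idle0, liq0, pool),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("round_up" if flag else "round_down", simulate(flag))
```

With rounding up, 1,000 withdrawals of a single liquidity unit each pay out a full token unit, 1,000 units in total, for liquidity that was worth 10 units at the starting ratio, and the remaining providers are measurably diluted. With rounding down the same sequence pays out nothing and leaves the ratio intact, which is the correct direction: dust stays with the pool. In Solidity the same decision is made by which multiply-divide variant a function calls (for instance a `mulDiv` with an explicit rounding argument); the rule of thumb is to round payouts to the caller down and amounts the caller owes up, and to fuzz the withdraw path against the dilution invariant above.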

Parameters

  • Protocol Targeted → Bunni (Uniswap v4-based DEX)
  • Vulnerability → Rounding error in the withdraw function, exploited via flash loan and price manipulation
  • Financial Impact → $8.4 million
  • Affected Blockchains → Ethereum, UniChain
  • Attack Type → Flash loan attack, liquidity manipulation, sandwich attack

Outlook

This incident underscores the need for rigorous smart contract auditing and testing, particularly for protocols managing significant liquidity. Developers must treat rounding direction in financial calculations as a security property, not a detail: amounts paid out to a caller should round down and amounts a caller owes should round up, so that any residue favours the protocol, and tests should confirm that repeated small withdrawals can never dilute the remaining liquidity providers. Protocols with similar AMM designs should review their withdrawal and liquidity management functions for analogous rounding errors or logic flaws now rather than after an incident. The event highlights a persistent systemic risk and the need for stronger pre-deployment security assessment to prevent repeat exploits and preserve user trust in the DeFi ecosystem.

The Bunni exploit serves as a stark reminder that even seemingly minor arithmetic flaws in smart contract logic can be catastrophically exploited, necessitating an unyielding commitment to formal verification and exhaustive security testing within the DeFi sector.

Signal Acquired from → halborn.com