Briefing

In September 2025, the Bunni decentralized exchange (DEX), built on Uniswap v4, experienced an $8.4 million exploit. The incident, spanning both Ethereum and UniChain blockchains, stemmed from a critical rounding error within the protocol’s withdraw function, which allowed an attacker to manipulate liquidity pools. This vulnerability enabled the attacker to extract a disproportionate amount of tokens by burning less liquidity than intended, leading to significant financial losses across the affected pools.


Context

Prior to this incident, the decentralized finance (DeFi) landscape had consistently faced risks from unaudited or improperly tested smart contracts. Protocols leveraging complex liquidity mechanisms, such as those based on automated market makers (AMMs), are particularly susceptible to logic flaws that can be exploited through flash loans or price manipulation. The prevailing attack surface often includes subtle arithmetic errors or misconfigurations in core functions that, when combined with adversarial strategies, can lead to substantial capital drain.


Analysis

The attack vector against Bunni involved a sophisticated combination of flash loans, carefully orchestrated token swaps, and a sandwich attack, all leveraging a critical rounding error in the protocol’s withdraw function. The attacker initiated the exploit by taking a flash loan, then performed multiple swaps to manipulate the spot price tick of liquidity pools, specifically the weETH/ETH pool on UniChain and the USDC/USDT pool on Ethereum. This manipulation, combined with the unintended behavior of the withdraw function (which rounded idle balances up instead of down), allowed the attacker to withdraw a larger quantity of tokens while burning a disproportionately smaller amount of liquidity. A subsequent sandwich attack further inflated the pool’s spot price, enabling the attacker to drain additional value and profit after repaying the initial flash loan.
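The rounding-direction flaw described above is easiest to see in a reduced model. The following is an added example, not Bunni's code: a toy pool that holds an idle token balance against a total share supply and pays out a pro-rata slice when shares are burned. `withdraw_rounds_up` rounds the payout in the withdrawer's favour (the flawed direction), `withdraw_rounds_down` rounds it in the pool's favour (the safe direction), and `share_price_never_drops` is the invariant check a protocol could run in tests: after any withdrawal, value per remaining share must not fall. The pool numbers are constructed for illustration.

```python
# Added example (constructed toy model, not the Bunni protocol's code).
# Demonstrates why a pro-rata withdrawal must round against the caller.

def mul_div_down(a: int, b: int, d: int) -> int:
    """floor(a * b / d) in integer arithmetic, as Solidity's mulDiv does."""
    return (a * b) // d

def mul_div_up(a: int, b: int, d: int) -> int:
    """ceil(a * b / d) in integer arithmetic."""
    return -((-a * b) // d)

def withdraw_rounds_up(idle_balance: int, shares_burned: int, total_shares: int) -> int:
    # Flawed direction: every withdrawal can pay out up to 1 unit more than
    # the caller's exact share, and the excess accumulates over many calls.
    return mul_div_up(idle_balance, shares_burned, total_shares)

def withdraw_rounds_down(idle_balance: int, shares_burned: int, total_shares: int) -> int:
    # Safe direction: the caller never receives more than the exact share;
    # dust stays with the pool and its remaining share holders.
    return mul_div_down(idle_balance, shares_burned, total_shares)

def total_paid(withdraw_fn, idle_balance: int, total_shares: int,
               shares_burned: int, rounds: int) -> int:
    """Tokens paid out over `rounds` successive withdrawals of `shares_burned` each."""
    paid = 0
    for _ in range(rounds):
        out = withdraw_fn(idle_balance, shares_burned, total_shares)
        paid += out
        idle_balance -= out
        total_shares -= shares_burned
    return paid

def share_price_never_drops(withdraw_fn, idle_balance: int, total_shares: int,
                            shares_burned: int, rounds: int) -> bool:
    """Invariant test: balance/shares must not decrease after any withdrawal.

    Checked as new_balance * old_shares >= old_balance * new_shares to avoid
    floating point. Returns False on the first violation.
    """
    for _ in range(rounds):
        out = withdraw_fn(idle_balance, shares_burned, total_shares)
        new_balance = idle_balance - out
        new_shares = total_shares - shares_burned
        if new_balance * total_shares < idle_balance * new_shares:
            return False
        idle_balance, total_shares = new_balance, new_shares
    return True

if __name__ == "__main__":
    # Constructed pool: 10,000 idle tokens backing 3,000 shares.
    # Exact value of 100 shares is 10,000 * 100 / 3,000 = 333.33 tokens.
    B, S = 10_000, 3_000
    print("round-up   pays", total_paid(withdraw_rounds_up, B, S, 1, 100), "for 100 shares")
    print("round-down pays", total_paid(withdraw_rounds_down, B, S, 1, 100), "for 100 shares")
    print("invariant holds (round-down):", share_price_never_drops(withdraw_rounds_down, B, S, 1, 100))
    print("invariant holds (round-up):  ", share_price_never_drops(withdraw_rounds_up, B, S, 1, 1))
```

With these numbers, burning 100 shares one at a time yields 400 tokens under the round-up variant versus 300 under the round-down variant, against an exact entitlement of about 333. The per-call excess is at most one unit, which is why the flaw is invisible in a single large withdrawal and only shows up when the invariant is checked across repeated small ones; that is the kind of property-based check the Outlook section's call for reviewing withdrawal functions should include.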


Parameters

  • Protocol Targeted → Bunni (Uniswap v4-based DEX)
  • Vulnerability → Rounding Error in withdraw function, exploited via Flash Loan and Price Manipulation
  • Financial Impact → $8.4 Million
  • Affected Blockchains → Ethereum, UniChain
  • Attack Type → Flash Loan Attack, Liquidity Manipulation, Sandwich Attack


Outlook

This incident underscores the imperative for rigorous, comprehensive smart contract auditing and testing, particularly for protocols managing significant liquidity. Developers must account for edge cases and potential rounding discrepancies in financial calculations, as these can be weaponized by sophisticated attackers. Protocols with similar AMM designs should immediately review their withdrawal and liquidity management functions for analogous rounding errors or logical flaws. The event highlights a persistent systemic risk, necessitating enhanced pre-deployment security assessments to prevent future exploits and reinforce user trust in the DeFi ecosystem.

The Bunni exploit serves as a stark reminder that even seemingly minor arithmetic flaws in smart contract logic can be catastrophically exploited, necessitating an unyielding commitment to formal verification and exhaustive security testing within the DeFi sector.

Signal Acquired from → halborn.com
