Briefing

In September 2025, the Bunni decentralized exchange (DEX), built on Uniswap v4, experienced an $8.4 million exploit. The incident, spanning both Ethereum and UniChain blockchains, stemmed from a critical rounding error within the protocol’s withdraw function, which allowed an attacker to manipulate liquidity pools. This vulnerability enabled the attacker to extract a disproportionate amount of tokens by burning less liquidity than intended, leading to significant financial losses across the affected pools.


Context

Prior to this incident, the decentralized finance (DeFi) landscape had consistently faced risks from unaudited or improperly tested smart contracts. Protocols leveraging complex liquidity mechanisms, such as those based on automated market makers (AMMs), are particularly susceptible to logic flaws that can be exploited through flash loans or price manipulation. The prevailing attack surface often includes subtle arithmetic errors or misconfigurations in core functions that, when combined with adversarial strategies, can lead to substantial capital drain.


Analysis

The attack vector against Bunni involved a sophisticated combination of flash loans, carefully orchestrated token swaps, and a sandwich attack, all leveraging a critical rounding error in the protocol’s withdraw function. The attacker initiated the exploit by taking a flash loan, then performed multiple swaps to manipulate the spot price tick of liquidity pools, specifically the weETH/ETH pool on UniChain and the USDC/USDT pool on Ethereum. This manipulation, combined with the unintended behavior of the withdraw function (which rounded idle balances up instead of down), allowed the attacker to withdraw a larger quantity of tokens while burning a disproportionately smaller amount of liquidity. A subsequent sandwich attack further inflated the pool’s spot price, enabling the attacker to drain additional value and profit after repaying the initial flash loan.
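The rounding direction at the heart of this incident, as an added illustration (not Bunni's code and not Uniswap v4 hook logic): a simplified integer model of a pro-rata withdraw over a constructed pool, contrasting rounding the payout up with rounding it down and checking the invariant that a withdrawal must never dilute the liquidity providers who stay behind.

```python
from dataclasses import dataclass, replace

@dataclass
class Pool:
    idle_balance: int     # raw token units held by the pool (constructed value)
    total_liquidity: int  # LP shares outstanding (constructed value)

def mul_div(a: int, b: int, d: int, round_up: bool) -> int:
    """a*b/d in unbounded integers with an explicit rounding direction,
    the choice Solidity math libraries expose as mulDiv / mulDivRoundingUp."""
    q, r = divmod(a * b, d)
    return q + 1 if (round_up and r) else q

def withdraw(pool: Pool, shares: int, round_up: bool) -> int:
    """Burn `shares` and pay out the pro-rata slice of the idle balance.
    round_up=True models the defect described above: every inexact division
    rounds in the withdrawer's favour, so value leaks from the other LPs."""
    if shares <= 0 or shares > pool.total_liquidity:
        raise ValueError("invalid share amount")
    amount = mul_div(pool.idle_balance, shares, pool.total_liquidity, round_up)
    pool.idle_balance -= amount
    pool.total_liquidity -= shares
    return amount

def remaining_lps_unharmed(before: Pool, after: Pool) -> bool:
    """Invariant a withdraw must preserve: value per remaining share never falls.
    Cross-multiplied so no fractional arithmetic is needed."""
    return (after.idle_balance * before.total_liquidity
            >= before.idle_balance * after.total_liquidity)

def simulate(shares_per_call: int, calls: int, round_up: bool) -> int:
    """Repeat small withdrawals against a constructed pool (1,000,000 units
    backing 3,000,000 shares, so every pro-rata amount is inexact) and return
    the total paid out; fair value for 100 calls of 7 shares is ~233 units."""
    pool = Pool(idle_balance=1_000_000, total_liquidity=3_000_000)
    return sum(withdraw(pool, shares_per_call, round_up) for _ in range(calls))

if __name__ == "__main__":
    before = Pool(1_000_000, 3_000_000)
    for round_up in (True, False):
        after = replace(before)
        paid = withdraw(after, 7, round_up)
        print(f"round_up={round_up}: paid {paid} for 7 shares, "
              f"remaining LPs unharmed: {remaining_lps_unharmed(before, after)}")
    print("100 withdrawals of 7 shares: round up pays", simulate(7, 100, True),
          "vs round down", simulate(7, 100, False))
```

The invariant check is the kind of property a test suite or an on-chain assertion can enforce regardless of which rounding helper a future refactor picks.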


Parameters

  • Protocol Targeted → Bunni (Uniswap v4-based DEX)
  • Vulnerability → Rounding Error in withdraw function, exploited via Flash Loan and Price Manipulation
  • Financial Impact → $8.4 Million
  • Affected Blockchains → Ethereum, UniChain
  • Attack Type → Flash Loan Attack, Liquidity Manipulation, Sandwich Attack


Outlook

This incident underscores the imperative for rigorous, comprehensive smart contract auditing and testing, particularly for protocols managing significant liquidity. Developers must account for edge cases and potential rounding discrepancies in financial calculations, as these can be weaponized by sophisticated attackers. Protocols with similar AMM designs should immediately review their withdrawal and liquidity management functions for analogous rounding errors or logical flaws. The event highlights a persistent systemic risk, necessitating enhanced pre-deployment security assessments to prevent future exploits and reinforce user trust in the DeFi ecosystem.

The Bunni exploit serves as a stark reminder that even seemingly minor arithmetic flaws in smart contract logic can be catastrophically exploited, necessitating an unyielding commitment to formal verification and exhaustive security testing within the DeFi sector.

Signal Acquired from → halborn.com
