Briefing

The Bunni decentralized exchange (DEX) was recently compromised by a sophisticated flash loan attack that exploited a critical rounding error in its liquidity withdrawal mechanism across Ethereum and UniChain. This vulnerability allowed an attacker to disproportionately drain assets from liquidity pools, directly impacting user funds and protocol integrity. The incident resulted in a total financial loss of $8.4 million, highlighting severe flaws in the smart contract’s fundamental logic.

Context

Before this incident, the DeFi ecosystem had already faced persistent risks from complex smart contract interactions, particularly in liquidity provision mechanisms. Rounding errors, though often subtle, are a known class of vulnerability that flash loans can leverage to manipulate protocol state and asset balances. The inherent composability of DeFi protocols expands the attack surface, making rigorous, multi-faceted audits essential to prevent such exploits.

Analysis

The attack targeted Bunni’s smart contract logic, specifically the withdraw function of its liquidity pools. The attacker took out a flash loan to obtain substantial capital, then executed a series of carefully timed swaps in the weETH/ETH and USDC/USDT pools. These swaps set up a critical rounding error: the withdraw function was meant to round idle balances down but rounded in the wrong direction, so the attacker extracted more tokens while burning less liquidity. A subsequent sandwich attack amplified the price distortion further, letting the attacker drain significant value from the pools and keep a profit after repaying the flash loan.
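As an added illustration (not Bunni's code or its audited contract), the following Python model of a share-based withdraw shows why the rounding direction matters and the invariant an auditor checks: a withdrawal must never pay out more than the pro-rata value of the shares burned, however the caller splits it. The `Pool` class, the `mul_div_up`/`mul_div_down` helpers and the 1.5-tokens-per-share figures are constructed assumptions.

```python
from dataclasses import dataclass

def mul_div_down(a: int, b: int, d: int) -> int:
    """floor(a * b / d): the direction a payout to the caller must round."""
    return a * b // d

def mul_div_up(a: int, b: int, d: int) -> int:
    """ceil(a * b / d): rounds in the caller's favour (the defect modelled here)."""
    return -(-(a * b) // d)

@dataclass
class Pool:
    idle: int               # idle token balance held by the pool (constructed model)
    total_shares: int       # liquidity shares outstanding
    round_up: bool = False  # True models a withdraw that rounds toward the caller

    def withdraw(self, shares: int) -> int:
        """Burn `shares` and pay out the matching slice of the idle balance."""
        assert 0 < shares <= self.total_shares
        f = mul_div_up if self.round_up else mul_div_down
        pay = f(shares, self.idle, self.total_shares)
        self.idle -= pay
        self.total_shares -= shares
        return pay

def fair_value(pool: Pool, shares: int) -> int:
    """Pro-rata value of `shares` at the current idle/share ratio, rounded down."""
    return mul_div_down(shares, pool.idle, pool.total_shares)

def withdraw_in_chunks(pool: Pool, shares: int, chunk: int) -> int:
    """Withdraw `shares` in pieces of at most `chunk`; return the total paid out."""
    paid = 0
    while shares > 0:
        step = min(chunk, shares)
        paid += pool.withdraw(step)
        shares -= step
    return paid

def payout_excess(round_up: bool, chunk: int = 1) -> int:
    """Tokens paid beyond fair value when a holder of 1_000 shares exits a pool
    holding 1.5 tokens per share (constructed numbers); positive means the
    withdraw paid out value that belonged to the other liquidity providers."""
    pool = Pool(idle=15_000, total_shares=10_000, round_up=round_up)
    fair = fair_value(pool, 1_000)
    return withdraw_in_chunks(pool, 1_000, chunk) - fair

if __name__ == "__main__":
    print("round-down excess:", payout_excess(False))  # -> -500 (pool keeps the dust)
    print("round-up excess:", payout_excess(True))     # -> 500 (leaked to the caller)
```

With correct round-down the pool's idle-per-share ratio can only rise as shares are burned, so the remaining providers are never short; with round-up, splitting the exit into many small withdrawals turns each rounding step into a transfer from them to the caller.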

Parameters

  • Protocol Targeted → Bunni DEX
  • Attack Vector → Flash Loan & Rounding Error Exploit
  • Total Financial Impact → $8.4 Million
  • Affected Blockchains → Ethereum, UniChain
  • Vulnerability Root Cause → Smart contract withdraw function rounding error

Outlook

This incident underscores the critical need for exhaustive smart contract auditing, particularly focusing on edge cases and precision in arithmetic operations within liquidity mechanisms. Protocols employing similar Uniswap v4-based liquidity management should immediately review their withdraw functions for comparable rounding vulnerabilities. The broader DeFi community must adopt more stringent pre-deployment testing and formal verification methods to prevent such subtle yet devastating logic flaws from becoming systemic risks.

Verdict

The Bunni hack serves as a stark reminder that even seemingly minor arithmetic flaws in smart contract logic can be weaponized by sophisticated flash loan attacks, necessitating an unyielding commitment to precision in DeFi security.

Signal Acquired from → Halborn