Briefing

The Bunni decentralized exchange (DEX) was recently compromised by a sophisticated flash loan attack that exploited a critical rounding error in its liquidity withdrawal mechanism across Ethereum and UniChain. This vulnerability allowed an attacker to disproportionately drain assets from liquidity pools, directly impacting user funds and protocol integrity. The incident resulted in a total financial loss of $8.4 million, highlighting severe flaws in the smart contract’s fundamental logic.


Context

Even before this incident, the DeFi ecosystem had consistently faced risks from complex smart contract interactions, particularly in liquidity provision mechanisms. Rounding errors, while often subtle, represent a known class of vulnerability that can be leveraged by flash loans to manipulate protocol state and asset balances. The inherent composability of DeFi protocols expands the attack surface, making rigorous, multi-faceted audits essential to prevent such exploits.


Analysis

The attack targeted Bunni’s smart contract logic, specifically its withdraw function within liquidity pools. The attacker initiated a flash loan to acquire substantial capital, which was then used to execute a series of carefully timed swaps within the weETH/ETH and USDC/USDT pools. This manipulation exploited a critical rounding error: the withdraw function, intended to round down idle balances, inadvertently rounded in the withdrawer's favour, allowing the attacker to extract more tokens while burning less liquidity. A subsequent sandwich attack further amplified the price distortion, enabling the attacker to drain significant value from the pools and profit after repaying the flash loan.
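As an added illustration (not Bunni's code and not taken from Halborn's analysis), the hypothetical single-asset pool below shows the rounding direction the briefing describes: a withdraw preview that rounds the payout up against the pool beside one that rounds it down, plus the per-share invariant a withdraw path can assert before committing state. All contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified pool used only to illustrate rounding direction in a withdraw
/// path. Hypothetical example; token transfers are omitted for brevity.
contract RoundingDemoPool {
    uint256 public totalShares;
    uint256 public idleBalance; // assets the pool currently holds
    mapping(address => uint256) public shares;

    constructor(uint256 initialAssets, uint256 initialShares) {
        idleBalance = initialAssets;
        totalShares = initialShares;
        shares[msg.sender] = initialShares;
    }

    // Rounds the quotient UP: each call pays out up to one unit more than the
    // burned shares are worth, so repeated small withdrawals drift value
    // from the remaining LPs to the withdrawer. This is the defect pattern.
    function previewWithdrawVulnerable(uint256 sharesToBurn) public view returns (uint256) {
        return (sharesToBurn * idleBalance + totalShares - 1) / totalShares;
    }

    // Rounds DOWN in the pool's favour, the direction a withdraw path should use.
    function previewWithdrawFixed(uint256 sharesToBurn) public view returns (uint256) {
        return (sharesToBurn * idleBalance) / totalShares;
    }

    function withdraw(uint256 sharesToBurn) external returns (uint256 assetsOut) {
        require(shares[msg.sender] >= sharesToBurn, "insufficient shares");
        assetsOut = previewWithdrawFixed(sharesToBurn);

        uint256 newIdle = idleBalance - assetsOut;
        uint256 newShares = totalShares - sharesToBurn;
        // Invariant: assets per remaining share must not decrease, i.e.
        // newIdle / newShares >= idleBalance / totalShares (cross-multiplied
        // to avoid division). A round-up payout can violate this; a
        // round-down payout never does.
        require(
            newShares == 0 || newIdle * totalShares >= idleBalance * newShares,
            "withdraw rounding favours withdrawer"
        );

        shares[msg.sender] -= sharesToBurn;
        totalShares = newShares;
        idleBalance = newIdle;
    }
}
```

With 1,000 assets backing 3 shares, burning 1 share previews 334 under the rounded-up path and 333 under the fixed path; only the latter keeps the remaining two shares' backing at or above the pre-withdrawal 333.33 each.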


Parameters

  • Protocol Targeted → Bunni DEX
  • Attack Vector → Flash Loan & Rounding Error Exploit
  • Total Financial Impact → $8.4 Million
  • Affected Blockchains → Ethereum, UniChain
  • Vulnerability Root Cause → Smart contract withdraw function rounding error


Outlook

This incident underscores the critical need for exhaustive smart contract auditing, particularly focusing on edge cases and precision in arithmetic operations within liquidity mechanisms. Protocols employing similar Uniswap v4-based liquidity management should immediately review their withdraw functions for comparable rounding vulnerabilities. The broader DeFi community must adopt more stringent pre-deployment testing and formal verification methods to prevent such subtle yet devastating logic flaws from becoming systemic risks.


Verdict

The Bunni hack serves as a stark reminder that even seemingly minor arithmetic flaws in smart contract logic can be weaponized by sophisticated flash loan attacks, necessitating an unyielding commitment to precision in DeFi security.

Signal Acquired from → Halborn