Briefing

The Bunni decentralized exchange (DEX) was recently compromised by a sophisticated flash loan attack that exploited a critical rounding error in its liquidity withdrawal mechanism across Ethereum and UniChain. This vulnerability allowed an attacker to disproportionately drain assets from liquidity pools, directly impacting user funds and protocol integrity. The incident resulted in a total financial loss of $8.4 million, highlighting severe flaws in the smart contract’s fundamental logic.

Context

Long before this incident, the DeFi ecosystem had repeatedly faced risks from complex smart contract interactions, particularly in liquidity provision mechanisms. Rounding errors, while often subtle, are a known class of vulnerability that flash loans can amplify to manipulate protocol state and asset balances. The inherent composability of DeFi protocols expands the attack surface, making rigorous, multi-faceted audits essential to prevent such exploits.

Analysis

The attack targeted Bunni’s smart contract logic, specifically the withdraw function of its liquidity pools. The attacker took a flash loan to obtain substantial capital, then executed a series of carefully timed swaps in the weETH/ETH and USDC/USDT pools. This manipulation exploited a critical rounding error: the withdraw function was intended to round idle balances down, but rounded in the attacker’s favour instead, allowing more tokens to be extracted while less liquidity was burned. A subsequent sandwich attack further amplified the price distortion, enabling the attacker to drain significant value from the pools and profit after repaying the flash loan.

Parameters

  • Protocol Targeted → Bunni DEX
  • Attack Vector → Flash Loan & Rounding Error Exploit
  • Total Financial Impact → $8.4 Million
  • Affected Blockchains → Ethereum, UniChain
  • Vulnerability Root Cause → Smart contract withdraw function rounding error

Outlook

This incident underscores the critical need for exhaustive smart contract auditing, particularly focusing on edge cases and precision in arithmetic operations within liquidity mechanisms. Protocols employing similar Uniswap v4-based liquidity management should immediately review their withdraw functions for comparable rounding vulnerabilities. The broader DeFi community must adopt more stringent pre-deployment testing and formal verification methods to prevent such subtle yet devastating logic flaws from becoming systemic risks.

Verdict

The Bunni hack serves as a stark reminder that even seemingly minor arithmetic flaws in smart contract logic can be weaponized by sophisticated flash loan attacks, necessitating an unyielding commitment to precision in DeFi security.

Signal Acquired from → Halborn

Micro Crypto News Feeds