Briefing

The Bunni decentralized exchange suffered a catastrophic $8.4 million exploit that leveraged a precision bug in its custom Liquidity Distribution Function (LDF). This systemic failure forced the protocol to cease operations, underscoring the extreme risk of unaudited custom logic in core DeFi primitives. The attacker used a flash loan to manipulate pool balances, exploiting a rounding error in the withdrawal logic to systematically drain $8.4 million across Ethereum and UniChain deployments.


Context

The prevailing risk factor for protocols built on established Automated Market Maker (AMM) frameworks is the introduction of custom ‘hook’ logic. While designed for efficiency, this bespoke code often lacks the battle-testing of the core AMM, creating an expanded and novel attack surface where subtle arithmetic errors can be weaponized. The incident highlights that complexity in liquidity rebalancing logic is directly proportional to unmitigated security debt.


Analysis

The attack vector began with a flash loan to borrow a large asset quantity, which the attacker used to execute a series of carefully sized swaps. This action deliberately pushed the target pool’s token balance to a minimal, ‘dust’ level, forcing the custom LDF to trigger a rebalancing calculation. The core flaw was a rounding error in the withdrawal function that incorrectly calculated the idle balance, allowing the attacker to burn less liquidity while withdrawing a disproportionately larger amount of tokens. This systematic manipulation enabled the extraction of $8.4 million in profit.


Parameters

  • Total Funds Lost → $8.4 Million (The total value drained from liquidity pools across Ethereum and UniChain)
  • Vulnerability Type → Precision Rounding Error (A logic flaw in the custom Liquidity Distribution Function)
  • Attack Vector → Flash Loan Manipulation (Used to unbalance the pool and trigger the flawed logic)
  • Affected Chains → Ethereum and UniChain (The exploit was successful on deployments across both networks)
  • Recent Activity → $7.3 Million (Amount of stolen ETH recently laundered via Tornado Cash)


Outlook

Protocols utilizing custom AMM logic must immediately conduct a full, independent formal verification of all non-standard functions to eliminate precision and rounding vulnerabilities. The contagion risk remains low for core AMM protocols but is high for forks and projects that reuse the vulnerable LDF code. This incident will establish a new best practice → treating custom liquidity logic as a high-privilege attack surface that requires the same audit rigor as the core smart contract invariants.
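The Analysis section describes a withdrawal that pays out a disproportionate token amount because rounding goes in the withdrawer's favour, and the Outlook calls for verifying non-standard functions against invariants. The following toy model, added here as an illustration and not Bunni's LDF or any deployed contract's code, shows both: a withdrawal that computes the payout as `reserve - floor(remaining)` (which rounds the payout up), the same withdrawal hardened to round down, and a share-fraction invariant that a verifier or fuzzer can check. The pool sizes, the single-token share accounting and the function names are all assumptions chosen for the demonstration; the dust-level reserve mirrors the pool state the article says the swaps produced.

```python
import random
from dataclasses import dataclass

# Constructed toy model of share accounting for a single-token pool, added as an
# example for this page. It is not Bunni's LDF or any real contract; reserve and
# share figures are assumptions chosen to expose the rounding-direction issue.


@dataclass
class Pool:
    reserve: int        # tokens held by the pool (integer units, like uint256)
    total_shares: int   # liquidity shares outstanding


def mul_div_floor(a: int, b: int, d: int) -> int:
    """Integer a*b/d rounded down, the way Solidity's default division behaves."""
    return a * b // d


def withdraw_vulnerable(pool: Pool, shares: int) -> int:
    """Payout = reserve - floor(reserve * remaining_shares / total_shares).

    Subtracting a floor-rounded remainder rounds the payout UP, so the
    withdrawer can receive up to one whole unit more than their share.
    """
    remaining_shares = pool.total_shares - shares
    remaining_reserve = mul_div_floor(pool.reserve, remaining_shares, pool.total_shares)
    out = pool.reserve - remaining_reserve
    pool.reserve -= out
    pool.total_shares -= shares
    return out


def withdraw_hardened(pool: Pool, shares: int) -> int:
    """Payout = floor(reserve * shares / total_shares): rounds DOWN, against the withdrawer."""
    out = mul_div_floor(pool.reserve, shares, pool.total_shares)
    pool.reserve -= out
    pool.total_shares -= shares
    return out


def share_invariant_holds(reserve_before: int, shares_before: int,
                          out: int, shares_burned: int) -> bool:
    """Invariant worth specifying for any withdrawal path: the fraction of tokens
    paid out never exceeds the fraction of shares burned,
    i.e. out / reserve <= shares_burned / total_shares, written without division."""
    return out * shares_before <= shares_burned * reserve_before


def drain_dust_pool(withdraw, reserve: int = 10, total_shares: int = 1000, steps: int = 10):
    """Burn one share at a time from a pool whose reserve sits at a dust level.
    Returns (tokens received, shares burned)."""
    pool = Pool(reserve, total_shares)
    received = 0
    for _ in range(steps):
        received += withdraw(pool, 1)
    return received, steps


def fuzz_invariant(withdraw, trials: int = 2000, seed: int = 1) -> int:
    """Random-state check of the invariant; returns the number of violations."""
    rng = random.Random(seed)
    violations = 0
    for _ in range(trials):
        total = rng.randint(1, 10**6)
        reserve = rng.randint(0, 10**6)
        shares = rng.randint(1, total)
        pool = Pool(reserve, total)
        out = withdraw(pool, shares)
        if not share_invariant_holds(reserve, total, out, shares):
            violations += 1
    return violations


if __name__ == "__main__":
    # With reserve 10 and 1000 shares, one share is worth 0.01 tokens. The
    # vulnerable path pays 1 token per share burned and empties the pool for 1%
    # of the shares; the hardened path pays 0 until enough shares are burned.
    print("vulnerable:", drain_dust_pool(withdraw_vulnerable))
    print("hardened:  ", drain_dust_pool(withdraw_hardened))
    print("invariant violations, vulnerable:", fuzz_invariant(withdraw_vulnerable))
    print("invariant violations, hardened:  ", fuzz_invariant(withdraw_hardened))
```

The invariant in `share_invariant_holds` is the kind of property the Outlook paragraph is asking protocols to verify: it is stated without division, so it can be asserted directly in a Solidity test or encoded as a postcondition for a formal tool, and the fuzz loop shows it failing for the favourable-rounding path on ordinary random states, not only at the dust-level extreme.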


Verdict

The Bunni DEX exploit serves as a definitive case study that custom liquidity logic, even when layered on audited primitives, introduces unmanageable precision risk and should be treated as a critical security failure point.

Tags → Flash Loan Attack, Precision Bug, Rounding Error, Liquidity Pool Drain, Automated Market Maker, Custom Logic Flaw, Smart Contract Exploit, Decentralized Exchange, Liquidity Distribution Function, Arithmetic Vulnerability, Cross-Chain Exploit, Asset Laundering, Tornado Cash, Post-Mortem Analysis, Protocol Shutdown, Token Swaps, On-Chain Forensics, Systemic Risk, DeFi Security, Smart Contract Audit

Signal Acquired from → halborn.com

Micro Crypto News Feeds

decentralized exchange

Definition ∞ A Decentralized Exchange (DEX) is a cryptocurrency trading platform that operates without a central intermediary or custodian.

automated market maker

Definition ∞ An Automated Market Maker, or AMM, is a type of decentralized exchange protocol that relies on mathematical formulas to price assets rather than traditional order books.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

liquidity distribution

Definition ∞ Liquidity distribution describes how readily available assets for trading are spread across various exchanges, decentralized protocols, and trading pairs within the digital asset market.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

attack surface

Definition ∞ An attack surface represents the sum of all possible points where an unauthorized user can attempt to access or extract data from a system.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.