Briefing

The Bunni decentralized exchange suffered a catastrophic $8.4 million exploit that leveraged a precision bug in its custom Liquidity Distribution Function (LDF). The failure forced the protocol to cease operations and underscores the extreme risk of unaudited custom logic in core DeFi primitives. The attacker used a flash loan to manipulate pool balances and exploited a rounding error in the withdrawal logic to systematically drain funds from the Ethereum and UniChain deployments.


Context

The prevailing risk factor for protocols built on established Automated Market Maker (AMM) frameworks is the introduction of custom ‘hook’ logic. While designed for efficiency, this bespoke code often lacks the battle-testing of the core AMM, creating an expanded and novel attack surface where subtle arithmetic errors can be weaponized. The incident highlights that complexity in liquidity rebalancing logic is directly proportional to unmitigated security debt.


Analysis

The attack began with a flash loan that borrowed a large quantity of assets, which the attacker used to execute a series of carefully sized swaps. These swaps deliberately pushed the target pool's token balance down to a minimal, 'dust' level, forcing the custom LDF to trigger a rebalancing calculation. The core flaw was a rounding error in the withdrawal function that miscalculated the idle balance, allowing the attacker to burn less liquidity while withdrawing a disproportionately larger amount of tokens. Repeating this cycle extracted $8.4 million in profit.
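To make the rounding-direction point concrete, the following is an added, constructed toy (not Bunni's LDF or withdrawal code): a share-based pool that burns LP shares for an exact asset withdrawal, with the floor and ceiling choices side by side and an exhaustive check of the value-per-share invariant over small pool states, which is exactly the regime a pool pushed to dust ends up in.

```python
"""Rounding direction in a share-based pool withdrawal.

Constructed toy for this briefing, not Bunni's LDF or withdrawal code. LP
shares are a claim on `reserve`; when an LP takes out an exact asset amount
the pool must decide how many shares to burn. EVM integer division truncates,
so the only real choice is who the lost fraction favours: rounding the shares
burned down favours the withdrawer and leaks value from the remaining LPs.
"""

def shares_to_burn(assets_out: int, reserve: int, total_shares: int,
                   round_against_lp: bool) -> int:
    """Shares owed for `assets_out`: assets_out * total_shares / reserve."""
    num = assets_out * total_shares
    if round_against_lp:
        return -(-num // reserve)  # ceil: the withdrawer absorbs the fraction
    return num // reserve          # floor: the pool absorbs it (vulnerable)

def withdraw_keeps_value(assets_out: int, reserve: int, total_shares: int,
                         round_against_lp: bool) -> bool:
    """Invariant: value per remaining share must not drop after a withdrawal.

    reserve_after / shares_after >= reserve / total_shares, cross-multiplied
    so the check itself stays in exact integer arithmetic.
    """
    burned = shares_to_burn(assets_out, reserve, total_shares, round_against_lp)
    reserve_after = reserve - assets_out
    shares_after = total_shares - burned
    return reserve_after * total_shares >= reserve * shares_after

def count_violations(round_against_lp: bool, max_reserve: int = 20,
                     max_shares: int = 20) -> int:
    """Exhaustively check every small (reserve, shares, amount) pool state."""
    bad = 0
    for reserve in range(1, max_reserve + 1):
        for total_shares in range(1, max_shares + 1):
            for assets_out in range(1, reserve + 1):
                if not withdraw_keeps_value(assets_out, reserve, total_shares,
                                            round_against_lp):
                    bad += 1
    return bad

if __name__ == "__main__":
    # Constructed dust state: 3 units left in reserve, 2 LP shares outstanding.
    print("floor burns", shares_to_burn(1, 3, 2, False), "share(s) for 1 unit")  # 0
    print("ceil  burns", shares_to_burn(1, 3, 2, True), "share(s) for 1 unit")   # 1
    print("violations, floor:", count_violations(False))
    print("violations, ceil: ", count_violations(True))  # 0
```

Rounding shares burned up (and assets paid out down) is the same convention ERC-4626 vaults use; the exhaustive loop is the kind of invariant test the Outlook section asks for on every non-standard arithmetic path.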


Parameters

  • Total Funds Lost → $8.4 Million (The total value drained from liquidity pools across Ethereum and UniChain)
  • Vulnerability Type → Precision Rounding Error (A logic flaw in the custom Liquidity Distribution Function)
  • Attack Vector → Flash Loan Manipulation (Used to unbalance the pool and trigger the flawed logic)
  • Affected Chains → Ethereum and UniChain (The exploit was successful on deployments across both networks)
  • Recent Activity → $7.3 Million (Amount of stolen ETH recently laundered via Tornado Cash)


Outlook

Protocols utilizing custom AMM logic must immediately conduct a full, independent formal verification of all non-standard functions to eliminate precision and rounding vulnerabilities. The contagion risk remains low for core AMM protocols but is high for forks and projects that reuse the vulnerable LDF code. This incident will establish a new best practice → treating custom liquidity logic as a high-privilege attack surface that requires the same audit rigor as the core smart contract invariants.


Verdict

The Bunni DEX exploit serves as a definitive case study that custom liquidity logic, even when layered on audited primitives, introduces unmanageable precision risk and should be treated as a critical security failure point.

Flash Loan Attack, Precision Bug, Rounding Error, Liquidity Pool Drain, Automated Market Maker, Custom Logic Flaw, Smart Contract Exploit, Decentralized Exchange, Liquidity Distribution Function, Arithmetic Vulnerability, Cross-Chain Exploit, Asset Laundering, Tornado Cash, Post-Mortem Analysis, Protocol Shutdown, Token Swaps, On-Chain Forensics, Systemic Risk, DeFi Security, Smart Contract Audit

Signal Acquired from → halborn.com


decentralized exchange

Definition ∞ A Decentralized Exchange (DEX) is a cryptocurrency trading platform that operates without a central intermediary or custodian.

automated market maker

Definition ∞ An Automated Market Maker, or AMM, is a type of decentralized exchange protocol that relies on mathematical formulas to price assets rather than traditional order books.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

liquidity distribution

Definition ∞ Liquidity distribution describes how readily available assets for trading are spread across various exchanges, decentralized protocols, and trading pairs within the digital asset market.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

attack surface

Definition ∞ An attack surface represents the sum of all possible points where an unauthorized user can attempt to access or extract data from a system.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.