
Bunni Hit by $8.4M Flash-Loan Exploit — ‘Rounding Error’ Blamed


Decentralized finance protocol Bunni suffered an $8.4 million exploit on September 2, after a sophisticated attacker used a flash loan to manipulate liquidity pools on both Ethereum and Unichain.

The incident, which targeted the weETH/ETH and USDC/USDT pools, has been attributed to a flaw in Bunni’s smart contract logic involving rounding errors.

Bunni Blames Rounding Bug for $2.3M Exploit, Offers 10% Bounty

According to Bunni’s post-mortem, the exploit was executed in three phases. The attacker first borrowed 3 million USDT through a flash loan, using it to push the USDC/USDT pool’s spot price to an extreme level.

With the pool’s active USDC balance reduced to just 28 wei, the exploiter made 44 small withdrawals. Each withdrawal triggered a rounding error in Bunni’s code, and together they disproportionately reduced the pool’s liquidity by over 84%.

With liquidity artificially suppressed, the attacker carried out a sandwich attack, executing large swaps that pushed prices to distorted values.

By reversing the earlier liquidity reduction, they extracted profits before repaying the flash loan. In total, the exploit yielded roughly 1.33 million USDC and 1 million USDT for the attacker.

Blockchain security firm Cyfrin confirmed that the vulnerability stemmed from how Bunni’s smart contract rounded balances during withdrawals.

While the mechanism was designed to favor pool safety by underestimating liquidity, repeated tiny withdrawals created conditions that allowed the rounding logic to be exploited at scale. With only 28 wei of active balance, a single wei of rounding error is a material fraction of the pool’s liquidity, and repeating the withdrawal lets that error accumulate.

Bunni noted that its largest pool, Unichain’s USDC/USD₮0 pair, was spared because there was not enough flash-loan liquidity available to mount an attack. Exploiting that pool would have required roughly $17 million in borrowed assets, but only $11 million was available across lending venues at the time.

Bunni confirmed that the stolen assets are now split across two wallets linked to the attacker. Investigators traced the origins of the funds but hit a dead end after discovering the wallets had been funded through Tornado Cash, a sanctioned privacy tool.

The team has contacted the exploiter directly on-chain, offering a 10% bounty in exchange for the return of the remaining funds. Centralized exchanges have also been notified to block any attempted off-ramps, and law enforcement has been engaged to pursue recovery options.

In the immediate aftermath, Bunni paused all operations, but it has since re-enabled withdrawals so that liquidity providers can recover their deposits. Deposits and swaps remain frozen while developers work on a fix.

Changing the rounding direction of the affected function neutralizes the current exploit vector, though the team acknowledged that more extensive testing and security improvements are needed before reopening fully.

Bunni, operated by a six-person team, said it remains committed to continuing development despite the setback. The protocol introduced novel concepts such as Liquidity Density Functions (LDFs), which the team claims represent a new generation of automated market makers.

“We spent years building Bunni because we believe it’s the future of AMMs,” the team said in its statement, while pledging to strengthen its codebase and testing frameworks to prevent similar attacks.

August Marks Third-Worst Month for Crypto Security as $163M Lost to Hacks and Scams

Bunni, which once boasted over $80 million in total value locked (TVL) on BNB Chain, now holds just above $50 million following the exploit. The incident adds to a string of attacks and scams hammering the sector.

Just a day earlier, a Venus Protocol user lost $13.5 million in a phishing scam. According to blockchain security firm PeckShield, the victim unknowingly approved a malicious transaction, granting token permissions that enabled the theft.

While initial reports suggested $27 million had been drained, later analysis showed that debt positions had been mistakenly included in the figure. Venus stressed that its smart contracts remained secure and confirmed that only the user’s account was compromised.

The incident followed a surge in crypto-related exploits in August, with PeckShield data showing $163 million stolen across 16 major attacks, up from $142 million in July. The losses made August the third-worst month for crypto security in 2025.

The largest single theft occurred on August 19, when a Bitcoin holder lost 783 BTC, worth $91.4 million, in a social engineering scheme. Attackers allegedly posed as hardware wallet support staff to obtain sensitive credentials before laundering the funds through Wasabi Wallet.

The Turkish exchange BtcTurk was also hit, losing $54 million in a multi-chain hot wallet breach spanning seven blockchain networks. The incident brought its cumulative losses to over $100 million following a previous hack in June 2024.

Other notable cases included ODIN•FUN’s $7 million loss, BetterBank.io’s $5 million exploit, and CrediX Finance’s $4.5 million collapse, which became an exit scam after the developers abandoned the project.

With phishing, exchange vulnerabilities, and exit scams driving mounting losses, August underscored how both technical flaws and human error continue to plague the crypto industry.

The publish Bunni Hit by $8.4M Flash-Loan Exploit — ‘Rounding Error’ Blamed appeared first on Cryptonews.
