Decentralized finance protocol Bunni found itself at the center of a major exploit on September 2, losing $8.4 million to a sophisticated attacker who used a flash loan to manipulate liquidity pools on both Ethereum and Unichain. The attack specifically targeted the weETH/ETH and USDC/USDT pools, and the root cause was identified as a rounding error in Bunni’s smart contract logic.
According to Bunni’s post-mortem report, the exploit unfolded in three distinct stages. First, the attacker borrowed 3 million USDT through a flash loan and used this capital to push the spot price of the USDC/USDT pool to extreme levels. Having reduced the active USDC balance in the pool to an incredibly low value, the attacker then executed 44 small withdrawals, exploiting a rounding error in Bunni’s code that decreased the pool’s liquidity by over 84%.
Subsequently, the attacker engaged in a sandwich attack by executing large swaps that distorted prices, allowing them to extract profits before repaying the flash loan. The exploit ultimately yielded the attacker approximately 1.33 million USDC and 1 million USDT. Cybersecurity firm Cyfrin confirmed that the vulnerability stemmed from the way Bunni’s smart contract rounded balances during withdrawals. The exploit was made possible by repeated tiny withdrawals that created conditions for the rounding logic to be exploited on a larger scale.
Bunni’s largest pool, the USDC/USD₮0 pair on Unichain, was spared because there was not enough flash loan liquidity available to mount an assault. The stolen assets were traced back to two wallets linked to the attacker. However, efforts to recover the funds hit a roadblock when it was discovered that the wallets were funded through Tornado Cash, a privacy tool that complicates tracing transactions.
In response to the exploit, Bunni took swift action by pausing all operations initially but has since enabled withdrawals to allow liquidity providers to retrieve their assets. While deposits and swaps remain frozen as developers work on a fix, the team has identified changing the rounding direction of the affected function as a solution to neutralize the current exploit vector. However, the team acknowledged the need for more extensive testing and security enhancements before fully reopening operations.
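The post-mortem’s two points, that repeated tiny withdrawals amplify a rounding error and that flipping the rounding direction of the withdrawal function closes the hole, can be checked against a constructed, simplified share-based pool. This is an added example written for this article, not Bunni’s contract or its actual arithmetic; the pool model, the numbers and the invariant are assumptions used to show the general principle that withdrawals must round in the pool’s favour.

```python
from dataclasses import dataclass

# Constructed, simplified share-based pool (not Bunni's contract): each LP
# share redeems a pro-rata slice of the balance, in EVM-style integer math.

@dataclass
class Pool:
    balance: int  # token units held by the pool
    shares: int   # LP shares outstanding

def withdraw(pool: Pool, shares_burned: int, round_up: bool) -> int:
    """Burn shares, pay the pro-rata token amount, return the payout."""
    numerator = shares_burned * pool.balance
    payout = numerator // pool.shares          # floor: dust stays in the pool
    if round_up and numerator % pool.shares:
        payout += 1                            # ceil: dust goes to the withdrawer
    pool.balance -= payout
    pool.shares -= shares_burned
    return payout

def value_per_share_non_decreasing(before: Pool, after: Pool) -> bool:
    """Solvency invariant: a withdrawal must never lower balance/shares for the
    LPs who stay. Cross-multiplied to avoid floating point."""
    return after.balance * before.shares >= before.balance * after.shares

def split_withdrawal(balance: int, shares: int, user_shares: int,
                     step: int, round_up: bool) -> tuple[int, int]:
    """Redeem user_shares in chunks of `step`; return (total paid out,
    number of chunks that broke the invariant)."""
    pool = Pool(balance, shares)
    paid = violations = 0
    remaining = user_shares
    while remaining > 0:
        chunk = min(step, remaining)
        before = Pool(pool.balance, pool.shares)
        paid += withdraw(pool, chunk, round_up)
        violations += int(not value_per_share_non_decreasing(before, pool))
        remaining -= chunk
    return paid, violations

if __name__ == "__main__":
    # 1.5 tokens per share; the withdrawer's 100 shares are worth 150 tokens.
    B, S, U = 1_500_000, 1_000_000, 100
    for round_up in (False, True):
        one_shot, _ = split_withdrawal(B, S, U, U, round_up)
        tiny, bad = split_withdrawal(B, S, U, 1, round_up)
        print(f"round_up={round_up}: one-shot={one_shot}, "
              f"100 x 1-share={tiny}, invariant violations={bad}")
```

With rounding up, one hundred one-share withdrawals pay out 200 tokens for shares worth 150 and every step lowers the value per share for the remaining LPs; with rounding down, the split withdrawal never pays more than the one-shot amount and the invariant holds on every step, which is the kind of property a regression test for this fix should assert.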
Despite the setback, Bunni remains committed to advancing its development efforts, with a focus on enhancing the codebase and testing frameworks to prevent similar attacks in the future. The protocol’s innovative concepts, such as Liquidity Density Functions (LDFs), are seen as a new generation of automated market makers by the team, who expressed their dedication to the project’s long-term success.
In a broader context, the Bunni exploit adds to a series of security incidents that have plagued the decentralized finance sector in recent months. August, in particular, marked a challenging period for crypto security, with $163 million lost to hacks and scams across various platforms. These incidents serve as a stark reminder of the ongoing vulnerabilities in the crypto industry, highlighting the importance of robust security measures and continuous vigilance to protect user funds and assets.