Bunni cites smart contract rounding error for $8.4 million flash loan exploit

The Block, 2025/09/03 16:00
By Danny Park

Quick Take: Bunni said the attacker launched a flash loan attack that exploited a rounding error in a smart contract. The lost $8.4 million has already been funneled through Tornado Cash, while Bunni is offering the attacker 10% of the stolen funds in exchange for returning the remainder.


Decentralized exchange Bunni published a post-mortem report on the exploit that resulted in $8.4 million in losses on Tuesday.

According to the report, the exploit affected two pools — the weETH/ETH pair on Unichain and the USDC/USDT pair on Ethereum mainnet.

Bunni identified the root cause as the rounding direction used by the smart contract when updating idle balances during withdrawals.

"The key to the exploit was the erroneous liquidity decrease resulting from the tiny withdrawals," the report said. "It stemmed from this line in [BunniHubLogic::withdraw()] that handles the pool's idle balance update."

The attacker exploited this error to launch a flash loan attack that manipulated pool prices and liquidity, Bunni added.

First, they borrowed 3 million USDT via a flash loan and performed multiple swaps to manipulate the price, reducing the available USDC to just 28 wei. The attacker then exploited rounding errors with 44 small withdrawals, further draining the USDC balance and disproportionately dropping the pool's total liquidity.

In the final step, the attacker executed a large swap to inflate the price tick and then performed a reverse swap at the manipulated price, the report said.

"To summarize, all of the rounding directions involved were safe in isolation, but when multiple operations are involved they led to an exploit," said Bunni, adding that it has updated the rounding code to fix the vulnerability.
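To make the "safe in isolation, unsafe in composition" point concrete, here is an added illustration that is not Bunni's code: a constructed pool model (`Pool`, `withdraw`, `drift` and `run_tiny_withdrawals` are all hypothetical) in which the payout rounds down but the idle-balance decrement rounds up. A single withdrawal only under-reports idle by one unit, which looks conservative, yet repeating the same tiny withdrawal drives the accounted idle balance to zero while nothing has actually left the pool, which is the kind of invariant drift a repeated-operation test catches and a single-step unit test does not.

```python
from fractions import Fraction
from math import ceil, floor

# Hypothetical pool model (constructed for illustration, not Bunni's code).
# Raw token units, e.g. wei: `balance` is what the pool really holds, `idle` is
# the pool's own accounting of the idle portion of that balance.
class Pool:
    def __init__(self, balance: int, idle: int, total_shares: int):
        self.balance = balance
        self.idle = idle
        self.total_shares = total_shares

def pro_rata(shares: int, total_shares: int, amount: int, round_up: bool) -> int:
    """shares/total_shares of `amount`, rounded in the requested direction."""
    q = Fraction(shares * amount, total_shares)
    return ceil(q) if round_up else floor(q)

def withdraw(pool: Pool, shares: int, idle_round_up: bool) -> int:
    """Burn `shares`. The payout rounds down (favours the pool); the idle-balance
    decrement rounds up in the weak variant and down in the corrected one."""
    out = pro_rata(shares, pool.total_shares, pool.balance, round_up=False)
    d_idle = pro_rata(shares, pool.total_shares, pool.idle, round_up=idle_round_up)
    pool.balance -= out
    pool.idle = max(pool.idle - d_idle, 0)
    pool.total_shares -= shares
    return out

def drift(pool: Pool) -> int:
    """Gap between real holdings and accounted idle balance; 0 when consistent."""
    return pool.balance - pool.idle

def run_tiny_withdrawals(n: int, idle_round_up: bool, balance: int = 28) -> tuple:
    """n withdrawals of 1 share each against a pool holding `balance` units
    (28 mirrors the 28 wei figure in the report). Returns
    (total paid out, final accounted idle, drift)."""
    pool = Pool(balance=balance, idle=balance, total_shares=10**18)
    paid = sum(withdraw(pool, 1, idle_round_up) for _ in range(n))
    return paid, pool.idle, drift(pool)

if __name__ == "__main__":
    for up in (True, False):
        label = "idle rounds up  " if up else "idle rounds down"
        print(label, run_tiny_withdrawals(44, up))
```

With the weak rounding, 44 one-share withdrawals pay out nothing yet leave the accounted idle balance at zero; with the corrected direction the accounting stays equal to real holdings.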

The platform has resumed withdrawals across all networks following fork testing by blockchain security firm Cyfrin, which confirmed their safety. However, deposits, swaps, and other functions remain paused.

"We are still exploring what fixes are needed to make Bunni secure again," the platform said. "Changing the rounding direction of idle balance updates stops the current exploit, but it’s unclear if this change will introduce new attack vectors."

The Bunni team said it traced the stolen funds to two wallets but could not identify the attacker as funds were funneled through crypto mixer Tornado Cash. Bunni is offering the attacker 10% of the funds as a bounty for returning the remainder, while also working with law enforcement and requesting centralized exchanges to freeze related accounts.

Looking ahead, Bunni said it will further develop its testing framework to fully restore the platform.
