Bunni Hit by $8.4M Flash-Loan Exploit — ‘Rounding Error’ Blamed
Bunni’s $8.4M “ghost-liquidity” drain: an attacker flash-borrowed 3M USDT to skew prices, then milked a rounding bug across 44 micro-withdrawals on Ethereum and Unichain.
Journalist
Hassan Shittu
Last updated:
9 hours ago
Decentralized finance protocol Bunni suffered an $8.4 million exploit on September 2, after an attacker used a flash loan to manipulate liquidity pools on both Ethereum and Unichain.
The incident, which targeted the weETH/ETH and USDC/USDT pools, has been attributed to a rounding flaw in the withdrawal logic of Bunni’s smart contracts.
According to Bunni’s post-mortem, the exploit was executed in three stages. The attacker first borrowed 3 million USDT via a flash loan and used it to push the USDC/USDT pool’s spot price to an extreme level.
With the pool’s active USDC balance reduced to just 28 wei (28 base units, or 0.000028 USDC, since USDC has six decimals), the exploiter made 44 small withdrawals. Each one tripped a rounding error in Bunni’s withdrawal code, and together they cut the pool’s liquidity by more than 84%, far out of proportion to the shares actually burned.
With liquidity artificially suppressed, the attacker then ran a sandwich attack: large swaps against the thinned pool moved the price to distorted values.
By reversing the earlier liquidity reduction, they extracted the profit and repaid the flash loan. In total, the exploit yielded approximately 1.33 million USDC and 1 million USDT for the attacker.
Blockchain security firm Cyfrin confirmed that the vulnerability stemmed from how Bunni’s smart contract rounded balances during withdrawals.
The rounding direction was chosen to favor pool safety by underestimating the pool’s liquidity, but once the active balance had been driven down to dust, repeated tiny withdrawals turned that same rounding into a lever: each withdrawal shaved off far more than its pro-rata share, and the loss compounded across the 44 calls.
Bunni noted that its largest pool, Unichain’s USDC/USD₮0 pair, was spared due to insufficient flash-loan liquidity available to mount an attack. Exploiting that pool would have required roughly $17 million in borrowed assets, but only $11 million was available across lending venues at the time.
Bunni confirmed that the stolen assets are now split across two wallets linked to the attacker. Investigators traced the origin of the funds but hit a dead end after discovering the wallets had been funded through Tornado Cash, the mixing service that was under U.S. sanctions from 2022 until March 2025.
The team has contacted the exploiter directly on-chain, offering a 10% bounty in exchange for returning the remaining funds. Centralized exchanges have also been notified to prevent any attempted off-ramps, while law enforcement has been engaged to pursue recovery options.
In the immediate aftermath, Bunni paused all operations but has since re-enabled withdrawals to allow liquidity providers to recover their deposits. Deposits and swaps remain frozen while developers work on a fix.
Flipping the rounding direction in the affected function closes this particular exploit vector, though the team acknowledged that more extensive testing and security improvements are needed before the protocol reopens fully.
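To make the rounding failure in the post-mortem (the 44 dust withdrawals against a 28-unit balance) and the rounding-direction fix above concrete, here is a constructed toy model written for this page. It is not Bunni’s code and not Cyfrin’s analysis: the pool structure (one active balance plus an LP share supply), the share supply of 10^18, the one-share withdrawal size and the “normal” balance of 10^12 units are all hypothetical. Only the starting balance of 28 base units is taken from the post-mortem; the toy does not reproduce the 84% figure, which depends on pool internals the article does not describe.

```python
import math
from dataclasses import dataclass
from fractions import Fraction

# Constructed toy model of the rounding failure mode described in the post-mortem.
# NOT Bunni's code: pool structure, share supply and balances are hypothetical,
# chosen so that the effect is visible with small integers.


def div_floor(a: int, b: int) -> int:
    """Floor division for non-negative integers (what Solidity's a / b does)."""
    return a // b


def div_ceil(a: int, b: int) -> int:
    """Ceiling division for non-negative integers."""
    return -(-a // b)


@dataclass
class ToyPool:
    balance: int              # active balance of one token, in base units
    total_shares: int         # LP shares outstanding
    round_remaining_up: bool  # False: vulnerable direction, True: fixed direction

    def withdraw(self, shares: int) -> int:
        """Burn `shares` and pay out the matching slice of `balance`.

        The remaining balance is balance * (T - shares) / T.  Rounding that
        quotient DOWN looks conservative (it never overstates what is left),
        but it hands up to one whole base unit to the withdrawer on every
        call.  At a balance of a few dozen units, one unit per call is a large
        fraction of the pool; flipping the direction keeps that unit inside.
        """
        if not 0 < shares <= self.total_shares:
            raise ValueError("bad share amount")
        remaining_shares = self.total_shares - shares
        numerator = self.balance * remaining_shares
        if self.round_remaining_up:
            new_balance = div_ceil(numerator, self.total_shares)   # fixed
        else:
            new_balance = div_floor(numerator, self.total_shares)  # vulnerable
        payout = self.balance - new_balance
        self.balance = new_balance
        self.total_shares = remaining_shares
        return payout

    def liquidity(self) -> int:
        # Toy assumption: the liquidity the AMM quotes is proportional to the
        # active balance, so whatever happens to `balance` happens to liquidity.
        return self.balance


def dust_withdrawal_attack(start_balance: int, total_shares: int,
                           n_withdrawals: int, shares_each: int,
                           round_remaining_up: bool) -> dict:
    """Run repeated tiny withdrawals and report what they cost the pool."""
    pool = ToyPool(start_balance, total_shares, round_remaining_up)
    paid_out = sum(pool.withdraw(shares_each) for _ in range(n_withdrawals))
    # Pro-rata payout under exact arithmetic (path-independent, so one formula).
    exact_payout = Fraction(start_balance * n_withdrawals * shares_each, total_shares)
    return {
        "final_balance": pool.balance,
        "paid_out": paid_out,
        "exact_payout": exact_payout,
        "liquidity_drop": Fraction(start_balance - pool.liquidity(), start_balance),
    }


def pool_never_overpays(result: dict) -> bool:
    """Invariant a withdrawal path should hold: never pay more than the
    pro-rata amount rounded down in the pool's favour."""
    return result["paid_out"] <= math.floor(result["exact_payout"])


if __name__ == "__main__":
    T = 10**18  # hypothetical share supply
    for label, balance, fixed in [("dust, vulnerable", 28, False),
                                  ("dust, fixed", 28, True),
                                  ("normal, vulnerable", 10**12, False)]:
        r = dust_withdrawal_attack(balance, T, 44, 1, fixed)
        print(f"{label:20s} paid={r['paid_out']} final={r['final_balance']} "
              f"drop={float(r['liquidity_drop']):.2%} ok={pool_never_overpays(r)}")
```

Two things fall out of the toy. First, the error per call is bounded by one base unit, so at a healthy balance (the 10^12 run) 44 calls lose 44 units and nobody notices; the attacker needed the flash-loan-driven swap to push the active balance down to dust before the same 44 calls could matter. Second, rounding the remaining balance up instead of down makes the pool keep the stranded unit, so the dust run pays out nothing and the invariant holds; that is the one-line direction change referred to above, and it closes this path only, which is why further testing is still needed before swaps and deposits reopen.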
Bunni, operated by a six-person team, said it remains committed to continuing development despite the setback. The protocol introduced novel concepts such as Liquidity...
https://cryptonews.com/news/bunni-hit-by-8-4m-flash-loan-exploit-rounding-error-blamed/