Decentralized Finance Protocol Bunni Suffers $8.4 Million Exploit
The decentralized finance protocol Bunni suffered an $8.4 million exploit on September 2, after a sophisticated attacker used a flash loan to manipulate liquidity pools on both Ethereum and Unichain. The incident, which targeted the WETH/ETH and USDC/USDT pools, was attributed to a flaw in the smart contract logic of Bunni, which contained rounding errors.
According to Bunni's post-mortem, the exploit was carried out in three phases. The attacker first borrowed $3 million via a flash loan to push the spot price of the USDC/USDT pool to an extreme level. With the pool's active USDC balance at only $28,000, the exploiter then made 44 small withdrawals, exploiting a rounding error in Bunni's code that disproportionately reduced the pool's liquidity by over 84%.
With liquidity artificially suppressed, the attacker carried out a sandwich attack, performing large swaps that pushed prices to distorted levels. By reversing the earlier liquidity reduction, they extracted the profit before repaying the flash loan. The exploit netted the attacker a total of around $1.33 million in USDC and $1 million in USD.
The blockchain security firm Cyfrin confirmed that the vulnerability stemmed from how Bunni's smart contract rounded balances during withdrawals. The mechanism was designed to round liquidity down in favor of pool safety, but repeated tiny withdrawals created conditions under which that rounding logic could be exploited at scale.
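To make the failure mode above concrete, here is a toy model, added as an illustration and not taken from Bunni's contracts or from Cyfrin's analysis. It assumes a simplified concentrated-liquidity pool whose recorded liquidity is derived from its active token balance through a hypothetical price-dependent `DENSITY` factor (all numbers are constructed), and it shows why rounding that is conservative per operation can still be unsafe when repeated: when an extreme price leaves the pool with only a handful of whole liquidity units, rounding each withdrawal's removed liquidity up strips a full unit per call, so 44 dust-sized withdrawals wipe out most of the recorded liquidity while the balance barely moves. The same block shows the effect of flipping the rounding direction, and an invariant check a protocol could run to detect the drift.

```python
"""
Toy model of how per-withdrawal rounding can erode a pool's recorded liquidity.
Constructed illustration for this article; it is NOT Bunni's contract code and
the numbers and the DENSITY factor are assumptions, not values from the incident.
"""

SCALE = 10**18  # fixed-point scale for the liquidity computation (assumed)

# Constructed scenario: ~28,000 USDC (6 decimals) in the active range, and a
# hypothetical "density" factor chosen so that the pool's liquidity comes out to
# just 50 whole units, the kind of regime an extreme spot price would create.
ACTIVE_BALANCE = 28_000 * 10**6
DENSITY = 56 * 10**25


def liquidity_from_balance(balance, density=DENSITY):
    """Liquidity implied by the current balance, rounded down (ground truth here)."""
    return balance * SCALE // density


def ceil_div(a, b):
    """Integer division rounding up, for positive operands."""
    return -(-a // b)


class ToyPool:
    """Tracks a balance and an incrementally updated liquidity figure."""

    def __init__(self, balance, density, round_removed_up):
        self.balance = balance
        self.density = density
        self.round_removed_up = round_removed_up
        self.liquidity = liquidity_from_balance(balance, density)

    def withdraw(self, amount):
        """Pay out `amount` and reduce recorded liquidity by the rounded share."""
        if not 0 < amount <= self.balance:
            raise ValueError("withdrawal amount out of range")
        self.balance -= amount
        scaled = amount * SCALE
        if self.round_removed_up:
            # Flawed variant: rounding removed liquidity UP looks conservative for
            # a single call, but every dust withdrawal costs a whole unit.
            removed = ceil_div(scaled, self.density)
        else:
            # Corrected variant: round the removed liquidity down instead.
            removed = scaled // self.density
        self.liquidity -= removed
        return removed

    def accounting_gap(self):
        """How far recorded liquidity lags the balance-implied liquidity."""
        return liquidity_from_balance(self.balance, self.density) - self.liquidity


def simulate(n_withdrawals, amount, round_removed_up):
    """Run n dust withdrawals and report the liquidity bookkeeping drift."""
    pool = ToyPool(ACTIVE_BALANCE, DENSITY, round_removed_up)
    before = pool.liquidity
    for _ in range(n_withdrawals):
        pool.withdraw(amount)
    after = pool.liquidity
    return {
        "liquidity_before": before,
        "liquidity_after": after,
        "reduction_pct": 100 * (before - after) // before,
        "true_liquidity": liquidity_from_balance(pool.balance, DENSITY),
        "balance_after": pool.balance,
        "gap": pool.accounting_gap(),
    }


def invariant_violated(result, max_gap=1):
    """Detection check: recorded liquidity may lag the balance-implied value by
    at most one rounding unit; anything larger signals accumulated drift."""
    return result["gap"] > max_gap


if __name__ == "__main__":
    for label, up in (("round-up (flawed)", True), ("round-down (fixed)", False)):
        r = simulate(44, 1, up)
        print(label, r, "violation:", invariant_violated(r))
```

Running the block with 44 withdrawals of a single base unit (one millionth of a USDC) shows the flawed variant dropping recorded liquidity from 50 to 6 units, an 88% reduction, while the corrected variant stays at 50; the `gap` check flags the former and passes the latter, which is the kind of invariant a protocol can assert in tests or monitor on-chain before a withdrawal path is exposed to flash-loan-scale repetition.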
Incident Aftermath and Response
Bunni noted that its largest pool, the USDC/USDT pair on Unichain, escaped the attack only because insufficient flash-loan liquidity was available. Exploiting that pool would have required around $17 million in borrowed assets, but only $11 million was available to borrow at the time.
Bunni confirmed that the stolen assets are now split across two wallets linked to the attacker. Investigators traced the origin of the funds but hit a dead end after determining that the wallets had been funded through Tornado Cash, a sanctioned privacy tool.
The team contacted the exploiter directly on-chain and offered a 10% bounty in exchange for the return of the remaining funds. Centralized exchanges were also notified so they could block withdrawals, and law enforcement was engaged to pursue recovery options.
In the immediate aftermath, Bunni paused all operations, but it has since re-enabled withdrawals so that liquidity providers can reclaim their deposits. Deposits and swaps remain frozen while developers work on a fix. Changing the rounding direction of the affected function neutralizes the current exploit vector, but the team wants more extensive testing and further safety improvements before fully reopening.
Bunni, run by a team of six, said it remains committed to continuing development despite the setback. The protocol introduced new concepts such as liquidity density functions (LDFs), which the team claims represent a new generation of automated market makers.
According to PeckShield, a blockchain security company, $163 million was stolen across 16 major attacks in August, up from $142 million in July. The losses made August the third-worst month for crypto security in 2025.
For more information, visit https://cryptonews.com/news/bunni-hit-by-8-4m-flash-loan-exploit-rounding-error-blamed/