Bunni cites smart contract rounding error for $8.4 million flash loan exploit

Decentralized exchange Bunni published a post-mortem report on the exploit that resulted in $8.4 million in losses on Tuesday. 

According to the report, the exploit affected two pools — the weETH/ETH pair on Unichain and the USDC/USDT pair on Ethereum mainnet. 

Bunni identified an issue with the rounding direction in the smart contract for updating idle balances during withdrawals as the root cause of the exploit. 

“The key to the exploit was the erroneous liquidity decrease resulting from the tiny withdrawals,” the report said. “It stemmed from this line in [BunniHubLogic::withdraw()] that handles the pool’s idle balance update.”

The attacker exploited this error to launch a flash loan attack that manipulated pool prices and liquidity, Bunni added.

First, they borrowed 3 million USDT via a flash loan and performed multiple swaps to manipulate the price, reducing the available USDC to just 28 wei. The attacker then exploited rounding errors with 44 small withdrawals, further draining the USDC balance and disproportionately dropping the pool’s total liquidity.

In the final step, the attacker executed a large swap to inflate the price tick and then performed a reverse swap at the manipulated price, the report said.

“To summarize, all of the rounding directions involved were safe in isolation, but when multiple operations are involved they led to an exploit,” said Bunni, adding that it has updated the rounding code to fix the vulnerability.
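The point about rounding directions that are safe alone but unsafe in combination can be reproduced in a small integer model. This is an added example, not code from Bunni or its post-mortem: the pool state, the withdrawal count and all function names are constructed assumptions, and only the 28 wei starting balance comes from the article.

```python
# Simplified model, NOT Bunni's contract code: the usable ("active") balance is
# total balance minus idle balance, and a withdrawal scales both by shares/supply.

def mul_div(a, b, d, round_up=False):
    """Integer a*b/d, rounded down by default, up on request."""
    q, r = divmod(a * b, d)
    return q + 1 if (round_up and r) else q

def withdraw(total, idle, supply, shares, idle_dec_rounds_up):
    """Burn `shares` and return the updated (total, idle, supply)."""
    paid_out = mul_div(total, shares, supply)  # rounds down: favours the pool
    idle_dec = mul_div(idle, shares, supply, idle_dec_rounds_up)
    return total - paid_out, idle - idle_dec, supply - shares

def run(n, idle_dec_rounds_up, total, idle, supply, shares=1):
    """Apply n tiny withdrawals; return (active balance, share supply)."""
    for _ in range(n):
        total, idle, supply = withdraw(total, idle, supply, shares,
                                       idle_dec_rounds_up)
    return total - idle, supply

def shrinks_faster_than_supply(active0, supply0, active1, supply1):
    """Invariant check: active1/active0 must not fall below supply1/supply0."""
    return active1 * supply0 < active0 * supply1

# Constructed pool state: 28 wei active (6_000_000 total - 5_999_972 idle).
POOL = dict(total=6_000_000, idle=5_999_972, supply=1_000_000)

if __name__ == "__main__":
    cases = (("idle decrease rounds down", False),
             ("idle decrease rounds up", True))
    for label, up in cases:
        active, supply = run(24, up, **POOL)
        bad = shrinks_faster_than_supply(28, POOL["supply"], active, supply)
        print(f"{label}: active={active} wei, supply={supply}, "
              f"invariant violated={bad}")
```

In this model, rounding the payout down and rounding the idle decrease down each favour the pool when considered alone, yet their difference removes 1 wei of active balance per withdrawal. An invariant of this kind can serve as a fuzz or fork-test assertion over sequences of operations rather than single calls.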

The platform has resumed withdrawals across all networks following fork testing by blockchain security firm Cyfrin, which confirmed their safety. However, deposits, swaps, and other functions remain paused.

“We are still exploring what fixes are needed to make Bunni secure again,” the platform said. “Changing the rounding direction of idle balance updates stops the current exploit, but it’s unclear if this change will introduce new attack vectors.”

The Bunni team said it traced the stolen funds to two wallets but could not identify the attacker as funds were funneled through crypto mixer Tornado Cash. Bunni is offering the attacker 10% of the funds as a bounty for returning the remainder, while also working with law enforcement and requesting centralized exchanges to freeze related accounts.

Looking ahead, Bunni said it will further develop its testing framework to fully restore the platform.

© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

 
