Bunni Reveals Smart Contract Rounding Flaw Behind $8.4M Flash Loan Exploit

Highlights:

• Bunni cites a rounding flaw in withdrawals as the cause of the $8.4M flash loan exploit.
• The attacker drained funds using 44 small withdrawals and price manipulation.
• Bunni offers a 10% bounty to recover the remaining stolen assets.

Decentralized exchange Bunni has identified the root cause of the recent flash loan exploit that saw its protocol lose $8.4 million. In a detailed post-mortem published on September 4, the team found that they had a bug in the logic of withdrawals in their smart contract. This vulnerability enabled an attacker to manipulate liquidity in two pools, the weETH/ETH pair on Unichain and the USDC/USDT pair on Ethereum, with the help of a flash loan.

According to Bunni, the exploit worked because of a rounding error that incorrectly adjusted pool balances during withdrawals. Although the contract was intended to round values conservatively, the strategy broke down under repeated small transactions. This created an opportunity for an attacker to siphon off the majority of the pools’ liquidity using very little capital.

🚨 Exploit Update: The Bunni team has completed analysis of the recent exploit. The details are available in this post mortem blog post (link in comment).

Withdrawals have been unpaused, so LPs are now free to withdraw their assets. All other operations remain paused.

— Bunni (@bunni_xyz) September 4, 2025

Flash Loan Exploit Rooted in Withdrawal Rounding Bug

Bunni said the attacker started by flash-borrowing a total of 3 million USDT. This was then used to drive up the spot price of the pool by using a series of swaps. These swaps reduced the USDC balance to only 28 wei, essentially destabilizing the liquidity at the pool. Once the pool was revealed, the attacker made 44 small withdrawals, each one taking advantage of the flawed rounding logic.

The contract logic assumed that the rounding down of active balances would protect the pool. However, the attacker used this in multiple transactions. These micro-withdrawals, although still consistent with healthy system levels, gradually decreased the amount of actual liquidity in the pool. The attacker then completed the attack by making a large swap to move prices up and then a reverse trade at the manipulated rate.

Bunni verified that this series of transactions enabled the attacker to repay the original loan while pocketing around $1.33 million in USDC and $1 million in USDT. The stolen funds were then funneled through Tornado Cash, which made them harder to trace. Although Bunni was able to trace the assets to two wallets, no further progress has been made in identifying the attacker.

Following the post-mortem release, the Bunni token price has seen a surge of 25%, pushing its price to $0.005352. Despite this latest surge, the token is down by 40% and 55% on the weekly and monthly charts, respectively.

Bunni’s Response and Fixes Moving Forward

In response, the rounding bug in the withdrawal logic was patched by Bunni quickly. The patch modified the way idle and active balances are computed for withdrawals. Blockchain security firm Cyfrin tested the update on all affected networks and proved it to be effective. Withdrawals have since been reactivated, but swaps and deposits are still on hold, with further analysis being done.

In order to recover the stolen funds, Bunni approached the attacker with a white-hat bounty offer. Under the proposal, the attacker would keep 10% of the funds, which is approximately $840,000, if the other funds are returned. At the same time, Bunni has alerted centralized exchanges and law enforcement to keep a lookout for any transfers of the stolen assets.

Interestingly, Bunni pointed out that in the attack, its largest pool on Unichain was not attacked. However, this was not the case because of superior security. The team explained that Unichain’s flash loan providers did not have enough liquidity to fund an exploit of that magnitude, which ended up protecting the pool.

The vulnerability was identified as a line of code in the function called BunniHubLogic::withdraw(). The team admitted that its testing framework was unable to detect the problem during audits. As a result, Bunni now aims to further expand its fuzz and invariant testing suite to make protocols more resilient.