
Anatomy of the Bunni DEX 8.4 Million Dollar Flash-Loan Exploit: How a Rounding Error Devastated a Uniswap v4 Protocol

The decentralized exchange ecosystem suffered a significant blow on September 4, 2025, as Bunni, a Uniswap v4-based DEX, fell victim to an $8.4 million flash-loan exploit. The attack targeted BunniHub, the platform’s core smart-contract infrastructure, exploiting a subtle rounding error in the protocol’s liquidity pool mathematics. Blockchain security firm CertiK traced the stolen funds to two Ethereum addresses within minutes of the breach, marking one of the most technically sophisticated DeFi exploits of the quarter.

The Exploit Mechanics

The attacker executed a carefully orchestrated three-step process that exposed a critical vulnerability in Bunni’s custom liquidity logic. First, the exploiter flash-borrowed 3 million USDT from a lending protocol, creating the capital necessary to manipulate pool pricing at scale. Flash loans, a DeFi primitive that allows borrowing without collateral as long as the funds are returned within the same transaction, have long been a double-edged sword: they enable complex arbitrage and liquidation strategies while also handing attackers risk-free capital for exploitation.

In the second phase, the attacker executed multiple swaps between USDT and USDC through Bunni’s liquidity pools, deliberately pushing the pools into a state where the rounding error in the withdrawal calculation became exploitable. The protocol’s custom liquidity distribution functions, which were designed to provide more granular control over concentrated liquidity positions, contained a mathematical flaw that failed to properly account for precision loss during large-volume operations.

The final phase involved conducting numerous small withdrawals before completing a sandwich attack that manipulated pool pricing back to favorable levels. Each small withdrawal harvested slightly more tokens than mathematically justified, with the cumulative effect across hundreds of transactions generating the $8.4 million in extracted value. The attacker then repaid the flash loan within the same atomic transaction, walking away with the net profit.

Affected Systems

The exploit affected BunniHub deployments on both Ethereum mainnet and Unichain, Bunni’s application-specific chain. All liquidity pools utilizing Bunni’s custom concentrated liquidity mathematics were vulnerable, though the attacker primarily targeted USDT/USDC stablecoin pools where the rounding error proved most profitable. Bitcoin traded at approximately $110,700 and Ethereum at $4,298 at the time of the attack, providing the broader market context in which this exploit unfolded.

CertiK’s on-chain analysis revealed that the attacker had been probing Bunni’s contracts for several days prior to the main exploit, executing small test transactions to validate the rounding error’s exploitability. This reconnaissance phase suggests a sophisticated actor with deep understanding of automated market maker mathematics and Solidity precision handling.

The Mitigation Strategy

Bunni’s immediate response was to pause all protocol operations while the team conducted a comprehensive post-mortem. However, the financial damage proved insurmountable. The team stated that relaunching would require six to seven figures in security audit costs alone, compounded by months of development work and business development efforts to restore operational capacity. These resource requirements exceeded their current capabilities.

The protocol sent an on-chain message to the attacker offering 10% of the stolen funds — approximately $840,000 — in exchange for returning the remaining $7.56 million. This standard white-hat negotiation tactic received no response from the responsible party. Law enforcement cooperation remains active as Bunni works to track the exploiter through conventional channels.

Lessons Learned

The Bunni exploit reinforces several critical security principles for DeFi protocols. Custom liquidity logic demands exhaustive testing, particularly around edge cases involving precision arithmetic and rounding behavior. Kadan Stadelmann, CTO of Komodo Platform, emphasized that flash loans create low-risk exploitation opportunities when protocols lack comprehensive security validation across all smart contract functions. Protocol developers must treat every mathematical operation as a potential attack surface, especially in concentrated liquidity implementations where small errors compound across large positions.
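To make the compounding described in the exploit mechanics and in the lesson above concrete, here is an added toy model in Python. It is constructed for this article and is not Bunni's, Uniswap v4's or any audited pool code. It assumes a simple share-based pool whose withdrawal pays `shares * reserve / total_shares` in integer arithmetic, and compares a version that rounds the payout up (in the caller's favour) against one that rounds down, under the many-small-withdrawals pattern. The pool size, share counts and the per-share-value invariant used as a defensive check are all constructed assumptions.

```python
"""Constructed toy model (not Bunni's or Uniswap v4's code) of a share-based
pool in integer arithmetic. It shows how a withdrawal formula that rounds in
the caller's favour leaks value under repeated small withdrawals, and how
rounding against the caller plus a per-share-value invariant closes the gap.
Amounts are whole token units of an assumed 6-decimal stablecoin."""

from dataclasses import dataclass


def div_floor(a: int, b: int) -> int:
    return a // b


def div_ceil(a: int, b: int) -> int:
    # Python's // floors, so negate twice to round up.
    return -(-a // b)


class InvariantViolation(Exception):
    """Raised when a withdrawal would lower the value backing each remaining share."""


@dataclass
class Pool:
    reserve: int                    # tokens held by the pool
    total_shares: int               # LP shares outstanding
    round_up: bool = False          # True reproduces the vulnerable behaviour
    check_invariant: bool = False   # True enables the defensive solvency check

    def withdraw(self, shares: int) -> int:
        if not 0 < shares <= self.total_shares:
            raise ValueError("invalid share amount")
        numerator = shares * self.reserve
        if self.round_up:
            payout = div_ceil(numerator, self.total_shares)   # bug: favours caller
        else:
            payout = div_floor(numerator, self.total_shares)  # safe: pool keeps the dust
        new_reserve = self.reserve - payout
        new_shares = self.total_shares - shares
        # Solvency invariant (constructed): value per remaining share must not drop,
        # i.e. new_reserve / new_shares >= reserve / total_shares, cross-multiplied.
        if self.check_invariant and new_reserve * self.total_shares < self.reserve * new_shares:
            raise InvariantViolation(f"withdrawing {shares} shares would pay {payout}")
        self.reserve, self.total_shares = new_reserve, new_shares
        return payout


def fair_value(pool: Pool, shares: int) -> int:
    """Exact (floored) pro-rata value of `shares` against the current pool."""
    return div_floor(shares * pool.reserve, pool.total_shares)


def drain(pool: Pool, shares_held: int, chunk: int) -> int:
    """Withdraw `shares_held` in pieces of `chunk` shares; return the total paid out."""
    paid = 0
    remaining = shares_held
    while remaining > 0:
        step = min(chunk, remaining)
        paid += pool.withdraw(step)
        remaining -= step
    return paid


def compare(reserve: int, total_shares: int, shares_held: int, chunk: int) -> dict:
    """Run the same withdrawal pattern against a round-up and a round-down pool."""
    fair = fair_value(Pool(reserve, total_shares), shares_held)
    vuln = Pool(reserve, total_shares, round_up=True)
    safe = Pool(reserve, total_shares, round_up=False)
    return {
        "fair": fair,
        "round_up_paid": drain(vuln, shares_held, chunk),
        "round_down_paid": drain(safe, shares_held, chunk),
    }


def invariant_blocks(reserve: int, total_shares: int, shares: int, round_up: bool) -> bool:
    """True if the solvency check rejects a single withdrawal under the given rounding."""
    pool = Pool(reserve, total_shares, round_up=round_up, check_invariant=True)
    try:
        pool.withdraw(shares)
    except InvariantViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed numbers: 10_000 tokens backing 3_000 shares; the caller holds 1_000.
    print(compare(10_000, 3_000, 1_000, chunk=1_000))  # one withdrawal
    print(compare(10_000, 3_000, 1_000, chunk=1))      # one share at a time
    print(invariant_blocks(10_000, 3_000, 1, round_up=True))
```

With the constructed numbers, a single round-up withdrawal overpays by one unit (3334 against a fair 3333), but the same shares withdrawn one at a time are paid 4000, a 20% overpayment, because every call rounds a fractional share value up to a whole unit. The round-down pool pays 3000 for the same pattern and keeps the dust, and the cross-multiplied invariant rejects the very first round-up withdrawal, which is the kind of per-operation check the lesson above argues for.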

The incident also highlights the growing sophistication of DeFi attackers. The multi-day reconnaissance, the precise calibration of swap volumes to trigger the rounding error, and the systematic withdrawal strategy all point to an actor with institutional-grade capabilities. With over $2 billion stolen from digital asset platforms in 2025 according to Elliptic data, the threat landscape continues to intensify.

User Action Required

Users who held positions in Bunni pools should immediately check their wallet balances and claim any remaining withdrawable assets through the platform’s website, which remains operational for withdrawals. Remaining protocol treasury funds will be distributed to BUNNI, LIT, and veBUNNI token holders through a snapshot mechanism, with team members excluded from the payout structure pending compliance verification. In a positive development for the broader ecosystem, Bunni has relicensed its v2 smart contracts from BUSL to MIT licensing, allowing developers to learn from and build upon the protocol’s innovations in liquidity distribution functions, surge fees, and automated rebalancing.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.


9 thoughts on “Anatomy of the Bunni DEX 8.4 Million Dollar Flash-Loan Exploit: How a Rounding Error Devastated a Uniswap v4 Protocol”

  1. 3M USDT flash borrowed and the protocol had no circuit breaker for pool manipulation. basic rate limiting would have caught this instantly

  2. @DeFi_Architect_ETH

    The rounding error exploit on Bunni DEX is honestly a masterclass in how small vulnerabilities can lead to massive losses in DeFi. 8.4 million dollars is a staggering amount for what essentially boils down to a decimal point oversight in the Uniswap v4 hook logic. It really highlights why the complexity of these new protocol architectures requires even more intensive formal verification than we’ve seen in previous cycles. Devs really need to be careful with their math!

    1. decimal point oversight is generous. this was a known class of vulnerability in concentrated liquidity math. uniswap v4 hooks add complexity but the fundamental issue is the same

      1. Priya Mehta concentrated liquidity rounding errors are a known class. uniswap v4 hooks multiply the attack surface because custom logic can introduce its own precision loss on top

        1. exactly this. v4 hooks let devs write custom math that auditors barely understand. attack surface grows with every new hook deployment

  3. crypto_skeptic_mike

    Yet another flash-loan exploit, and this time it hits Bunni. It’s getting harder to justify the risks of yield farming when these rounding errors can just drain everything in a single transaction. I appreciate the deep dive into the ‘anatomy’ of the hack, but it’s still pretty scary to see how easily these things happen. Skepticism is definitely my default state right now until we see better security standards across the board.

    1. you're not wrong to be skeptical but flash loans are a feature not a bug. the problem is protocols not accounting for them in their math. blame the devs not the tool

  4. Elena "Staking" Rossi

    I’ve been following the Bunni project for a while, so seeing this 8.4 million dollar hit is super disappointing. This article does a great job explaining the technical side of the flash-loan mechanism and how it interacted with that specific rounding error. As someone still learning the ropes of smart contract security, this is a huge eye-opener on the importance of testing for every possible edge case. I hope the protocol can find a way to pivot and recover from this blow.

  5. flash borrowed 3M USDT then pushed pools into an exploitable state through swaps. the attacker understood the math better than the auditors. 8.4M for a rounding error
