Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    Strategy's Cash Reserve Shift Reveals Weaknesses in Leveraged Bitcoin Balance Sheet_
    Strategy’s Cash Reserve Shift Reveals Weaknesses in Leveraged Bitcoin Balance Sheet
    After Securing MiCA License, OKX Says Banking License Is Not a Priority
    After Securing MiCA License, OKX Says Banking License Is Not a Priority
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    Michael Saylor’s Strategy
    Why Michael Saylor’s Strategy Is Selling Bitcoin After Years of Buying
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
  • Opinion
    OpinionShow More
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
DeFi News

Bunni Reveals Code Flaw Behind $8.4 Million Exploit

The attacker exploited the rounding flaw with 44 small withdrawals, draining over 84% of the pool’s liquidity instead of evenly reducing balances.

Written By Dishita Malvania
Fact Checked by Dhara Chavda
Published 2025-09-05·Updated 10 months ago
Make The Crypto Times preferred on GoogleGoogle
Share
Bunni Reveals Code Flaw Behind $8.4 Million Exploit

Decentralized exchange Bunni says a rounding bug in its smart contract was to blame for the $8.4 million exploit that struck earlier this week. In a post-mortem released on September 4, the team detailed how the attacker exploited the flaw to manipulate two liquidity pools and siphon off millions through a flash loan attack.

The exploit hit two pools: the weETH/ETH pair on Unichain and the USDC/USDT pair on Ethereum. 

How the Exploit Unfolded?

The attacker first flash-borrowed 3 million USDT, then carried out a series of swaps to push the pool’s spot price to an extreme level. This maneuver left the pool with only 28 wei of USDC in its active balance.

The real damage came next. The attacker carried out 44 tiny withdrawals, each one taking advantage of the contract’s rounding flaw. The assumption behind the design was that rounding would always go in a “safe” direction, rounding up the idle balance and rounding down the active one.

That logic may work for a single operation, but when repeated across multiple operations, it breaks down. By chaining withdrawals together, the attacker turned this “safe” rounding into a loophole, draining the pool’s active funds far beyond what was expected, wiping out more than 84% of its liquidity.

With the pool left exposed, the attacker made a big swap to push prices up, then quickly reversed the trade at the distorted rate to secure a large profit. Once the dust settled, the attacker walked away with roughly 1.33 million USDC and 1 million USDT, even after paying back the flash loan.

Why Some Pools Escaped?

Bunni noted that its largest pool, Unichain’s USDC/USD₮0, was left untouched, not because it was safer, but because the attacker couldn’t get the flashloan needed. According to Bunni, flash loan venues on Unichain didn’t have enough liquidity to push prices as required. In short, luck spared the pool.

The Flaw in the Code

The heart of the issue was a single assumption in Bunni’s withdrawal logic. Developers believed rounding balances down would protect the pool by making swaps more costly for traders. But when exploited repeatedly through tiny withdrawals, the opposite happened. Liquidity was understated to a dangerous degree, creating the opening for manipulation.

Bunni has since tested a fix by changing the rounding method, which neutralizes this specific attack. But the team admitted the incident exposed a gap in their testing framework and vowed to expand fuzz and invariant testing before resuming normal operations.

Next Steps and Recovery Efforts

The stolen funds are now sitting in two wallets tied to the attacker. Tracing efforts stalled after the funds were funneled through Tornado Cash, but Bunni said it has contacted the attacker with a proposal: return 90% of the stolen money and keep 10% as a “white-hat” reward. The team has also alerted centralized exchanges and engaged law enforcement.

Withdrawals have been reopened so liquidity providers can retrieve their assets, but deposits and swaps remain paused.

Despite the setback, Bunni’s six-person team insisted it would keep building. “We spent years of our lives and millions of dollars to launch Bunni, because we firmly believe it is the future of AMMs,” the team said in its closing note. “Regardless of what happens, we will continue to build Bunni and invent the future of DeFi.”

Also Read: Venus Recovers $13M After Phishing Attack Disrupts Protocol

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:Decentralized Exchange
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

Will Bitcoin Jump 10% Today as U.S. CPI Data Looms
Will Bitcoin Price Jump 10% Today as U.S. CPI Data Looms?
Ripple Launches UDAX Accelerator in Brazil for XRP Ledger Startups
Ripple Launches UDAX Accelerator in Brazil for XRP Ledger Startups
Strategy's Cash Reserve Shift Reveals Weaknesses in Leveraged Bitcoin Balance Sheet_
Strategy’s Cash Reserve Shift Reveals Weaknesses in Leveraged Bitcoin Balance Sheet
78 Bank Groups Pressure Senate on CLARITY Act Section 404 Stablecoin Yields
78 Bank Groups Pressure Senate on CLARITY Act Section 404 Stablecoin Yields
Trump’s Thursday Primetime Speech Iran Escalation Puts Crypto on Alert 
Trump’s Thursday Primetime Address: Iran Escalation Puts Crypto on High Alert

Find Us on Socials

You may also like

Lumi Finance Drained of $270K on Arbitrum via Smart Account Exploit

Lumi Finance Drained of $270K on Arbitrum via Smart Account Exploit

Aave Picks Chainlink CCIP to Power Upcoming Multi-Chain App

Aave Picks Chainlink CCIP to Power Upcoming Multi-Chain App

BonkDAO Updates Community After $20M Treasury Governance Incident

BonkDAO Updates Community After $20M Treasury Governance Incident

PHX-WBNB Liquidity Pool Drained of Nearly $90K in BNB Chain Exploit

PHX-WBNB Liquidity Pool Drained of Nearly $90K in BNB Chain Exploit

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information