Bunni smart contract rounding error leads to $8.4 million flash loan attack! Details revealed, vulnerability patched.

The decentralized trading platform Bunni has published the results of its investigation into a major security incident: attackers exploited a rounding-direction error in its smart contracts to carry out a flash loan attack, draining $8.4 million in funds. The stolen funds have already been passed through Tornado Cash, making them harder to trace. Bunni has offered the attacker a "white hat bounty": they may keep 10% of the funds in exchange for returning the rest.

Incident Overview: Two Major Pools Affected

According to Bunni's post-mortem report, the vulnerability affected:

weETH/ETH trading pool on Unichain

USDC/USDT trading pool on the Ethereum mainnet

The vulnerability originates from the incorrect rounding direction used when the BunniHubLogic::withdraw() function updates the pool's idle balance. Taken on its own, each rounding step is safe, but when many such operations are compounded the accumulated error gives an attacker an opening.

Attack Method Breakdown: 44 Small Withdrawals Exhaust Liquidity

The Bunni report reconstructed the attack as follows:

Flash loan: The attacker borrowed 3 million USDT via a flash loan.

Price manipulation: A series of swaps pushed the pool's USDC liquidity down to just 28 wei.

Exploiting the rounding error: 44 consecutive small withdrawals reduced the USDC balance further, sharply cutting the pool's liquidity.

Arbitrage: Finally, a large swap pushed the price up, and the reverse trade at the manipulated price extracted a large profit.

Causes of Vulnerability: Implicit Risks of Rounding Direction

Bunni pointed out that the issue lies in the rounding direction used when updating the idle balance during withdrawals. Although a single calculation is not wrong on its own, the error is magnified when many operations are compounded, ultimately creating an exploitable attack surface.

Bunni stated: "All rounding directions are safe in individual cases, but can lead to vulnerabilities when multiple operations are combined."

Response Measures and Platform Status

Vulnerability fix: The rounding logic has been updated to prevent similar attacks.

Security verification: Blockchain security firm Cyfrin conducted fork testing to confirm that the patched code is secure.

Function recovery: Withdrawals have been reopened on all networks, but deposits and swaps remain suspended.

Tracking and collaboration: Bunni is working with law enforcement agencies and centralized exchanges to attempt to freeze the related funds.

Fund Tracking and Bounty

Bunni has identified two wallet addresses linked to the attack, but because the funds were mixed through Tornado Cash, the attacker's identity is difficult to confirm. The platform has offered the attacker a 10% white hat bounty in exchange for the return of the remaining funds.

Future Defense and Testing Framework Upgrade

Bunni said its testing framework will be comprehensively upgraded to better simulate complex multi-step scenarios, so that similar vulnerabilities do not recur. Although correcting the rounding direction stops the current attack, the team is still assessing whether the change introduces any new risks.
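To make the rounding-direction issue and the kind of multi-step test Bunni describes concrete, the following is an added example, not Bunni's code and not taken from its report. It is a simplified Python model of a share-based pool: the pool, the names (Pool, withdraw, mul_div_up, mul_div_down, value_per_share_never_drops, run_small_withdrawals) and the 10**18 initial share supply are constructed assumptions; the 28 wei balance and 44 withdrawals are the figures from the article. The model runs the same sequence of small withdrawals under both rounding directions and checks the one invariant a property or fork test should assert after every withdrawal: the remaining liquidity providers must never be diluted.

```python
"""
Simplified model of pro-rata withdrawals from a share-based pool, written to
illustrate why the rounding direction of an idle-balance update matters.
This is NOT Bunni's code; the pool, share amounts and names are constructed.
"""
from dataclasses import dataclass

INITIAL_SHARES = 10**18  # constructed: shares outstanding in the example pool


def mul_div_down(a: int, b: int, d: int) -> int:
    """a*b/d rounded towards zero, the way Solidity's uint256 division behaves."""
    return (a * b) // d


def mul_div_up(a: int, b: int, d: int) -> int:
    """a*b/d rounded up. Used here to model rounding in the withdrawer's favour."""
    return -((-a * b) // d)


@dataclass
class Pool:
    idle_balance: int   # tokens held by the pool, in wei
    total_shares: int   # LP shares outstanding

    def withdraw(self, shares: int, round_up: bool) -> int:
        """Burn `shares` and pay out the pro-rata portion of idle_balance.

        round_up=True models the defective direction: the payout, and therefore
        the idle-balance decrement, is rounded in the withdrawer's favour.
        round_up=False rounds in the pool's favour, which is the safe direction.
        """
        if shares <= 0 or shares > self.total_shares:
            raise ValueError("invalid share amount")
        if round_up:
            amount = mul_div_up(shares, self.idle_balance, self.total_shares)
        else:
            amount = mul_div_down(shares, self.idle_balance, self.total_shares)
        amount = min(amount, self.idle_balance)  # mirrors a uint256 underflow guard
        self.idle_balance -= amount
        self.total_shares -= shares
        return amount


def value_per_share_never_drops(before: Pool, after: Pool) -> bool:
    """Invariant to assert after every withdrawal in a property/fork test:
    balance per share must not decrease, otherwise remaining LPs are diluted.
    Compared by cross-multiplication so the check itself involves no rounding."""
    if after.total_shares == 0:
        return True
    return (after.idle_balance * before.total_shares
            >= before.idle_balance * after.total_shares)


def run_small_withdrawals(idle_balance: int, total_shares: int,
                          n: int, shares_each: int, round_up: bool):
    """Apply n withdrawals of `shares_each` shares.

    Returns (final_idle_balance, total_paid_out, invariant_held_throughout).
    """
    pool = Pool(idle_balance, total_shares)
    paid = 0
    held = True
    for _ in range(n):
        before = Pool(pool.idle_balance, pool.total_shares)
        paid += pool.withdraw(shares_each, round_up)
        held = held and value_per_share_never_drops(before, pool)
    return pool.idle_balance, paid, held


if __name__ == "__main__":
    # Constructed scenario: a pool whose balance has been driven down to 28 wei,
    # followed by 44 withdrawals of a single share each.
    for direction in (True, False):
        final, paid, ok = run_small_withdrawals(28, INITIAL_SHARES, 44, 1, direction)
        label = "round up (defective)" if direction else "round down (safe)"
        print(f"{label}: final balance={final} wei, paid out={paid} wei, "
              f"invariant held={ok}")
```

With rounding in the withdrawer's favour, each one-share withdrawal is entitled to a tiny fraction of a wei but is paid a full wei, so 28 withdrawals empty the pool while the share supply is essentially unchanged, and the invariant fails on the very first step. With rounding in the pool's favour the same sequence pays out nothing and the invariant holds throughout. A test that only exercised a single withdrawal at a healthy balance would see identical results for both directions, which is exactly why a test framework needs to drive the pool into extreme states and chain many operations.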

Conclusion

This incident shows that even subtle errors in the mathematical logic of a smart contract can lead to massive losses. For DeFi projects, security audits must not only check the correctness of individual functions but also examine how multi-step operations interact. Bunni's rapid response and transparent disclosure provide a valuable case study for the industry, and at the same time remind every protocol developer that in decentralized finance, the details decide everything.
