A quiet Tuesday morning in decentralized finance turned into anything but for Bunni, a platform many users trusted, when $8.4 million vanished. It was not a grand, brute-force attack but something far more subtle: a flaw hiding in plain sight.
- Bunni experienced an $8.4 million loss due to a smart contract rounding error, not a direct hack. This subtle flaw in how the system updated “idle balances” during withdrawals was exploited.
- An attacker used a flash loan to manipulate asset prices within a liquidity pool, then executed numerous small withdrawals that exploited the rounding error. This caused a disproportionate drop in liquidity, allowing for a profitable final swap.
- Bunni has fixed the rounding code and resumed withdrawals after security testing, but other functions remain paused as they assess potential new vulnerabilities. The stolen funds were traced to Tornado Cash, and Bunni is offering a bounty for their return while also engaging law enforcement.
The culprit, Bunni's post-mortem report revealed, was a smart contract rounding error. Solidity arithmetic has no fractions: every division truncates, so a developer must pick a rounding direction (up or down) for each calculation. Individually those choices lose at most one base unit, but when many such operations are chained, and when the amounts involved are themselves only a few units, the errors stop being negligible.
This particular error surfaced during withdrawals. It affected how the system updated “idle balances” within its liquidity pools (those shared pots of tokens where traders swap assets). A small rounding choice, seemingly harmless, became the key.
Bunni’s report put it plainly: “The key to the exploit was the erroneous liquidity decrease resulting from the tiny withdrawals.” A specific line of code in BunniHubLogic::withdraw() was identified as the weak link.
The attacker, with a keen eye for such vulnerabilities, launched a flash loan attack. This is a clever maneuver where a large sum of crypto is borrowed and repaid within a single blockchain transaction, all without needing collateral.
First, they borrowed 3 million USDT. With this substantial sum, they began manipulating the market. Multiple swaps were executed, designed to distort the price of assets within one of Bunni’s pools.
This initial manipulation drove the available USDC in the affected pool down dramatically, leaving a balance of just 28 wei (here meaning 28 of the token's smallest indivisible units, a negligible fraction of a cent). With the reserve that small, a one-unit rounding error is no longer insignificant relative to the balance, which set the stage for the next phase.
Then came the truly ingenious part: 44 small withdrawals. Each removed a trivial amount of tokens, but because of the rounding in the idle-balance update, each one reduced the pool's recorded liquidity by far more than the value actually leaving it. Repeated 44 times, this caused a disproportionate drop in the pool's total liquidity.
With the pool's recorded liquidity artificially low, a swap moves the price far more than it should. The attacker made a large final swap, which inflated the price tick and created an artificial peak, then performed a reverse swap at this manipulated, inflated price.
The difference between the true market price and the manipulated price became the attacker’s profit. It was a calculated, multi-step process that leveraged a seemingly insignificant mathematical quirk.
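The interaction the post-mortem describes, as an added, constructed Python model that is not Bunni's code and does not reproduce the exact line in BunniHubLogic::withdraw(): a share-based pool keeps a separate "idle" tracker of its reserve, pays out withdrawals rounding down (safe alone), and decrements the tracker rounding up (also safe alone, since the tracker never overstates the reserve). The pool size, share counts and the 28-unit starting balance are assumptions chosen to mirror the figures in the article. The example stops at the accounting drift; it does not model the tick math of the final swaps.

```python
"""Constructed model of rounding directions that are each conservative in
isolation but unsafe in combination. NOT Bunni's code; the pool parameters
below are assumptions. All quantities are integers in token base units,
as they would be in Solidity."""
import random


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up; a >= 0, b > 0 (no floats in Solidity)."""
    return -(-a // b)


class ToyPool:
    """Share-based pool that keeps a separate 'idle' tracker of its reserve."""

    def __init__(self, balance: int, total_shares: int, fixed: bool = False) -> None:
        self.balance = balance          # tokens actually held: ground truth
        self.idle = balance             # tracker that pricing code would read
        self.total_shares = total_shares
        self.fixed = fixed              # True = use the corrected update

    def withdraw(self, shares: int) -> int:
        if not 0 < shares <= self.total_shares:
            raise ValueError("bad share amount")
        # Rounding 1: payout rounds DOWN, so the pool never over-pays.
        # Conservative, and safe on its own.
        out = shares * self.balance // self.total_shares
        if self.fixed:
            # Corrected: the tracker moves by exactly what left the pool,
            # so there is one rounding decision, not two.
            dec = out
        else:
            # Rounding 2: tracker decrement rounds UP, so the tracker never
            # overstates the reserve. Also conservative on its own, but it
            # can exceed `out` by one unit on every call however tiny the
            # withdrawal. The error is per operation, not per token.
            dec = ceil_div(shares * self.idle, self.total_shares)
        self.balance -= out
        self.idle = max(self.idle - dec, 0)
        self.total_shares -= shares
        return out


def simulate_tiny_withdrawals(n: int, balance: int = 28,
                              total_shares: int = 10**6,
                              fixed: bool = False) -> tuple[int, int]:
    """Run n one-share withdrawals; return (true balance, recorded idle)."""
    pool = ToyPool(balance, total_shares, fixed)
    for _ in range(n):
        pool.withdraw(1)
    return pool.balance, pool.idle


def invariant_holds(fixed: bool, seed: int = 0, rounds: int = 200) -> bool:
    """Invariant a test suite should enforce: recorded idle == true balance
    after any sequence of withdrawals. Random small withdrawals, fixed seed."""
    rng = random.Random(seed)
    pool = ToyPool(balance=28, total_shares=10**6, fixed=fixed)
    for _ in range(rounds):
        pool.withdraw(rng.randint(1, 1000))
        if pool.idle != pool.balance:
            return False
    return True


if __name__ == "__main__":
    print("buggy, 44 x 1 share:", simulate_tiny_withdrawals(44))
    print("fixed, 44 x 1 share:", simulate_tiny_withdrawals(44, fixed=True))
    print("invariant (buggy):", invariant_holds(fixed=False))
    print("invariant (fixed):", invariant_holds(fixed=True))
```

With the buggy update, 44 one-share withdrawals pay out nothing at all (the pool still holds its 28 units) yet drive the recorded idle balance to zero; with the corrected update the tracker stays at 28. The `invariant_holds` check is the kind of property a fuzz or invariant test would enforce: it fails on the first withdrawal for the buggy pool and holds for the fixed one. Two cheap defenses follow from the model: derive every secondary accounting update from the amount actually transferred rather than re-rounding it, and reject withdrawals that would pay out zero tokens.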
Bunni reflected on the incident, stating, "To summarize, all of the rounding directions involved were safe in isolation, but when multiple operations are involved they led to an exploit." It highlights how composing individually correct operations can create weaknesses that no single operation reveals.
The platform acted swiftly. They updated the rounding code, aiming to fix the vulnerability. It’s a bit like patching a small hole in a very large, intricate ship.
Following fork testing by blockchain security firm Cyfrin (running the patched contracts against a copy of live chain state), Bunni has cautiously resumed withdrawals across all its networks. This step offers some relief to users who needed access to their funds.
However, other core functions remain paused. Deposits, swaps, and other operations are still offline. Bunni is taking its time, understanding the full scope of the problem before a complete reopening.
“We are still exploring what fixes are needed to make Bunni secure again,” the platform admitted. There’s a genuine concern that changing one part of the code might inadvertently introduce new attack vectors.
The hunt for the stolen funds began immediately. Bunni’s team traced the assets to two specific wallets. But the trail, as it often does in these cases, led to Tornado Cash, a crypto mixer.
Tornado Cash makes it incredibly difficult to follow the money, obscuring the path of funds and protecting the identity of those who use it. This is a familiar roadblock for investigators in the crypto space.
Bunni is pursuing a dual strategy. They’ve offered the attacker a 10% bounty if the remaining funds are returned. It’s a pragmatic approach, sometimes effective in recovering assets.
At the same time, they are working with law enforcement agencies. They have also requested that centralized exchanges freeze any accounts linked to the stolen funds, hoping to block further movement.
Looking ahead, Bunni plans to further develop its testing framework. This incident serves as a stark reminder that even the smallest lines of code in decentralized finance carry immense weight and responsibility.
The episode underscores a critical lesson for the entire DeFi ecosystem. The interaction of multiple, individually safe operations can sometimes create an unforeseen vulnerability. It’s a constant, high-stakes game of digital chess.