Bunni Exposes Critical Code Flaw Behind $8.4 Million Crypto Exploit
Another day, another DeFi hack—but this time with a twist. Bunni just pulled back the curtain on the exact coding vulnerability that let attackers walk away with $8.4 million. No jargon, no spin—just the raw breakdown of how it happened.
How the exploit unfolded:
The weakness wasn’t in some obscure, overlooked function. It was right in the core logic. A misconfigured fee mechanism allowed the attacker to repeatedly drain liquidity without triggering standard safeguards. Think of it as a revolving door for digital cash—only one person knew how to spin it.
Why this matters beyond the $8.4 million:
Smart contract risk remains the elephant in the room—especially when projects race to launch without sufficient audits. It’s almost like some teams treat security like a regulatory checkbox rather than a foundational feature. And in crypto, where “move fast and break things” can mean “move fast and lose millions,” that attitude is… expensive.
Bunni’s response? Full transparency. They’ve detailed the flaw, patched it, and are working with exchanges and white-hat communities to prevent replay attacks. No sugarcoating, no corporate fluff—just a public post-mortem and a sharper focus on hardening their system.
So next time someone tells you “code is law,” maybe ask: “Yeah, but who’s reading the fine print?”
How the Exploit Unfolded
The attacker first flash-borrowed 3 million USDT, then carried out a series of swaps to push the pool’s spot price to an extreme level. This maneuver left the pool with only 28 wei of USDC in its active balance.
The real damage came next. The attacker carried out 44 tiny withdrawals, each one taking advantage of the contract’s rounding flaw. The assumption behind the design was that rounding would always go in a “safe” direction, rounding up the idle balance and rounding down the active one.
That logic may work for a single operation, but when repeated across multiple operations, it breaks down. By chaining withdrawals together, the attacker turned this “safe” rounding into a loophole, draining the pool’s active funds far beyond what was expected, wiping out more than 84% of its liquidity.
With the pool left exposed, the attacker made a big swap to push prices up, then quickly reversed the trade at the distorted rate to secure a large profit. Once the dust settled, the attacker walked away with roughly 1.33 million USDC and 1 million USDT, even after paying back the flash loan.
Why Some Pools Escaped
Bunni noted that its largest pool, Unichain’s USDC/USD₮0, was left untouched, not because it was safer, but because the attacker couldn’t get the firepower needed. According to Bunni, flash loan venues on Unichain didn’t have enough liquidity to push prices as required. In short, luck spared the pool.
The Flaw in the Code
The heart of the issue was a single assumption in Bunni’s withdrawal logic. Developers believed rounding balances down would protect the pool by making swaps more costly for traders. But when exploited repeatedly through tiny withdrawals, the opposite happened. Liquidity was understated to a dangerous degree, creating the opening for manipulation.
Bunni has since tested a fix by changing the rounding method, which neutralizes this specific attack. But the team admitted the incident exposed a gap in their testing framework and vowed to expand fuzz and invariant testing before resuming normal operations.
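The rounding flaw described above, and the invariant testing the team says it will expand, can be illustrated with a small model. The following is an added example, not Bunni's code: it is a deliberately simplified pool with an "active" and an "idle" balance, two withdrawal routines that differ only in what they round, and an invariant check that compares the integer bookkeeping against exact rational arithmetic. The 28 wei active balance and 44 withdrawals echo the numbers in the article; the idle balance, the 1e-9 share and the fuzz ranges are constructed, and the "amount-rounded" routine is an illustrative alternative rounding, not necessarily the fix Bunni shipped.

```python
from fractions import Fraction
import random


def withdraw_balance_rounded(active, idle, num, den):
    """One withdrawal of share num/den that rounds the REMAINING balances:
    remaining active rounded down, remaining idle rounded up.  This models
    the per-operation "safe direction" assumption described in the article;
    it is a simplified illustration, not Bunni's code.
    Returns (new_active, new_idle, paid_out)."""
    keep = den - num
    new_active = (active * keep) // den          # floor
    new_idle = -((-idle * keep) // den)          # ceil
    paid = (active + idle) - (new_active + new_idle)
    return new_active, new_idle, paid


def withdraw_amount_rounded(active, idle, num, den):
    """Alternative rounding (an illustrative fix, not necessarily the one
    Bunni shipped): round the amount LEAVING each balance down and derive
    the remaining balance by subtraction.  The pool then never pays more
    than the exact pro-rata share, and its tracked active balance never
    drops below the exact one."""
    out_active = (active * num) // den
    out_idle = (idle * num) // den
    return active - out_active, idle - out_idle, out_active + out_idle


def run(step, active, idle, num, den, n):
    """Apply n identical withdrawals of share num/den using `step`, tracking
    the exact rational active balance alongside the integer one.  Reports
    whether the invariant "tracked active >= floor(exact active)" held after
    every step, i.e. whether the pool's active liquidity was ever understated."""
    exact_active = Fraction(active)
    held = True
    for _ in range(n):
        active, idle, _paid = step(active, idle, num, den)
        exact_active *= Fraction(den - num, den)
        if active < int(exact_active):       # int() floors a non-negative Fraction
            held = False
    return {"tracked_active": active,
            "exact_active": int(exact_active),
            "invariant_held": held}


def fuzz(step, trials=200, seed=1):
    """Invariant-style fuzzing over random pool sizes, shares and chain
    lengths (all constructed ranges).  Returns the number of trials in
    which the invariant was violated."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        active = rng.randint(1, 10**6)
        idle = rng.randint(1, 10**12)
        den = rng.randint(2, 10**9)
        num = rng.randint(1, den - 1)
        n = rng.randint(1, 50)
        if not run(step, active, idle, num, den, n)["invariant_held"]:
            failures += 1
    return failures


if __name__ == "__main__":
    # Constructed scenario echoing the article: 28 wei of active balance, a
    # large idle balance, and 44 withdrawals of a negligible 1e-9 share.
    for name, step in (("balance-rounded", withdraw_balance_rounded),
                       ("amount-rounded", withdraw_amount_rounded)):
        r = run(step, active=28, idle=10**12, num=1, den=10**9, n=44)
        print(f"{name:16} tracked={r['tracked_active']:3} "
              f"exact={r['exact_active']:3} invariant_held={r['invariant_held']}")
    print("fuzz violations, balance-rounded:", fuzz(withdraw_balance_rounded))
    print("fuzz violations, amount-rounded: ", fuzz(withdraw_amount_rounded))
```

The point the model makes is the one in the article: with balance rounding, each withdrawal knocks a full wei off the active balance no matter how small the share, so 28 wei of active liquidity is gone after 28 withdrawals while the exact balance has barely moved. A unit test on a single withdrawal passes in both variants; only an invariant that is checked across a chain of operations (here, "tracked active is never below the exact active balance") separates the two, which is why the fuzz harness drives random sequences rather than single calls.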
Next Steps and Recovery Efforts
The stolen funds are now sitting in two wallets tied to the attacker. Tracing efforts stalled after the funds were funneled through Tornado Cash, but Bunni said it has contacted the attacker with a proposal: return 90% of the stolen money and keep 10% as a “white-hat” reward. The team has also alerted centralized exchanges and engaged law enforcement.
Withdrawals have been reopened so liquidity providers can retrieve their assets, but deposits and swaps remain paused.
Despite the setback, Bunni’s six-person team insisted it would keep building. “We spent years of our lives and millions of dollars to launch Bunni, because we firmly believe it is the future of AMMs,” the team said in its closing note. “Regardless of what happens, we will continue to build Bunni and invent the future of DeFi.”