Decentralized exchange Bunni paused operations after an $8.4 million exploit leveraging a smart contract rounding error, impacting two pools.
Bunni Halted After $8.4 Million Exploit
Decentralized exchange Bunni halted deposits and swaps after suffering an $8.4 million exploit due to a rounding error in its smart contract, affecting the USDC/USDT pair on Ethereum and the ETH/weETH pair on Unichain.
The Exploit in Detail
Bunni identified a rounding error in the smart contract's idle balance update during withdrawals as the root cause. The attacker used a flash loan to manipulate pool prices and liquidity before exploiting the rounding error with small withdrawals. Similar rounding exploits have occurred before, such as the one on Radiant Capital in January 2024, which resulted in a $4 million loss.
The fundamental issue behind the bug lies in the rounding error within the calculation of the scaled amount in the burn function of the AToken contract.
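To make the rounding-error class concrete, here is an added example that is not Bunni's or Radiant's contract code and does not reproduce the exact mechanism of either incident (the pool model, the field names and the sample balances are all assumptions). It is a toy share-based pool in Python whose withdrawal rounds the payout toward the withdrawer, and it shows the two checks a defender adds: the flooring fix, and a per-transition invariant that no withdrawal may dilute the liquidity providers who stay behind.

```python
"""Toy model of a share-based liquidity pool, showing how a withdrawal that
rounds its payout in the withdrawer's favour can be drained with many tiny
withdrawals, and the two defender-side checks that catch it: rounding the
payout down, and an invariant that remaining LPs are never diluted.

Constructed example: this is not Bunni's or Radiant's contract code and does
not reproduce the exact mechanism of either incident; it models the generic
rounding-error class described in the article."""

from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass
class Pool:
    balance: int        # tokens held by the pool, in integer base units
    total_shares: int   # outstanding LP shares

    def withdraw(self, shares: int, round_up: bool) -> int:
        """Burn `shares` and pay out the pro-rata token amount.

        round_up=True models the defect: the integer division rounds toward
        the withdrawer, so every withdrawal with a remainder overpays by one
        base unit. round_up=False is the fixed behaviour (floor, i.e. round
        against the withdrawer)."""
        if shares <= 0 or shares > self.total_shares:
            raise ValueError("invalid share amount")
        numerator = shares * self.balance
        payout = numerator // self.total_shares
        if round_up and numerator % self.total_shares:
            payout += 1
        self.balance -= payout
        self.total_shares -= shares
        return payout


def fair_entitlement(pool: Pool, shares: int) -> int:
    """Tokens `shares` are worth if redeemed in a single floor-rounded call."""
    return shares * pool.balance // pool.total_shares


def lp_invariant_holds(before: Pool, after: Pool) -> bool:
    """Defender check: a withdrawal must never lower the value per share of
    the LPs who stay behind, i.e. balance/total_shares is non-decreasing.
    Compared cross-multiplied to avoid floating point."""
    if after.total_shares == 0:
        return True  # pool fully redeemed; nobody left to dilute
    return after.balance * before.total_shares >= before.balance * after.total_shares


def audited_withdraw(pool: Pool, shares: int, round_up: bool) -> tuple[int, bool]:
    """Run one withdrawal and report (payout, invariant_ok) without mutating
    the caller's pool. This is the property an invariant/fuzz test asserts
    on every state transition."""
    before = replace(pool)
    after = replace(pool)
    payout = after.withdraw(shares, round_up)
    return payout, lp_invariant_holds(before, after)


def dust_withdraw_total(pool: Pool, shares: int, round_up: bool) -> int:
    """Redeem `shares` one share at a time and return the total paid out.
    With round_up=True each 1-share call skims one base unit whenever the
    division has a remainder, so the sum far exceeds fair_entitlement."""
    total = 0
    for _ in range(shares):
        total += pool.withdraw(1, round_up)
    return total


if __name__ == "__main__":
    # Constructed state: 1000 base units backed by 1,000,000 shares, so one
    # share is worth 0.001 units and 1000 shares are worth exactly 1 unit.
    print("fair value of 1000 shares:", fair_entitlement(Pool(1000, 1_000_000), 1000))
    print("vulnerable, 1000 dust withdrawals:",
          dust_withdraw_total(Pool(1000, 1_000_000), 1000, True))
    print("fixed, 1000 dust withdrawals:",
          dust_withdraw_total(Pool(1000, 1_000_000), 1000, False))
    # The invariant check flags the defect on a single call.
    print("vulnerable single call:", audited_withdraw(Pool(1000, 3), 1, True))
    print("fixed single call:", audited_withdraw(Pool(1000, 3), 1, False))
```

The point of `lp_invariant_holds` is that it catches the defect on the very first call, independent of how the pool state was reached: a flash loan that skews balances before the withdrawal only changes the numbers, not the property. Running such a check in a fuzzing or invariant-testing harness before deployment is the "continuous security validation" the article refers to.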
Impact and Response
Following the exploit, Bunni paused all smart contract functions on all networks. The team is actively investigating and has offered a 10% bounty for the return of the stolen funds. The stolen funds were funneled through Tornado Cash, a crypto mixer. Bunni is collaborating with cybersecurity firms, including Cyfrin Audits, to investigate the incident.
Market Implications and Security Concerns
The exploit raises concerns about the security and reliability of DeFi protocols. The incident highlights the need for robust security measures and continuous security validation in the DeFi space. As suggested in "Web3 Security Best Practices: Complete Guide for Smart Contract Protection in 2025", the future of Web3 security lies not in reactive auditing, but in proactive, automated security validation that can replace traditional audits entirely. In 2024 alone, crypto crime cost the world $40.9 billion and is projected to reach more than $51 billion by the end of the year.
