$8.4M Flash-Loan Hack Hits Bunni — ‘Rounding Error’ at Fault

Decentralized finance (DeFi) platform Bunni suffered an $8.4 million hack due to a flash-loan exploit targeting a rounding error in its smart contracts, according to CryptoQuant. The attacker manipulated liquidity pools on Ethereum and Unichain, draining $1.33 million in USDC and $1 million in USDT from the weETH/ETH and USDC/USDT pools. Bunni’s post-mortem traced the flaw to a rounding error in the smart contract’s liquidity calculations, which let the attacker use tiny withdrawals to reduce pool liquidity disproportionately, by 84%.

Using a flash loan of 3 million USDT, the attacker skewed the USDC/USDT pool’s price, executed 44 small withdrawals, and performed a sandwich attack to extract profits. The stolen funds, traced to two wallets via Tornado Cash, remain unrecovered despite Bunni offering a 10% bounty for their return. The platform paused operations but has since resumed withdrawals, urging users to secure assets. Blockchain security firm Cyfrin confirmed the vulnerability, noting it was not caught in prior audits by Trail of Bits.

This incident, the first major DeFi exploit of September 2025, follows August’s $163 million in crypto losses. It highlights the risks of flash loans, which amplify coding errors, and underscores the need for rigorous smart contract audits. Bunni, built on Uniswap V4, saw its total value locked drop from $80 million to $50 million. As DeFi grows, platforms must prioritize robust security to protect users, while investors should remain cautious of such vulnerabilities.