Decentralized finance protocol Bunni has confirmed it lost $8.4 million on September 2 in what is now being described as the Bunni flash-loan exploit. The attacker executed a complex strategy that targeted liquidity pools on Ethereum and Unichain, manipulating prices and exploiting a flaw in the protocol’s smart contract logic.
The exploit began when the attacker borrowed 3 million USDT through a flash loan, using it to distort the USDC/USDT pool’s spot price. With the pool’s balance pushed to extreme levels, they initiated 44 micro-withdrawals that exposed a rounding error in Bunni’s code. This sequence drained liquidity by more than 80%, leaving the pools vulnerable to further manipulation.
Blockchain security firm Cyfrin later confirmed that the bug stemmed from how the protocol rounded balances during withdrawals. While designed as a conservative safeguard, the rounding mechanism created conditions that could be repeatedly exploited.
“This was a textbook case of how small coding oversights in DeFi can escalate into multimillion-dollar losses when paired with flash-loan strategies,” — Cyfrin analyst, in a report following the Bunni flash-loan exploit.
The scale of losses and ongoing investigation
The Bunni flash-loan exploit ultimately netted the attacker around 1.33 million USDC and 1 million USDT, with stolen assets now spread across two wallets. Investigators tracked the funds but reached a dead end after discovering that the wallets were initially funded through Tornado Cash, a sanctioned privacy tool.
Bunni’s largest pool, the Unichain USDC/USD₮0 pair, escaped the attack. Analysts suggest the only reason it remained safe was the absence of sufficient flash-loan liquidity to mount a comparable assault. Exploiting that pool would have required $17 million in borrowed assets, but only $11 million was accessible at the time.
In response, Bunni has contacted the attacker directly on-chain, offering a 10% bounty if the funds are returned. Centralized exchanges have also been alerted in case the exploiter attempts to convert the stolen tokens.
“While we are engaging law enforcement and security partners, our first step is to negotiate recovery directly,” — Bunni development team, in its official statement on the Bunni flash-loan exploit.
Source: Bunni_xyz
Protocol response and code changes
Operations on Bunni were paused immediately after the breach, with deposits and swaps frozen as a precaution. Withdrawals were later reopened to allow liquidity providers to reclaim their remaining assets. Developers announced that the immediate fix involved altering the rounding direction in the affected function, neutralizing the exploit vector.
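The rounding-direction bug class described above (Cyfrin's finding that withdrawals rounded balances exploitably, and the fix of flipping the rounding direction), shown in a hypothetical toy pool as an added example that is not Bunni's code and does not reproduce its LDF logic or the real transaction sequence: when the share-burn calculation rounds toward the caller, a user holding a single share can repeat small withdrawals that burn no shares at all, while rounding toward the pool stops the sequence after the first one. ToyPool, micro_withdrawals and all pool figures are constructed for the illustration.

```python
def mul_div_floor(a: int, b: int, d: int) -> int:
    """a*b/d truncated like Solidity integer division (rounds toward the caller)."""
    return a * b // d

def mul_div_ceil(a: int, b: int, d: int) -> int:
    """a*b/d rounded up (rounds toward the pool)."""
    return -((-(a * b)) // d)

class ToyPool:
    """Hypothetical share-based pool, not Bunni's contract or its LDF logic:
    burning shares pays out a pro-rata slice of the pooled assets."""

    def __init__(self, total_assets: int, total_shares: int, round_toward_pool: bool):
        self.total_assets = total_assets      # 6-decimal stablecoin units
        self.total_shares = total_shares
        self.round_toward_pool = round_toward_pool

    def withdraw(self, assets: int, user_shares: int) -> int:
        """Pay out `assets`, burn the matching shares, return shares burned."""
        mul_div = mul_div_ceil if self.round_toward_pool else mul_div_floor
        burned = mul_div(assets, self.total_shares, self.total_assets)
        if burned > user_shares:
            raise ValueError("insufficient shares")
        self.total_assets -= assets
        self.total_shares -= burned
        return burned

def micro_withdrawals(round_toward_pool: bool, n: int = 44,
                      amount: int = 900 * 10**6) -> tuple[int, int, int]:
    """Up to n withdrawals of `amount` by a user holding one share.
    Returns (assets_paid_out, shares_burned, withdrawals_completed)."""
    # Constructed state: 1,000,000 USDC backing only 1,000 shares, an extreme
    # assets-per-share ratio of the kind price manipulation creates, so each
    # 900 USDC request is worth less than one share.
    pool = ToyPool(1_000_000 * 10**6, 1_000, round_toward_pool)
    user_shares, paid, burned, done = 1, 0, 0, 0
    for _ in range(n):
        try:
            b = pool.withdraw(amount, user_shares)
        except ValueError:
            break                  # hardened pool stops once the share is spent
        user_shares -= b
        paid, burned, done = paid + amount, burned + b, done + 1
    return paid, burned, done

if __name__ == "__main__":
    print("round toward caller:", micro_withdrawals(False))  # 39,600 USDC, 0 shares burned
    print("round toward pool:  ", micro_withdrawals(True))   # 900 USDC, 1 share burned
```

The invariant a test suite should enforce is the one the hardened variant satisfies: a holder of one share can never extract more than one share's value, however many withdrawals they split it into.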
However, the team acknowledged that more extensive testing and upgrades will be needed before the platform fully resumes. The exploit highlighted how new DeFi designs, such as Bunni’s Liquidity Density Functions (LDFs), require heightened scrutiny before being deployed at scale.
“We spent years building Bunni because we believe it represents the future of automated market makers,” — Bunni team statement. “This setback is painful, but it strengthens our resolve to improve security, testing, and resilience.”
At its peak, Bunni held over $80 million in total value locked (TVL). Following the Bunni flash-loan exploit, that figure has dropped to just above $50 million.
A wider trend of crypto security breaches
The Bunni flash-loan exploit is the latest in a series of high-profile incidents undermining confidence in decentralized finance. According to blockchain security firm PeckShield, more than $163 million was stolen across 16 major attacks in August alone, making it the third-worst month for crypto security in 2025.
Recent incidents include a $13.5 million phishing scam targeting a Venus Protocol user, a $91 million social engineering theft involving 783 BTC, and a $54 million hot wallet breach at Turkish exchange BtcTurk.
Security experts warn that both technical flaws, like those behind the Bunni flash-loan exploit, and human-driven schemes such as phishing will continue to challenge the sector. With DeFi protocols growing in complexity, the pressure is mounting on developers to adopt rigorous security audits and on regulators to consider oversight mechanisms.
“The lesson from the Bunni flash-loan exploit and others is clear: innovation must be matched with robust safeguards, or the risks will overshadow the potential,” — PeckShield spokesperson, in a statement on industry-wide vulnerabilities.
Moses Edozie is a writer and storyteller with a deep interest in cryptocurrency, blockchain innovation, and Web3 culture. Passionate about DeFi, NFTs, and the societal impact of decentralized systems, he creates clear, engaging narratives that connect complex technologies to everyday life.