Explained: The Bunni Hack (September 2025)

Category: Explained: Hacks

POSTED BY: Rob Behnke

09.09.2025

In September 2025, Bunni, a decentralized exchange (DEX) built on Uniswap v4, was the victim of an $8.4 million hack. The attacker used flashloan-funded trades to exploit the protocol on both the Ethereum and Unichain blockchains.

Inside the Attack

The attacker exploited vulnerabilities in the protocol’s weETH/ETH pool on Unichain and its USDC/USDT pool on Ethereum. In both cases, the attack began with a flashloan, followed by multiple, carefully crafted swaps from one token to another. For example, in the Ethereum pool, the attacker borrowed USDT and swapped it for USDC, moving the pool’s spot price tick and reducing the amount of USDC left in the pool.

Next, the attacker exploited rounding errors in the pool to shrink the value remaining in the pool further while decreasing liquidity by a disproportionately small amount. For example, the USDT/USDC pool held 28 wei before this step and was lowered to 4 wei, an 85.7% decrease; liquidity, however, decreased by only 84.4%. This was possible because the withdraw function was intended to round the idle balance down but unintentionally rounded in the opposite direction.

Then, the attacker performed a sandwich attack on the pool, swapping USDT to USDC and dramatically elevating the pool’s spot price tick. This swap moved the tick so that 1 USDC equaled 2.77e36 USDC and increased liquidity by 16.8%.

The effects of this swap allowed the attacker to extract value from the pool. They performed another swap at the inflated price, draining value and extracting a profit even after repaying the flashloan.

Lessons Learned from the Attack

The Bunni hack was made possible by a rounding error within the protocol’s withdraw function. The developers believed that rounding a key value down would cause the idle balance to increase; however, the opposite occurred.

As a result, the attacker was able to manipulate the pool carefully enough to withdraw a disproportionate number of tokens while burning less liquidity than those tokens represented. By unbalancing the pool in this way, they created the conditions needed for massive withdrawals, resulting in over $8 million in losses across two pools.
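The rounding-direction defect described above (and in the 28-wei-to-4-wei figures in the attack walkthrough) can be reproduced in a simplified model. The code below is an added illustration written for this post, not Bunni’s contract code: a toy pool whose withdraw pays out a pro-rata share of a dust-sized idle balance, with the rounding direction switchable, plus the invariant check (share price for remaining LPs never decreases) that a test suite would use to catch the wrong direction before deployment. All balances and liquidity figures are constructed.

```python
"""Toy withdraw model: rounding direction decides who keeps the dust (illustrative, not Bunni's code)."""
from dataclasses import dataclass


def mul_div_down(a: int, b: int, d: int) -> int:
    """floor(a*b/d): what Solidity's truncating division gives by default."""
    return a * b // d


def mul_div_up(a: int, b: int, d: int) -> int:
    """ceil(a*b/d): rounds the remainder in favour of the caller."""
    q, r = divmod(a * b, d)
    return q + (1 if r else 0)


@dataclass
class Pool:
    balance: int            # idle token balance owed to LPs, in wei (constructed)
    liquidity: int          # total liquidity units outstanding (constructed)
    round_payout_up: bool   # True reproduces the defect: payout rounded toward the withdrawer

    def withdraw(self, burn: int) -> int:
        """Burn `burn` liquidity units and pay out the matching share of `balance`."""
        assert 0 < burn <= self.liquidity
        f = mul_div_up if self.round_payout_up else mul_div_down
        out = min(f(self.balance, burn, self.liquidity), self.balance)
        self.balance -= out
        self.liquidity -= burn
        return out


def drain(pool: Pool, burn_per_step: int, steps: int) -> tuple[float, float]:
    """Repeat tiny withdrawals while the pool holds only dust; return the percentage
    drop in balance and in liquidity so the two can be compared."""
    b0, l0 = pool.balance, pool.liquidity
    for _ in range(steps):
        pool.withdraw(burn_per_step)
    return 100 * (b0 - pool.balance) / b0, 100 * (l0 - pool.liquidity) / l0


def count_invariant_violations(round_payout_up: bool, max_balance: int = 40, max_liquidity: int = 60) -> int:
    """Exhaustively check the property a withdraw must preserve: balance per liquidity unit
    for the LPs who stay never falls, i.e. new_balance * old_liq >= old_balance * new_liq."""
    violations = 0
    for b in range(1, max_balance + 1):
        for liq in range(1, max_liquidity + 1):
            for burn in range(1, liq + 1):
                p = Pool(b, liq, round_payout_up)
                p.withdraw(burn)
                if p.balance * liq < b * p.liquidity:
                    violations += 1
    return violations
```

With the payout rounded up, 24 one-unit burns against a 28-wei balance take it to 4 wei (an 85.7% drop) while liquidity falls 2.4%; with the payout rounded down, the same burns extract nothing and the invariant check reports zero violations.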

This incident demonstrates the importance of comprehensive testing of smart contract code before it is deployed on-chain. Had the unintended effect of the rounding error been identified and addressed during a smart contract audit, the attacker could not have performed this exploit. To learn more about protecting your code against similar attacks, get in touch with Halborn.

© Halborn 2025. All rights reserved.