**[Bunni Smart Contract Rounding Error Triggers $8.4 Million Flash Loan Attack]** Decentralized exchange Bunni has released a report detailing the flash loan attack that resulted in an $8.4 million loss. The vulnerability affected the weETH/ETH trading pair on Unichain and the USDC/USDT trading pair on the Ethereum mainnet. The issue stemmed from an error in the rounding direction when the smart contract updated idle balances, which the attacker exploited to manipulate pool prices and liquidity. The attacker initiated the exploit by taking out a flash loan of 3 million USDT, manipulating the price to drop USDC to 28 wei, and further draining USDC liquidity through 44 small withdrawals that leveraged the rounding error. Subsequently, the attacker profited by conducting large token swaps to push the price scale upward. Bunni has since fixed the rounding code and restored cross-chain withdrawal functionality, though deposits and swaps remain suspended. The platform is cooperating with law enforcement to trace the funds and has offered the attacker a 10% bounty in exchange for returning the funds. Additionally, Bunni plans to optimize its testing framework to enhance security.
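
As an added illustration (not Bunni's contract code and not taken from its report), the simplified Python model below shows how a per-call rounding choice behaves across many small withdrawals, and the kind of multi-call invariant a test suite can assert. The pro-rata formula, the share supply and the shares burned per withdrawal are assumptions; only the 28 wei balance and the count of 44 withdrawals come from the summary above.

```python
from fractions import Fraction

def withdraw(balance, supply, shares, round_up):
    """Burn `shares` and cut the tracked balance pro rata (assumed formula)."""
    num = balance * shares
    cut = -(-num // supply) if round_up else num // supply  # ceil vs floor
    return balance - cut, supply - shares

def drift_after(n, balance, supply, shares, round_up):
    """Apply n equal withdrawals.

    Returns (final balance, relative change in balance-per-share),
    where a positive change means value was stripped from the balance.
    """
    start = Fraction(balance, supply)
    for _ in range(n):
        balance, supply = withdraw(balance, supply, shares, round_up)
    return balance, float(1 - Fraction(balance, supply) / start)

def invariant_holds(n, balance, supply, shares, round_up, tol=1e-6):
    """Regression check: repeated dust withdrawals must not move
    balance-per-share by more than `tol`."""
    _, drift = drift_after(n, balance, supply, shares, round_up)
    return abs(drift) <= tol

# Constructed scenario (supply and share size are hypothetical values).
BALANCE = 28        # wei, the depressed balance mentioned in the summary
SUPPLY = 10**18     # total shares outstanding (assumed)
SHARES = 10**9      # shares burned per withdrawal (assumed)
N = 44              # number of small withdrawals mentioned in the summary

if __name__ == "__main__":
    for round_up in (True, False):
        final, drift = drift_after(N, BALANCE, SUPPLY, SHARES, round_up)
        ok = invariant_holds(N, BALANCE, SUPPLY, SHARES, round_up)
        mode = "ceil" if round_up else "floor"
        print(f"{mode:5s} final={final:2d} wei drift={drift:+.2e} invariant={ok}")
```

In this model each call is off by at most 1 wei, so a single-operation test passes under either rounding mode; only the invariant over the whole sequence separates them.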