Bunni protocol attributes its $8.4 million flash loan exploit to a rounding bug in smart contract withdrawals, with investigators confirming vulnerabilities while law enforcement and exchanges assist in fund recovery.
The Bunni decentralized finance protocol lost $8.4 million on September 2 after a flash loan attack manipulated the weETH/ETH and USDC/USDT pools. The attacker exploited a rounding error in the withdrawal function by conducting 44 small withdrawals, reducing liquidity by over 84% before executing profitable swaps. Security firm Cyfrin confirmed the vulnerability. Bunni has offered the exploiter a 10% bounty for returning funds, notified exchanges, and engaged law enforcement. Withdrawals have since been re-enabled, though deposits and swaps remain paused. The attack reduced Bunni’s TVL to about $50 million, down from over $80 million. The incident adds to August’s $163 million in crypto hacks and scams, including losses at Venus Protocol, BtcTurk, and several other platforms.