
Bunni Suffers $8.4 Million Loss in Flash Loan Attack, Cites Serious Rounding Flaw


Security Breach at Bunni

On September 2, the decentralized finance platform Bunni lost $8.4 million to a flash-loan exploit. The attack manipulated the weETH/ETH and USDC/USDT liquidity pools on Ethereum and Unichain, abusing a rounding error in the protocol’s smart contract.

Details of the Exploit

Bunni’s internal review described the exploit as a process carried out in three distinct phases. First, the attacker took a flash loan of 3 million USDT and used it to push the spot price of the USDC/USDT pool to an extreme, draining the pool’s USDC holdings down to just 28 wei. From that position, the attacker performed 44 small withdrawals. Each withdrawal took advantage of the rounding error in Bunni’s code, and together they cut the pool’s liquidity by 84%.

With the pool’s liquidity suppressed, the attacker then executed a sandwich attack, carrying out large swaps that pushed prices well beyond their normal value. By reversing the earlier liquidity suppression they captured a substantial profit, repaid the flash loan, and made off with around 1.33 million USDC and 1 million USDT.

Vulnerability and Response

Blockchain security experts at Cyfrin confirmed that the vulnerability arose from the way Bunni’s smart contract handled rounding during withdrawals. The rounding was intended to strengthen liquidity safety, but it inadvertently created conditions that could be exploited through a series of small withdrawals.
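To make the two paragraphs above concrete, here is an added illustration that is not Bunni’s code and does not model its actual pool: a constructed share-based pool whose withdrawal arithmetic can round either against the caller (dust stays in the pool) or toward the caller, with an invariant check that a sequence of tiny withdrawals must never lower the reserve backing each remaining share. The 28-wei reserve is chosen to match the dust level the article mentions; the share count, the number of rounds and the pool rules are assumptions.

```python
# Constructed toy model (not Bunni's code): a share-based pool where the
# rounding direction of a withdrawal decides whether dust can be extracted
# repeatedly. Amounts are integers (wei), as in the EVM.

def div_floor(a: int, b: int) -> int:
    return a // b

def div_ceil(a: int, b: int) -> int:
    # Ceiling division for non-negative integers (the usual Solidity idiom).
    return (a + b - 1) // b

class ToyPool:
    def __init__(self, reserve: int, total_shares: int, round_against_caller: bool):
        self.reserve = reserve
        self.total_shares = total_shares
        # True: pay floor(pro-rata share), so rounding dust stays with the pool.
        # False: pay ceil(pro-rata share), which favours the withdrawer (flawed).
        self.round_against_caller = round_against_caller

    def withdraw(self, shares: int) -> int:
        assert 0 < shares <= self.total_shares
        if shares == self.total_shares:
            amount = self.reserve                 # last LP takes what is left
        else:
            div = div_floor if self.round_against_caller else div_ceil
            amount = div(self.reserve * shares, self.total_shares)
        self.reserve -= amount
        self.total_shares -= shares
        return amount

def per_share_value_kept(r_before: int, s_before: int, r_after: int, s_after: int) -> bool:
    # Invariant: reserve / total_shares must not fall after a withdrawal.
    # Cross-multiply so that the check itself involves no rounding.
    return r_before * s_after <= r_after * s_before

def run_small_withdrawals(reserve: int, total_shares: int, rounds: int,
                          shares_each: int, round_against_caller: bool):
    """Replay `rounds` tiny withdrawals; return (reserve_left, shares_left, invariant_ok)."""
    pool = ToyPool(reserve, total_shares, round_against_caller)
    ok = True
    for _ in range(rounds):
        r0, s0 = pool.reserve, pool.total_shares
        pool.withdraw(shares_each)
        ok = ok and per_share_value_kept(r0, s0, pool.reserve, pool.total_shares)
    return pool.reserve, pool.total_shares, ok

if __name__ == "__main__":
    # Constructed scenario: 28 wei backing 1,000,000 shares, 28 withdrawals of 1 share each.
    print(run_small_withdrawals(28, 10**6, 28, 1, round_against_caller=False))  # (0, 999972, False)
    print(run_small_withdrawals(28, 10**6, 28, 1, round_against_caller=True))   # (28, 999972, True)
```

The same cross-multiplied invariant is what a fuzz or invariant test suite should assert after every withdrawal, at reserve levels down to a few wei, because that is exactly where a rounding direction that looks harmless at normal balances starts paying out more than the burned shares are worth.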

Importantly, Bunni reported that its largest liquidity pool on Unichain, the USDC/USD₮0 pair, was not exploited, because the liquidity needed for an attack exceeded what was available at the time. The attacker would have needed around $17 million to exploit that pool, but only $11 million could be borrowed from lending platforms.

After tracing the stolen assets, investigators found them sitting in two wallets associated with the attacker, both funded through Tornado Cash, a privacy tool currently under sanctions. Bunni contacted the perpetrator directly through an on-chain message, offering a 10% bounty in exchange for the return of the funds. It has also asked centralized exchanges to halt any trading of the stolen funds and is working with law enforcement on recovery.

Operational Changes and Future Plans

Following the exploit, Bunni temporarily halted all operations. It has since re-enabled withdrawals so that liquidity providers can retrieve their deposits, while deposits and swaps remain paused as developers address the identified vulnerabilities. The team is modifying the rounding function to remove this particular exploit vector, but acknowledged that comprehensive testing and additional security measures are needed before services fully reopen.

Despite these setbacks, the six-member team behind Bunni remains committed to its mission, emphasizing that the protocol encompasses innovative concepts such as Liquidity Density Functions (LDFs), which they tout as a new paradigm in automated market makers.

“We dedicated years to developing Bunni, believing it represents the future of AMMs,” the team stated, promising to improve its code and testing practices to prevent future incidents.

Broader Context of Cybersecurity in Cryptocurrency

The exploit came amid a troubling trend in the cryptocurrency sector: August set a record for crypto-related cybercrime, with $163 million lost to hacks and scams. Just a day before Bunni’s incident, a Venus Protocol user lost $13.5 million to a phishing scam, underscoring the industry’s ongoing vulnerabilities and the importance of sound security measures. The escalating breaches are a stark reminder that both technical weaknesses and human error continue to challenge the crypto landscape.
