Uniswap ‘hook’ Bunni hacked for over $8M after precision bug exploited

The decentralized finance (DeFi) minefield claimed its latest victim this morning as Bunni, an exchange built on top of Uniswap, was exploited for a reported $8.4 million.
According to the Bunni website, the app “maximizes liquidity provider profits in all market conditions.” Today’s losses suggest otherwise.
Approximately two hours after crypto security audit firm BlockSec raised the alarm over the suspicious transactions, the Bunni team acknowledged the incident and paused its contracts across all networks.
BlockSec had initially flagged losses of around $2.3 million on Ethereum, but as more audit firms looked into the incident, further losses on other networks quickly pushed the total higher.
Hacken identified a further $6 million on Unichain, Uniswap’s own network, bringing the total to $8.4 million.
The stolen funds remain in two addresses, which contain the proceeds from the attacks on Ethereum and Unichain, respectively.
Bunni attack all about precision
The exploit appears to be related to a precision bug in the platform’s “liquidity distribution function” curve, according to KyberSwap CEO and co-founder Victor Tran’s analysis.
The bug allowed the hacker to “manipulate this LDF by making trades of very specific sizes.”
The trades “caused the rebalancing calculation to break, giving wrong results for how much each [liquidity provider] share should own.”
The hacker repeated the process, withdrawing excess LP tokens and draining Bunni’s liquidity pools.
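To make that failure mode concrete, here is an added toy model (hypothetical code written for this article, not Bunni's contracts and not its actual LDF math, which the article does not reproduce): a share pool whose mint and burn arithmetic rounds half-up in the caller's favour, beside a version that rounds down, plus an assets-per-share invariant check that flags the first leaking round trip. The pool balance (10 units backing 3 shares) and the trade sizes are constructed; the point is that only certain sizes leak, and that a cheap post-operation invariant catches the very first one.

```python
from dataclasses import dataclass
from typing import Callable

def div_floor(n: int, d: int) -> int:
    return n // d  # rounds against the caller: the safe direction for a pool

def div_nearest(n: int, d: int) -> int:
    return (n + d // 2) // d  # half-up: the "precision" mistake illustrated here

@dataclass
class Pool:
    """Toy share pool (hypothetical, not Bunni's code): `assets` backs `shares`."""
    assets: int
    shares: int
    mint_round: Callable[[int, int], int]
    burn_round: Callable[[int, int], int]

    def deposit(self, amount: int) -> int:
        minted = self.mint_round(amount * self.shares, self.assets)
        if minted == 0:
            raise ValueError("deposit too small to mint a share")
        self.assets += amount
        self.shares += minted
        return minted

    def withdraw(self, n_shares: int) -> int:
        out = self.burn_round(n_shares * self.assets, self.shares)
        self.shares -= n_shares
        self.assets -= out
        return out

    def price_held(self, assets_before: int, shares_before: int) -> bool:
        # Invariant: assets per share never falls across a user's deposit+withdraw.
        return self.assets * shares_before >= assets_before * self.shares

def round_trip(pool: Pool, amount: int) -> tuple[int, bool]:
    """Deposit `amount`, redeem every share received; return (user gain, invariant ok)."""
    a0, s0 = pool.assets, pool.shares
    received = pool.withdraw(pool.deposit(amount))
    return received - amount, pool.price_held(a0, s0)

def repeated(pool: Pool, amount: int, cycles: int) -> tuple[int, int]:
    """Repeat one trade size; return (total drained from the pool, cycles flagged)."""
    total = flagged = 0
    for _ in range(cycles):
        gain, ok = round_trip(pool, amount)
        total, flagged = total + gain, flagged + (not ok)
    return total, flagged

# Constructed state: size 4 round-trips cleanly, size 2 leaks a unit and is flagged.
print(round_trip(Pool(10, 3, div_nearest, div_nearest), 2))  # (1, False)
print(round_trip(Pool(10, 3, div_floor, div_floor), 4))      # (-1, True)
```

Real pools scale balances by 1e18, so the same effect shows up as dust per cycle rather than whole units, which is why it only becomes material when the cycle is repeated many times inside one transaction.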
Helpfully, for those deciphering the cause of the exploit, the hacker left over 1,000 event logs within the attack transaction, with comments such as “Depositing to euler” and “Unlock Callback.”
Bunni’s codebase had been audited by well-respected security firms including Trail of Bits and Cyfrin, with “critical” findings in many of the reports.
At the time of writing, it remains unclear whether today’s exploit falls under the scope of these audit reports.
In response to the hack, Euler’s co-founder Michael Bentley was keen to point out that “Bunni rebalances funds in/out of Euler but Euler is not affected or at risk.”
The $1.5 billion DeFi lending giant was itself hacked in March 2023 for around $200 million, its entire holdings at the time.