Bunni V2 Hack: $8M Drained in Precision Liquidity Exploit – Report & Insights


Source: Bunni V2 Exploit Drains $8.3M via Liquidity Flaw - QuillAudits


On September 2, 2025, the Bunni V2 protocol suffered a critical exploit, losing $8.3 million across Ethereum and UniChain networks. This attack targeted a subtle precision bug in BunniHook’s liquidity accounting, allowing the attacker to drain funds from liquidity pools on both chains.


What Happened?

  • The attacker exploited BunniHook’s Liquidity Distribution Function (LDF), a custom liquidity curve built on top of Uniswap V4.
  • Bunni V2 uses the LDF to monitor changes after each trade and rebalance liquidity pools accordingly.
  • A precision error during these rebalancing calculations caused misestimated token amounts.
  • Carefully crafted swaps exploited this bug by repeatedly manipulating LDF thresholds, amplifying rounding errors and inflating the attacker’s token balance.

How the Hack Unfolded

  • On Ethereum:
    • The attacker took a 3M USDT flash loan from Uniswap V3.
    • Executed a series of precise swaps on USDC/USDT pools via Uniswap V4's PoolManager, triggering the faulty LDF logic.
    • Miscalculations resulted in a net positive token balance for the attacker within one transaction.
    • After compounding these errors, the attacker withdrew the inflated balance, repaid the flash loan, and laundered the stolen assets through Aave.
  • On UniChain:
    • A similar approach involved a 2000 WETH flash loan from Morpho.
    • Extracted 1366 WETH using the same flaw, then bridged the stolen funds back to Ethereum through the Across protocol.

Root Cause

  • The core issue lies in precision errors during swap rebalancing in the Liquidity Distribution Function.
  • These small miscalculations did not cancel out; they accumulated as a credit to the attacker, who realized it through repeated threshold-crossing trades.
  • This flaw led to the systematic over-crediting and withdrawal of tokens from liquidity pools.

Impact & Response

  • Total losses: $8.3M+ combined on Ethereum and UniChain.
  • Currently, $2.2M remains in the attacker’s wallet, with over 1366 ETH bridged to Ethereum.
  • The Bunni team quickly halted withdrawals across all chains to contain damage.
  • They also publicly offered the attacker a 10% bounty to encourage responsible disclosure.

Lessons & Recommendations

This incident underscores the risks of adding complex, custom liquidity logic on top of established protocols. Minor precision bugs can lead to major financial loss when exploited at scale.

  • Rigorous auditing of custom hooks and liquidity accounting mechanisms is essential.
  • Stress-testing for rounding issues and edge-case scenarios helps catch hidden bugs early.
  • Protocols should have emergency pause mechanisms ready for swift response.
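The root cause above (per-swap rounding that accumulates as a credit) and the stress-testing recommendation, as an added illustration that is not Bunni V2's or BunniHook's code: a constructed fixed-point pool model in Python whose rebalance accounting first rounds every amount in the trader's favour, so each round trip leaves one unit of dust that compounds over many trips, and then rounds against the trader, which is the property a rounding stress test should assert. The ratio, scale and reserve values are constructed.

```python
from dataclasses import dataclass

SCALE = 10**6  # fixed-point base for the rebalancing ratio (constructed value)


def mul_div_down(a: int, b: int, d: int) -> int:
    """floor(a * b / d) on integers."""
    return (a * b) // d


def mul_div_up(a: int, b: int, d: int) -> int:
    """ceil(a * b / d) on integers."""
    return -((-(a * b)) // d)


@dataclass
class Pool:
    reserve: int       # tokens the pool actually holds
    ratio: int         # tokens per unit of credit after rebalancing, times SCALE
    favour_pool: bool  # True: round every amount against the trader (hardened)

    def deposit(self, tokens: int) -> int:
        """Trader pays `tokens`; the pool records and returns credit = tokens / ratio."""
        self.reserve += tokens
        # Hardened accounting rounds the credit it hands out DOWN; naive rounds it UP.
        f = mul_div_down if self.favour_pool else mul_div_up
        return f(tokens, SCALE, self.ratio)

    def redeem(self, credit: int) -> int:
        """Trader burns `credit`; the pool pays out tokens = credit * ratio."""
        # Hardened accounting rounds the payout DOWN; naive rounds it UP.
        f = mul_div_down if self.favour_pool else mul_div_up
        tokens = f(credit, self.ratio, SCALE)
        if tokens > self.reserve:
            raise RuntimeError("insolvent: payout exceeds pool reserve")
        self.reserve -= tokens
        return tokens


def round_trips(pool: Pool, tokens: int, n: int) -> int:
    """Run n deposit/redeem cycles of `tokens`; return the trader's net gain.

    A rounding stress test asserts this is never positive and the pool stays solvent.
    """
    gain = 0
    for _ in range(n):
        gain += pool.redeem(pool.deposit(tokens)) - tokens
    return gain


if __name__ == "__main__":
    # Constructed ratio 1.500007 so that neither direction divides evenly.
    naive = Pool(reserve=10_000, ratio=1_500_007, favour_pool=False)
    hardened = Pool(reserve=10_000, ratio=1_500_007, favour_pool=True)
    print("naive trader gain:", round_trips(naive, 1_000, 1_000))        # 1000: one dust unit per trip
    print("hardened trader gain:", round_trips(hardened, 1_000, 1_000))  # -1000: dust stays in the pool
```

The naive path loses one token of reserve per round trip, so the drift only shows up when the same trade is repeated many times within a single transaction, which is why a single-swap unit test would pass and a looped stress test would not.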