Uniswap "pegged" exchange Bunni hacked, losing over $8.4 million
Sep 03, 2025 09:04:51
ChainCatcher reports that another security incident has occurred in the decentralized finance (DeFi) sector. The exchange Bunni, built on Uniswap, has been hacked, resulting in a loss of $8.4 million. According to the official Bunni website, the application aims to "maximize the profits of liquidity providers under all market conditions," but today's loss is contrary to that goal.
Previously, according to the crypto security auditing firm BlockSec Phalcon (@Phalconxyz), a suspicious transaction targeting the Bunni protocol (@bunnixyz) contract was detected on the Ethereum network, causing a loss of approximately $2.3 million. About two hours later, the Bunni team acknowledged the incident and suspended their contracts across all networks. Subsequently, more auditing firms got involved in the investigation and found that in addition to the $2.3 million loss on the Ethereum network, there was also a loss of $6 million on the Unichain network, bringing the total loss to $8.4 million.
The attack appears to be related to a precision vulnerability in the platform's "liquidity allocation function" curve. The hacker manipulated this function through carefully designed transaction sizes, leading to errors in the rebalancing calculations, which incorrectly computed the shares each liquidity provider should hold. The hacker repeated this process to extract excess LP tokens, draining Bunni's liquidity pool.
Although Bunni's codebase had been audited by well-known security firms such as Trail of Bits and Cyfrin, and "serious" issues were reported, it remains unclear whether this attack fell within the scope of those audit reports.