On September 2, 2025, Bunni, a Uniswap v4 hook-based DEX that optimizes LP yields through a custom Liquidity Distribution Function (LDF), lost $8.4M ($2.4M on Ethereum, $5.9M on UniChain) to a precision rounding exploit in BunniHubLogic.withdraw. The attackers flash-loaned 3M USDT (Ethereum) and 2k WETH (UniChain) from Uniswap/Morpho, executed sized swaps via PoolManager to manipulate LDF rebalancing, and chained 44 micro-withdrawals that rounded idle balances down (e.g., from 28 to 4 wei of USDC, a drop of 85.7% against an 84.4% drop in liquidity). This flipped totalLiquidityEstimate0/1 and produced sandwichable spikes (1 USDC=2.77e36, +16.8% liquidity). The attackers drained USDC, USDT, and WETH, then repaid the loans and deposited to Aave (Ethereum) or bridged via Across (UniChain).

PeckShield, CertiK, and BlockSec flagged the attack. Bunni paused all contracts, urged LPs to withdraw, offered a 10% bounty (~$840k) for the return of funds, and investigated with Euler (unaffected).

Coming amid August's $163M in hacks (a 15% MoM rise), this LDF flaw, a post-audit oversight, exposes the risks of v4 hooks and calls for rounding-invariant tests, whitelisted rebalances, and fuzzing to avert $8.4M manipulations in emerging DEXes.
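A rounding-invariant fuzz test of the kind recommended above, shown on a simplified integer model. This is an added example, not Bunni's code: `withdraw`, its `round_up` flag, the 10**18 share supply, and the balance-per-share invariant are assumptions chosen for illustration.

```python
import random

def withdraw(balance, total_shares, shares, round_up):
    """Burn `shares` and reduce the tracked idle balance pro rata (toy model).
    round_up=True rounds the decrement up (assumed weak variant);
    round_up=False floors it, so rounding dust stays in the pool."""
    num = balance * shares
    dec = -(-num // total_shares) if round_up else num // total_shares
    return balance - dec, total_shares - shares

def invariant_holds(b0, s0, b, s):
    # Balance per share must never fall: b/s >= b0/s0.
    # Cross-multiplied so the check itself has no rounding.
    return b * s0 >= b0 * s

def fuzz(round_up, runs=200, seed=1):
    """Random withdrawal sequences against wei-scale balances.
    Returns the first counterexample (b0, step, balance, shares) or None."""
    rng = random.Random(seed)
    for _ in range(runs):
        b0, s0 = rng.randint(1, 50), 10**18   # constructed sample state
        b, s = b0, s0
        for step in range(1, rng.randint(1, 44) + 1):
            shares = rng.randint(1, s // 20)  # each withdrawal is <= 5% of supply
            b, s = withdraw(b, s, shares, round_up)
            if not invariant_holds(b0, s0, b, s):
                return (b0, step, b, s)
    return None

if __name__ == "__main__":
    print("round-up decrement :", fuzz(round_up=True))
    print("floored decrement  :", fuzz(round_up=False))
```

The same property can be expressed as an invariant in a Solidity fuzzing harness; the point is that the check compares tracked balances against share supply across a whole sequence of calls, not a single withdrawal.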