PANews reported on September 5th that, according to The Block, the decentralized exchange Bunni released a review report on Tuesday regarding a vulnerability attack that resulted in $8.4 million in losses. The report stated that the attack affected two trading pools: the weETH/ETH trading pair on Unichain and the USDC/USDT trading pair on the Ethereum mainnet. The vulnerability stemmed from an issue with the rounding direction used when updating idle balances in the smart contract, which occurred during user withdrawals. The attacker exploited this error to launch a flash loan attack, manipulating prices and liquidity in the trading pools.

First, the attacker borrowed 3 million USDT through a flash loan and performed multiple token swaps to manipulate the price, reducing the available USDC to just 28 wei. The attacker then exploited rounding errors in 44 small withdrawals to further deplete the USDC balance, significantly reducing the total liquidity of the trading pool. Finally, the attacker executed a large token swap to inflate the price, then reversed the swap at the manipulated price. Bunni stated that all rounding operations tested secure individually, but combined they created a vulnerability. The rounding code has been updated and cross-chain withdrawals have been restored, but deposits, swaps, and other functions remain suspended. The platform is working with law enforcement to trace the funds transferred to Tornado Cash and is offering a 10% return bounty to the attacker. Future improvements to the testing framework will ensure a comprehensive and secure recovery.