Bunni pointed out that the rounding error in smart contracts was the cause of the 8.4 million dollar Flash Loans vulnerability.

PANews, September 5 – According to The Block, the decentralized exchange Bunni released a post-mortem report on a vulnerability attack on Tuesday, which resulted in a loss of $8.4 million. The report noted that the attack affected two trading pools – the weETH/ETH trading pair on Unichain, and the USDC/USDT trading pair on the Ethereum Mainnet. The vulnerability originated from an issue with the rounding direction used when updating idle balances in the smart contracts, which occurred during the user withdrawal process. The attacker exploited this error to initiate a flash loan attack, manipulating the prices and liquidity of the trading pools. First, the attacker borrowed 3 million USDT through Flash Loans and conducted multiple token swaps to manipulate the price, reducing the available USDC to only 28 wei. Subsequently, the attacker exploited the rounding errors from 44 small withdrawals to further deplete the USDC balance, resulting in a significant decrease in the total liquidity of the trading pool. Finally, the attacker executed a large token swap to raise the price scale, and then performed a reverse swap at the manipulated price. Bunni stated that all rounding operations were individually checked for safety, but the combination of operations created a vulnerability. The rounding code has been updated and cross-chain withdrawals have been restored, but functions such as deposits and swaps remain suspended. The platform is cooperating with law enforcement to track the funds transferred to Tornado Cash and is offering a 10% bounty on the funds returned to the attacker. Future plans include improving the testing framework to ensure a comprehensive and secure recovery.