Recently, Bunni V2 suffered a major exploit that resulted in the loss of $2.4M on Ethereum and $5.9M on UniChain. The attack was highly technical and exploited a precision bug in BunniHook’s custom liquidity logic, specifically in the Liquidity Distribution Function (LDF). By manipulating the calculations performed during pool rebalancing, the attacker was able to systematically drain the protocol.

Vulnerability Details

BunniHook sits as a smart contract layer on top of Uniswap V4. Instead of just using Uniswap’s built-in system for distributing liquidity, Bunni introduced its own curve — the LDF. After every swap, Bunni calls the LDF logic to determine if the curve needs adjustment, then calculates and redistributes the token balances. The critical bug was in how small, precise swaps created calculation errors that the LDF did not correct between trades.

How the Attack Worked: Step-by-Step

  • The attacker executed a sequence of swaps, each one precisely sized to make the LDF curve just cross a threshold.
  • In each “beforeSwap” hook, the protocol attempted to calculate post-swap deltas and redistribute liquidity, but rounding and precision errors crept in on each swap.
  • These tiny errors did not balance out, but instead accumulated as a net-credit to the attacker’s position. Uniswap V4’s flash accounting allowed the attacker to exploit these changes in a single transaction.
  • Once these over-credits were sufficiently large, the attacker performed a “take”/settlement operation to withdraw these inflated balances.
  • The attacker used flash loans and immediate repayments to avoid using their own capital, focusing on exploiting the bug with minimal risk.

Code and Mechanism Insights

Most hooks on Uniswap V4 including Bunni are externally executed code that interacts with pool logic through predefined interfaces like beforeSwap and afterSwap. The attacker took advantage of the LDF implementation’s lack of checks for cumulative rounding errors. The issue stemmed from custom code failing to accurately account for deltas after each swap, especially when approaching curve boundaries.

Uniswap V4 PoolManager and hooks use permission and flag checks, but there is flexibility in custom accounting logic. In Bunni’s case, the base contract did not strictly enforce uniqueness or error correction for these calculations; this oversight made it possible for the attacker to repeatedly manipulate balances using crafted input sizes.

Precision errors and rounding bugs appear in DeFi protocols frequently, especially in custom liquidity curves and hooks. If a protocol allows attackers to repeatedly interact with pool logic in such a way that small errors accumulate, those issues become much bigger during settlement.

Broader Dev and Security Lessons

This exploit highlights the danger in implementing custom, complex functions (like the LDF) in environments where precision is hard to guarantee and settlement logic is not strictly correct. Security reviews must include aggressive stress-testing for edge cases and repeated-call consistency. Carefully managing cumulative state changes in hooks is essential, especially in protocols integrated with flash loans or batch transactions.

Conclusion

The Bunni V2 exploit was made possible by custom accounting logic in the LDF that failed to accurately correct precision and rounding errors in rebalancing operations, allowing an attacker to accumulate and withdraw inflated token balances by executing multiple precise swaps.

Don’t become the next victim.
Secure your smart contracts before they get drained.
Schedule a call with us at safeedges.in

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here