Bunni: Precision/Rounding Error in Custom Liquidity Distribution Function (LDF)
Summary
Bunni, a DEX / Liquidity Management protocol (Uniswap V4 Hook), suffered an exploit on 2025-09-01, resulting in a loss of approximately $8M.
What happened
Bunni's custom Liquidity Distribution Function — its key innovation over standard Uniswap math — was gamed with precisely sized trades to produce rounding errors that let an attacker drain $8.4M from two pools while leaving behind 1,000+ self-incriminating transaction logs.
Linked factors
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — codebase continuously evolving; changes made during and after multiple audit windows]
- RD-F-009 — related : Formal verification coverage — would have caught [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
- RD-F-024 — causal : Code complexity above threshold for audit coverage [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
- RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: ~Several months; TVL explosion July 31–Aug 1 2025 (weeks before exploit)]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Abnormally small token balances in pools (25 wei); repeated cyclical deposit/withdrawal patterns; 1,000+ transaction logs from single addres...]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Not anonymous; public team]