Skip to content

Bunni V2 Exploit $8.3M Drained via Liquidity Flaw #1381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Bunni V2 Exploit $8.3M Drained via Liquidity Flaw #1381

wants to merge 2 commits into from

Conversation

carlospolop
Copy link
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Bunni V2 Exploit Technical Summary

Incident — September 2, 2025

Bunni V2, a Uniswap v4 hook–based protocol, was exploited for approximately $8.3M total ($2.4M on Ethereum and $5.9M on UniChain). The attacker abused a precision/rounding bug in BunniHook’s Liquidity Distribution Function (LDF) that mis-accounted liquidity during swap-triggered rebalancing, allowing withd...

🔧 Technical Details

Threshold‑crossing precision abuse in DEX hooks: When a DEX integrates a custom rebalancing function (e.g., an LDF in a Uniswap v4 hook), craft exact‑input swaps calibrated to cross internal rebalancing thresholds. Precision/rounding errors in the hook’s accounting can accumulate as positive credits rather than cancel out. Loop swaps to build the credit, then withdraw the inflated balance to realize the gain.

Flash‑loan amplification and exit: Use large flash loans to run many threshold‑crossing swaps in one atomic transaction, ensuring loan repayment from the inflated withdrawal. Where the hook is deployed on multiple chains, repeat the pattern cross‑chain and bridge proceeds back. Optionally route funds through lending protocols (e.g., Aave) to obtain synthetic assets.

🤖 Agent Actions

Analysis and plan:

  • There is currently no DeFi/AMM exploitation coverage in HackTricks. Existing blockchain pages are general (privacy, gas, DApps) and do not discuss Uniswap v4 hooks, rounding/precision bugs, or AMM exploitation techniques.
  • The provided blog is technical and relevant: it explains a rounding/precision flaw in a Uniswap v4 hook (Bunni V2 LDF), exact-input threshold-crossing swaps that accumulate positive credits, and flash-loan amplification.
  • I explored the repository and reviewed relevant files:
    • src/blockchain/blockchain-and-crypto-currencies/README.md
    • src/crypto-and-stego/blockchain-and-crypto-currencies.md
    • src/pentesting-web/dapps-DecentralizedApplications.md
    • Plus cross-checked the repo layout via list_directory and searched for Uniswap/DeFi content (none existed)
  • I fetched the blog and related Uniswap v4 research pages to include accurate background and references.

What I added:

  1. New page: src/blockchain/defi-amm-exploitation/README.md
  • Title: “DeFi/AMM Exploitation: Uniswap v4 Hook Precision/Rounding Abuse”
  • Content:
    • Background on Uniswap v4 hooks and swap flow (hooks, Q64.96, ticks)
    • Vulnerability archetype: threshold-crossing rounding/precision drift in custom per-swap rebalancers (like LDF)
    • Practical attack methodology:
      • Identify pools with hooks, inspect callback math
      • Model thresholds and rounding behavior
      • Calibrate exact-input swaps to cross boundaries
      • Foundry-style pseudocode for boundary-crossing exactInput loop and withdrawing credits
      • Flash-loan amplification with Aave v3 skeleton
      • Exit and cross-chain replication
    • Common root causes in hook math (mixed rounding, tick alignment, BalanceDelta sign/overflow, Q64.96 precision loss, residue accumulation)
    • Defensive guidance: differential testing, invariants/property tests, centralized rounding policy, settlement sinks, guardrails, consistency across before/after callbacks
    • Case study summary of Bunni V2 (chains, flash loans, ~$8.3M drained)
    • Hunting checklist for auditors and researchers
    • References: Medium summary, full analysis, and Uniswap v4 mechanics/security pages
    • HackTricks training banners included at top and bottom.
  1. Linked the new page from related sections for discoverability:
  • src/blockchain/blockchain-and-crypto-currencies/README.md
    • Added “DeFi/AMM Exploitation” section with an internal reference to ../defi-amm-exploitation/README.md before the training banner.
  • src/pentesting-web/dapps-DecentralizedApplications.md
    • Added “Related: DeFi/AMM Exploitation” with an internal reference to ../blockchain/defi-amm-exploitation/README.md before the training banner.
  • src/crypto-and-stego/blockchain-and-crypto-currencies.md
    • Added “DeFi/AMM Exploitation” section with an internal reference to ../blockchain/defi-amm-exploitation/README.md before the training banner.

Why this is the right place:

  • Blockchain section is the natural home for DeFi/AMM techniques. Since no existing DeFi exploitation page existed, creating a focused page under src/blockchain/defi-amm-exploitation is appropriate and scalable for future AMM/DEX techniques. Related general pages now link to it, making it easy to find from both blockchain and DApps contexts.

Repository changes performed:

  • Created:
    • src/blockchain/defi-amm-exploitation/README.md
  • Modified:
    • src/blockchain/blockchain-and-crypto-currencies/README.md (added internal ref)
    • src/pentesting-web/dapps-DecentralizedApplications.md (added internal ref)
    • src/crypto-and-stego/blockchain-and-crypto-currencies.md (added internal ref)

References included in the new page:

  • Bunni V2 Exploit: $8.3M Drained via Liquidity Flaw (Medium summary)
  • Bunni V2 Exploit: Full Hack Analysis
  • Uniswap v4 background / Liquidity mechanics / Swap mechanics
  • Uniswap v4 Hooks and Security Considerations

No redundant content added:

  • Existing pages lacked this specific exploitation technique; the new page is focused and technical, contains code/pseudocode, precise steps, and mitigation/testing guidance.

If you want me to add more case studies or include concrete calldata/tx flows for the known transactions, I can extend the page further.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

@carlospolop
Copy link
Collaborator Author

🔗 Additional Context

Original Blog Post: https://quillaudits.medium.com/bunni-v2-exploit-8-3m-drained-50acbdcd9e7b

Content Categories: Based on the analysis, this content was categorized under "Blockchain & Crypto -> DeFi/AMM Exploitation (e.g., Uniswap v4 Hooks Rounding/Precision Abuse, Flash-Loan Amplified Threshold-Crossing Swaps)".

Repository Maintenance:

  • MD Files Formatting: 875 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions bot force-pushed the master branch 15 times, most recently from 4b54ccf to 74cc86a Compare September 8, 2025 06:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@carlospolop