
Bunni attributes $8.4 million flash loan exploit to smart contract rounding error

Source: PANews
PANews reported on September 5 that, according to The Block, the decentralized exchange Bunni has published a post-mortem on Tuesday's exploit, which cost it $8.4 million. The report states that the attack hit two liquidity pools: the weETH/ETH pool on Unichain and the USDC/USDT pool on Ethereum mainnet. The root cause was the rounding direction used when updating a pool's idle balances during user withdrawals. The attacker combined this error with a flash loan to manipulate the pool's price and liquidity.

First, the attacker flash-borrowed 3 million USDT and performed a series of swaps to push the price until only 28 wei of USDC remained available. Next, 44 small withdrawals, each exploiting the rounding error, drained the remaining USDC and collapsed the pool's total liquidity. Finally, the attacker executed a large swap to push the price up and then swapped back at the manipulated price.

Bunni said that each rounding operation is safe in isolation; the vulnerability arises only from their combination. The rounding code has been updated and withdrawals have been restored across chains, but deposits, swaps and other functions remain paused. The platform is working with law enforcement to trace funds sent to Tornado Cash and has offered the attacker a 10% bounty for returning them. Bunni also plans to improve its testing framework before fully and safely resuming operations.
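To make the "safe in isolation, unsafe in combination" point concrete, below is a simplified Python model added for this article. It is not Bunni's contract code, and the pool fields, the numbers (28 wei of idle balance, 1-share withdrawals) and the particular rounding direction are constructed for illustration only. Python integers are exact, so the arithmetic mirrors Solidity's mulDiv without overflow concerns. The model shows two "individually safe" roundings (a payout rounded down, and a recorded idle balance rounded down) whose difference lets repeated tiny withdrawals zero out the recorded idle balance that pricing logic reads while the actual tokens never move; it also goes beyond the article with a random property check that a reviewer would run against the fix.

```python
import random
from dataclasses import dataclass


def mul_div_down(a: int, b: int, d: int) -> int:
    """floor(a * b / d) with exact integers, like Solidity's mulDiv."""
    return a * b // d


@dataclass
class Pool:
    """Constructed model: one token side of an LP pool.

    reserve: tokens the pool actually holds (what a transfer moves)
    idle:    recorded idle balance that pricing/liquidity logic reads
    supply:  total LP shares outstanding
    """
    reserve: int
    idle: int
    supply: int

    def withdraw_vulnerable(self, shares: int) -> int:
        # Payout rounds DOWN: the user never receives more than pro rata.
        payout = mul_div_down(shares, self.idle, self.supply)
        self.reserve -= payout
        # Remaining idle also rounds DOWN, so the recorded balance never
        # overstates what is left. Each step alone is conservative, but
        # idle shrinks by ceil(shares*idle/supply) while the actual
        # reserve shrinks by floor(...): up to 1 wei of drift per call.
        self.idle = mul_div_down(self.idle, self.supply - shares, self.supply)
        self.supply -= shares
        return payout

    def withdraw_hardened(self, shares: int) -> int:
        # Derive the transfer and the bookkeeping from ONE rounded value,
        # so recorded and actual balances cannot diverge, and check it.
        payout = mul_div_down(shares, self.idle, self.supply)
        self.reserve -= payout
        self.idle -= payout
        self.supply -= shares
        assert self.idle == self.reserve, "accounting drift"
        return payout


def drain_recorded_idle(vulnerable: bool, idle: int = 28, supply: int = 10**18,
                        n: int = 28, shares: int = 1) -> tuple[int, int, int]:
    """Run n tiny withdrawals; return (actual reserve, recorded idle, total paid).

    With idle=28 and 1-share withdrawals the payout is always 0, yet the
    vulnerable update knocks 1 wei off the recorded idle balance each time.
    """
    pool = Pool(reserve=idle, idle=idle, supply=supply)
    paid = 0
    for _ in range(n):
        paid += (pool.withdraw_vulnerable(shares) if vulnerable
                 else pool.withdraw_hardened(shares))
    return pool.reserve, pool.idle, paid


def max_drift(vulnerable: bool, trials: int = 200, seed: int = 1) -> int:
    """Property check: worst |reserve - idle| over random withdrawal sequences."""
    rng = random.Random(seed)
    worst = 0
    for _ in range(trials):
        supply = rng.randint(2, 10**6)
        idle = rng.randint(1, 10**9)
        pool = Pool(reserve=idle, idle=idle, supply=supply)
        while pool.supply > 1:
            shares = rng.randint(1, pool.supply - 1)
            if vulnerable:
                pool.withdraw_vulnerable(shares)
            else:
                pool.withdraw_hardened(shares)
            worst = max(worst, abs(pool.reserve - pool.idle))
    return worst


if __name__ == "__main__":
    print("vulnerable:", drain_recorded_idle(True))   # recorded idle hits 0, tokens untouched
    print("hardened:  ", drain_recorded_idle(False))  # recorded idle stays 28
    print("max drift vulnerable/hardened:", max_drift(True), max_drift(False))
```

The practical lesson is the invariant, not the specific formula: any quantity the pricing logic reads must be derived from the same rounded value that the token transfer uses, and an accounting-drift assertion (or an equivalent fuzz property over long sequences of small operations) catches the divergence that unit tests of each rounding step in isolation will not.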