WEB3-COMPOUND-2021

On September 2, 2025 Bunni, a liquidity manager built on Uniswap v4, was drained of roughly $8.4 million across Ethereum and Unichain (USDC, USDT, and weETH/ETH) through a rounding error in its withdrawal accounting amplified by flash loans. Bunni's Liquidity Distribution Function (LDF) tracks an 'idle balance' that is rebalanced on every swap, and the withdraw path rounded that balance in the wrong direction under specific conditions. The attacker flash-borrowed millions in USDT and executed a precisely sized sequence of swaps that pushed the pool's spot price back and forth across tick boundaries, triggering the faulty rounding repeatedly; each cycle let them withdraw more tokens than they burned in liquidity (in the USDC/USDT pool the idle balance fell 85.7% while liquidity fell only 84.4%, and that gap was the leak). The bug was application-specific accounting math, not an oracle or price-feed flaw. Unable to fund a secure relaunch, the Bunni team announced on October 23, 2025 that it was permanently shutting down, leaving withdrawals open and relicensing v2 from BUSL to MIT.

On May 22, 2025 Cetus Protocol, the leading DEX on Sui, was drained of approximately $223M. The root cause was a flawed overflow check: the checked_shlw function in the integer-mate math library built its guard mask as 0xFFFFFFFFFFFFFFFF << 192 instead of 0x1 << 192, so values above 2^192 slipped past the check and the subsequent 64-bit left shift silently overflowed (left shifts do not abort in Move). The flaw lived in get_delta_a, which computes the tokens needed for a liquidity position; under the overflow the numerator wrapped to a tiny value, so the function demanded as little as 1 token unit for an enormous liquidity amount. Using flash swaps (borrowing ~10M haSUI), the attacker opened a tight-range position (ticks [300000, 300200]) and minted a massive amount of liquidity for a negligible deposit, then withdrew real pool reserves. Around $162M was frozen on-chain by Sui validators and eventually returned, while roughly $62M was bridged out to Ethereum. Cetus relaunched after recovering and replenishing affected pool liquidity.

In late March 2025 Abracadabra.Money lost about $13 million (roughly 6,260 ETH) on Arbitrum when an attacker abused the GMX V2 gmCauldrons that accept GMX GM liquidity tokens as collateral. GMX deposits are asynchronous, so the attacker submitted deposit orders with unsatisfiable minOut values that GMX rejected, returning the input USDC to the cauldron's order/router contract while the cauldron's accounting still counted that pending position as live collateral. Functions such as sendValueInCollateral removed real tokens during liquidation without clearing inputAmount/minOut state, so orderValueInCollateral kept reporting phantom collateral. Inside a single cook() batch the attacker borrowed MIM against this ghost collateral, self-liquidated to pull out the real returned tokens, and reborrowed, while the end-of-cook solvency check still read the stale inflated collateral value and passed. The accounting bypass let the attacker borrow against effectively non-existent collateral and extract MIM.

On May 14, 2024 Sonne Finance, a Compound v2 lending fork on Optimism, lost about $20 million when an attacker exploited a freshly created, low-liquidity VELO (Velodrome) market. Because market creation and the protective collateral-factor setup were split across timelocked permissionless transactions two days apart, the attacker acted inside the window before the market was safely seeded. The attacker minted the minimum amount of soVELO cTokens (1 wei) and then donated a large quantity of VELO directly to the soVELO contract, inflating totalCash while totalSupply stayed near zero. Since exchangeRate equals (totalCash + totalBorrows - totalReserves) / totalSupply, this empty-market rounding manipulation drove the cToken exchange rate up so the tiny share position was valued as enormous collateral. The attacker then borrowed roughly 265 WETH plus available USDC.e against the over-valued collateral, draining about $20M within about 25 minutes.

On November 23, 2023 KyberSwap Elastic was exploited across six chains for over $48M (>$20M Arbitrum, $15M Optimism, $7.5M Ethereum, $3M Polygon, $2M Base, ~$23K Avalanche). The root cause was a rounding-direction bug in the concentrated-liquidity math: estimateIncrementalLiquidity should have rounded delta liquidity up so the final price rounded down, but it used mulDivFloor and rounded delta liquidity down, pushing the computed sqrt price slightly past a tick boundary without legitimately crossing it. Using Aave flash loans, the attacker first swapped to park the price in a liquidity-empty region, calibrated a tight position, then performed extremely precise swaps so the price landed exactly on a tick's sqrt price. This forced _updateLiquidityAndCrossTick to register a crossing in computeSwapStep twice, double-counting the tick's liquidity on the reverse swap and paying out far more output than backed, draining the pools. The attacker later opened negotiations; most funds were not promptly recovered.

On November 1, 2023 Onyx Protocol, a Compound v2 lending fork on Ethereum, lost about $2.1 million, and the same unfixed bug class was exploited again in September 2024 for about $3.8 million. A newly added, unfunded oPEPE market was left with zero supply because the protocol skipped the standard practice of minting and burning initial cTokens. The attacker used an Aave/Balancer flash loan to mint a tiny amount of oPEPE in the empty market, then donated PEPE directly into the contract to inflate the cToken exchange rate, exploiting the rounding in exchangeRate at low totalSupply. With the artificially over-valued oPEPE counted as collateral, the attacker borrowed other assets and, on redemption, the truncation let them withdraw more value than they supplied, draining the protocol. The September 2024 repeat applied the same empty-market exchange-rate manipulation to a fresh VUSD/oETH market plus an NFTLiquidation input-validation flaw.