WEB3-CETUS-2025

On November 23, 2023 KyberSwap Elastic was exploited across six chains for over $48M (>$20M Arbitrum, $15M Optimism, $7.5M Ethereum, $3M Polygon, $2M Base, ~$23K Avalanche). The root cause was a rounding-direction bug in the concentrated-liquidity math: estimateIncrementalLiquidity should have rounded delta liquidity up so the final price rounded down, but it used mulDivFloor and rounded delta liquidity down, pushing the computed sqrt price slightly past a tick boundary without legitimately crossing it. Using Aave flash loans, the attacker first swapped to park the price in a liquidity-empty region, calibrated a tight position, then performed extremely precise swaps so the price landed exactly on a tick's sqrt price. This forced _updateLiquidityAndCrossTick to register a crossing in computeSwapStep twice, double-counting the tick's liquidity on the reverse swap and paying out far more output than backed, draining the pools. The attacker later opened negotiations; most funds were not promptly recovered.

On September 2, 2025 Bunni, a liquidity manager built on Uniswap v4, was drained of roughly $8.4 million across Ethereum and Unichain (USDC, USDT, and weETH/ETH) through a rounding error in its withdrawal accounting amplified by flash loans. Bunni's Liquidity Distribution Function (LDF) tracks an 'idle balance' that is rebalanced on every swap, and the withdraw path rounded that balance in the wrong direction under specific conditions. The attacker flash-borrowed millions in USDT and executed a precisely sized sequence of swaps that pushed the pool's spot price back and forth across tick boundaries, triggering the faulty rounding repeatedly; each cycle let them withdraw more tokens than they burned in liquidity (in the USDC/USDT pool the idle balance fell 85.7% while liquidity fell only 84.4%, and that gap was the leak). The bug was application-specific accounting math, not an oracle or price-feed flaw. Unable to fund a secure relaunch, the Bunni team announced on October 23, 2025 that it was permanently shutting down, leaving withdrawals open and relicensing v2 from BUSL to MIT.

In late March 2025 Abracadabra.Money lost about $13 million (roughly 6,260 ETH) on Arbitrum when an attacker abused the GMX V2 gmCauldrons that accept GMX GM liquidity tokens as collateral. GMX deposits are asynchronous, so the attacker submitted deposit orders with unsatisfiable minOut values that GMX rejected, returning the input USDC to the cauldron's order/router contract while the cauldron's accounting still counted that pending position as live collateral. Functions such as sendValueInCollateral removed real tokens during liquidation without clearing inputAmount/minOut state, so orderValueInCollateral kept reporting phantom collateral. Inside a single cook() batch the attacker borrowed MIM against this ghost collateral, self-liquidated to pull out the real returned tokens, and reborrowed, while the end-of-cook solvency check still read the stale inflated collateral value and passed. The accounting bypass let the attacker borrow against effectively non-existent collateral and extract MIM.

On June 2, 2024, the DEX Velocore was drained of about $6.8 million from its constant-product (volatile) pools on Linea and zkSync Era. The root cause combined a missing access-control modifier with an unchecked arithmetic underflow in the ConstantProductPool fee math: velocore__execute performed Vault-only state changes but had no onlyVault check, so anyone could call it directly. The pool's feeMultiplier, which increases per withdrawal and resets each block to deter free swaps, fed an effective fee computed as fee1e9 * feeMultiplier / 1e9 with no upper bound and inside an unchecked block. By repeatedly invoking velocore__execute to inflate feeMultiplier, the attacker drove effectiveFee1e9 above 100% (> 1e9), so the growth term 1e18 - ((1e18 - k) * effectiveFee1e9) / 1e9 underflowed and wrapped to a huge unsigned value, causing a small single-token withdrawal to be accounted as a massive deposit and mint excessive LP tokens. Linea controversially paused its sequencer for about an hour to stop the remaining funds from bridging out.

On May 14, 2024 Sonne Finance, a Compound v2 lending fork on Optimism, lost about $20 million when an attacker exploited a freshly created, low-liquidity VELO (Velodrome) market. Because market creation and the protective collateral-factor setup were split across timelocked permissionless transactions two days apart, the attacker acted inside the window before the market was safely seeded. The attacker minted the minimum amount of soVELO cTokens (1 wei) and then donated a large quantity of VELO directly to the soVELO contract, inflating totalCash while totalSupply stayed near zero. Since exchangeRate equals (totalCash + totalBorrows - totalReserves) / totalSupply, this empty-market rounding manipulation drove the cToken exchange rate up so the tiny share position was valued as enormous collateral. The attacker then borrowed roughly 265 WETH plus available USDC.e against the over-valued collateral, draining about $20M within about 25 minutes.

On November 1, 2023 Onyx Protocol, a Compound v2 lending fork on Ethereum, lost about $2.1 million, and the same unfixed bug class was exploited again in September 2024 for about $3.8 million. A newly added, unfunded oPEPE market was left with zero supply because the protocol skipped the standard practice of minting and burning initial cTokens. The attacker used an Aave/Balancer flash loan to mint a tiny amount of oPEPE in the empty market, then donated PEPE directly into the contract to inflate the cToken exchange rate, exploiting the rounding in exchangeRate at low totalSupply. With the artificially over-valued oPEPE counted as collateral, the attacker borrowed other assets and, on redemption, the truncation let them withdraw more value than they supplied, draining the protocol. The September 2024 repeat applied the same empty-market exchange-rate manipulation to a fresh VUSD/oETH market plus an NFTLiquidation input-validation flaw.