WEB3-ONYX-2023

On September 2, 2025 Bunni, a liquidity manager built on Uniswap v4, was drained of roughly $8.4 million across Ethereum and Unichain (USDC, USDT, and weETH/ETH) through a rounding error in its withdrawal accounting amplified by flash loans. Bunni's Liquidity Distribution Function (LDF) tracks an 'idle balance' that is rebalanced on every swap, and the withdraw path rounded that balance in the wrong direction under specific conditions. The attacker flash-borrowed millions in USDT and executed a precisely sized sequence of swaps that pushed the pool's spot price back and forth across tick boundaries, triggering the faulty rounding repeatedly; each cycle let them withdraw more tokens than they burned in liquidity (in the USDC/USDT pool the idle balance fell 85.7% while liquidity fell only 84.4%, and that gap was the leak). The bug was application-specific accounting math, not an oracle or price-feed flaw. Unable to fund a secure relaunch, the Bunni team announced on October 23, 2025 that it was permanently shutting down, leaving withdrawals open and relicensing v2 from BUSL to MIT.

On May 14, 2024 Sonne Finance, a Compound v2 lending fork on Optimism, lost about $20 million when an attacker exploited a freshly created, low-liquidity VELO (Velodrome) market. Because market creation and the protective collateral-factor setup were split across timelocked permissionless transactions two days apart, the attacker acted inside the window before the market was safely seeded. The attacker minted the minimum amount of soVELO cTokens (1 wei) and then donated a large quantity of VELO directly to the soVELO contract, inflating totalCash while totalSupply stayed near zero. Since exchangeRate equals (totalCash + totalBorrows - totalReserves) / totalSupply, this empty-market rounding manipulation drove the cToken exchange rate up so the tiny share position was valued as enormous collateral. The attacker then borrowed roughly 265 WETH plus available USDC.e against the over-valued collateral, draining about $20M within about 25 minutes.

Disclosed publicly by OpenZeppelin on August 15, 2023 and leading the ERC-4626 audit checklists from Trail of Bits and Spearbit, this is the canonical tokenized-vault accounting bug, with real losses such as roughly $200K on early unprotected vaults. The attacker becomes the first depositor into an empty vault and mints 1 share for 1 wei of the underlying. The attacker then transfers (donates) a large amount of the underlying directly to the vault contract, bypassing the mint logic, so totalAssets rises while totalSupply stays at 1. A subsequent depositor's share count, computed as assets * totalSupply / totalAssets, rounds down to zero because their deposit is smaller than the inflated price-per-share. The attacker, still holding the only share, then redeems the entire balance including the victim's captured deposit. The root cause is integer division truncation in share pricing at low totalSupply combined with assets being increased by raw transfers.

On May 22, 2025 Cetus Protocol, the leading DEX on Sui, was drained of approximately $223M. The root cause was a flawed overflow check: the checked_shlw function in the integer-mate math library built its guard mask as 0xFFFFFFFFFFFFFFFF << 192 instead of 0x1 << 192, so values above 2^192 slipped past the check and the subsequent 64-bit left shift silently overflowed (left shifts do not abort in Move). The flaw lived in get_delta_a, which computes the tokens needed for a liquidity position; under the overflow the numerator wrapped to a tiny value, so the function demanded as little as 1 token unit for an enormous liquidity amount. Using flash swaps (borrowing ~10M haSUI), the attacker opened a tight-range position (ticks [300000, 300200]) and minted a massive amount of liquidity for a negligible deposit, then withdrew real pool reserves. Around $162M was frozen on-chain by Sui validators and eventually returned, while roughly $62M was bridged out to Ethereum. Cetus relaunched after recovering and replenishing affected pool liquidity.

In late March 2025 Abracadabra.Money lost about $13 million (roughly 6,260 ETH) on Arbitrum when an attacker abused the GMX V2 gmCauldrons that accept GMX GM liquidity tokens as collateral. GMX deposits are asynchronous, so the attacker submitted deposit orders with unsatisfiable minOut values that GMX rejected, returning the input USDC to the cauldron's order/router contract while the cauldron's accounting still counted that pending position as live collateral. Functions such as sendValueInCollateral removed real tokens during liquidation without clearing inputAmount/minOut state, so orderValueInCollateral kept reporting phantom collateral. Inside a single cook() batch the attacker borrowed MIM against this ghost collateral, self-liquidated to pull out the real returned tokens, and reborrowed, while the end-of-cook solvency check still read the stale inflated collateral value and passed. The accounting bypass let the attacker borrow against effectively non-existent collateral and extract MIM.

On February 12, 2025 zkLend, a money-market protocol on Starknet, lost about $9.5 million (roughly 61 wstETH) through an integer-division rounding exploit in its lending accumulator on an empty market. The attacker deposited 1 wei into an empty wstETH market where reserve balance and zToken supply were zero, then used repeated flash-loan borrow-and-repay cycles to inflate the lending_accumulator, computed as (reserve_balance + total_debt - amount_to_treasury) * 1e27 / ztoken_supply, to an extreme value around 4.069e45. Because zToken amounts are derived via amount * 1e27 / lending_accumulator using direct division that rounds down, the attacker could deposit a few wstETH yet mint only 1 zToken, and on withdrawal burn 1 zToken while pulling out more wstETH than deposited. Repeating this rounding asymmetry grew the raw balance and let the attacker drain wstETH and other assets across the protocol.