WEB3-BUNNI-2025

On May 14, 2024 Sonne Finance, a Compound v2 lending fork on Optimism, lost about $20 million when an attacker exploited a freshly created, low-liquidity VELO (Velodrome) market. Because market creation and the protective collateral-factor setup were split across timelocked permissionless transactions two days apart, the attacker acted inside the window before the market was safely seeded. The attacker minted the minimum amount of soVELO cTokens (1 wei) and then donated a large quantity of VELO directly to the soVELO contract, inflating totalCash while totalSupply stayed near zero. Since exchangeRate equals (totalCash + totalBorrows - totalReserves) / totalSupply, this empty-market rounding manipulation drove the cToken exchange rate up so the tiny share position was valued as enormous collateral. The attacker then borrowed roughly 265 WETH plus available USDC.e against the over-valued collateral, draining about $20M within about 25 minutes.

On November 1, 2023 Onyx Protocol, a Compound v2 lending fork on Ethereum, lost about $2.1 million, and the same unfixed bug class was exploited again in September 2024 for about $3.8 million. A newly added, unfunded oPEPE market was left with zero supply because the protocol skipped the standard practice of minting and burning initial cTokens. The attacker used an Aave/Balancer flash loan to mint a tiny amount of oPEPE in the empty market, then donated PEPE directly into the contract to inflate the cToken exchange rate, exploiting the rounding in exchangeRate at low totalSupply. With the artificially over-valued oPEPE counted as collateral, the attacker borrowed other assets and, on redemption, the truncation let them withdraw more value than they supplied, draining the protocol. The September 2024 repeat applied the same empty-market exchange-rate manipulation to a fresh VUSD/oETH market plus an NFTLiquidation input-validation flaw.

Disclosed publicly by OpenZeppelin on August 15, 2023 and leading the ERC-4626 audit checklists from Trail of Bits and Spearbit, this is the canonical tokenized-vault accounting bug, with real losses such as roughly $200K on early unprotected vaults. The attacker becomes the first depositor into an empty vault and mints 1 share for 1 wei of the underlying. The attacker then transfers (donates) a large amount of the underlying directly to the vault contract, bypassing the mint logic, so totalAssets rises while totalSupply stays at 1. A subsequent depositor's share count, computed as assets * totalSupply / totalAssets, rounds down to zero because their deposit is smaller than the inflated price-per-share. The attacker, still holding the only share, then redeems the entire balance including the victim's captured deposit. The root cause is integer division truncation in share pricing at low totalSupply combined with assets being increased by raw transfers.

On May 22, 2025 Cetus Protocol, the leading DEX on Sui, was drained of approximately $223M. The root cause was a flawed overflow check: the checked_shlw function in the integer-mate math library built its guard mask as 0xFFFFFFFFFFFFFFFF << 192 instead of 0x1 << 192, so values above 2^192 slipped past the check and the subsequent 64-bit left shift silently overflowed (left shifts do not abort in Move). The flaw lived in get_delta_a, which computes the tokens needed for a liquidity position; under the overflow the numerator wrapped to a tiny value, so the function demanded as little as 1 token unit for an enormous liquidity amount. Using flash swaps (borrowing ~10M haSUI), the attacker opened a tight-range position (ticks [300000, 300200]) and minted a massive amount of liquidity for a negligible deposit, then withdrew real pool reserves. Around $162M was frozen on-chain by Sui validators and eventually returned, while roughly $62M was bridged out to Ethereum. Cetus relaunched after recovering and replenishing affected pool liquidity.

In late March 2025 Abracadabra.Money lost about $13 million (roughly 6,260 ETH) on Arbitrum when an attacker abused the GMX V2 gmCauldrons that accept GMX GM liquidity tokens as collateral. GMX deposits are asynchronous, so the attacker submitted deposit orders with unsatisfiable minOut values that GMX rejected, returning the input USDC to the cauldron's order/router contract while the cauldron's accounting still counted that pending position as live collateral. Functions such as sendValueInCollateral removed real tokens during liquidation without clearing inputAmount/minOut state, so orderValueInCollateral kept reporting phantom collateral. Inside a single cook() batch the attacker borrowed MIM against this ghost collateral, self-liquidated to pull out the real returned tokens, and reborrowed, while the end-of-cook solvency check still read the stale inflated collateral value and passed. The accounting bypass let the attacker borrow against effectively non-existent collateral and extract MIM.

On February 12, 2025 zkLend, a money-market protocol on Starknet, lost about $9.5 million (roughly 61 wstETH) through an integer-division rounding exploit in its lending accumulator on an empty market. The attacker deposited 1 wei into an empty wstETH market where reserve balance and zToken supply were zero, then used repeated flash-loan borrow-and-repay cycles to inflate the lending_accumulator, computed as (reserve_balance + total_debt - amount_to_treasury) * 1e27 / ztoken_supply, to an extreme value around 4.069e45. Because zToken amounts are derived via amount * 1e27 / lending_accumulator using direct division that rounds down, the attacker could deposit a few wstETH yet mint only 1 zToken, and on withdrawal burn 1 zToken while pulling out more wstETH than deposited. Repeating this rounding asymmetry grew the raw balance and let the attacker drain wstETH and other assets across the protocol.