
Exploits

Bunni

On September 2, Bunni was exploited for ~$8.4m by a sophisticated attacker. Two pools were affected: weETH/ETH on Unichain and USDC/USDT on Ethereum.

Bunni Exploit Post Mortem

TL;DR: The attacker constructed an atomic liquidity increase and sandwich attacked it.

The key fault was a rounding direction that was safe in the context of a single operation but led to unsafe behavior as part of multiple operations.

    // decrease idle balance proportionally to the amount removed
    {
        (uint256 balance, bool isToken0) = IdleBalanceLibrary.fromIdleBalance(state.idleBalance);
        // mulDiv rounds down, so the amount subtracted is rounded down and the
        // remaining idle balance is effectively rounded up
        uint256 newBalance = balance - balance.mulDiv(shares, currentTotalSupply);
        if (newBalance != balance) {
            s.idleBalance[poolId] = newBalance.toIdleBalance(isToken0);
        }
    }
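To make the "safe alone, unsafe composed" point concrete, the following is an added Python model of the quoted idle-balance update (not Bunni's code, and not its fix). It mirrors the round-down `mulDiv` and compares one burn of N shares against the same N shares burned as many sequential smaller burns, using constructed toy numbers chosen small enough to make the drift visible; `rounding_drift` is the invariant check a reviewer would add to a test suite.

```python
# Added example (not Bunni's code): shows why a per-operation rounding
# direction can be unsafe once the operation is split and repeated.

def mul_div(a: int, n: int, d: int) -> int:
    """Solidity-style mulDiv: floor(a * n / d), exact with Python ints."""
    return (a * n) // d


def decrease_idle_balance(balance: int, shares: int, total_supply: int) -> int:
    """Mirror of the quoted snippet: the removed amount is rounded down,
    so the remaining idle balance is effectively rounded up."""
    return balance - mul_div(balance, shares, total_supply)


def burn_single(balance: int, total_supply: int, shares: int) -> int:
    """One burn of `shares` out of `total_supply`."""
    return decrease_idle_balance(balance, shares, total_supply)


def burn_split(balance: int, total_supply: int, shares: int, chunks: int) -> int:
    """The same `shares` burned as `chunks` sequential burns. Supply shrinks
    after each burn, exactly as the live contract state would."""
    per_chunk, remainder = divmod(shares, chunks)
    for i in range(chunks):
        s = per_chunk + (remainder if i == chunks - 1 else 0)
        balance = decrease_idle_balance(balance, s, total_supply)
        total_supply -= s
    return balance


def rounding_drift(balance: int, total_supply: int, shares: int, chunks: int) -> int:
    """Idle balance retained by the split path beyond the single-op path.
    Sound accounting keeps this bounded by a few wei per operation; a value
    that grows with the number of operations is the compositional rounding
    fault described above."""
    single = burn_single(balance, total_supply, shares)
    split = burn_split(balance, total_supply, shares, chunks)
    return split - single


if __name__ == "__main__":
    # Constructed toy values: idle balance of 100 units, 1000 shares
    # outstanding, 500 shares burned (tiny numbers exaggerate the effect).
    BAL, SUPPLY, SHARES = 100, 1000, 500
    print("single burn leaves", burn_single(BAL, SUPPLY, SHARES))           # 50
    print("500 one-share burns leave", burn_split(BAL, SUPPLY, SHARES, 500)) # 100
    print("drift", rounding_drift(BAL, SUPPLY, SHARES, 500))               # 50
```

With these inputs each one-share burn removes floor(100/1000) = 0 from the idle balance, so 500 of them remove nothing while one 500-share burn removes 50; when `balance == total_supply` the drift is 0, which is why a single-case test would not catch it.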

Cork

Cork Exploit Post Mortem

SlowMist Exploit Analysis

Exploit overview:

At 11:39 UTC on May 28, Cork Protocol experienced an exploit resulting in the extraction of 3,761 wstETH from the wstETH:weETH market.

The attacker targeted two sophisticated edge cases:

• Vector 1: Manipulated rollover pricing just before expiry, buying 3,761 Cover Tokens for only 0.000002 wstETH.

• Vector 2: Deployed a malicious hook to bypass validation in Cork Hook & FlashSwapRouter, draining 3,761 wstETH from the PSM.
