Introduction to BetterBank Protocol
On Aug 27, BetterBank on PulseChain was drained for about $5M. The root mistake was privilege control around minting and supply management. An attacker gained a path to create value without proper checks, inflated supply, then swapped out into liquid assets and exited while balances and limits failed to stop the flow.
On Sep 2, Bunni v2 built on Uniswap v4 lost about $8.3M. The weakness lived in hook logic and accounting. By steering calls through a v4 hook at carefully chosen moments, the attacker broke expected invariants around liquidity updates and deltas, turning bookkeeping gaps into real withdrawals.
This post walks both incidents end to end — what each protocol intended to guarantee, what preconditions the attacker needed, the exact call traces that moved state in their favor, and the minimal fixes that would have closed the doors — stricter role gates and supply caps for BetterBank, and hook-safe accounting, delta checks, and reentrancy boundaries for Bunni v2.
BetterBank Exploit
BetterBank is a DeFi protocol that reimagines lending, borrowing, and wealth generation on PulseChain with two native token types: Esteem (`$ESTEEM`), the primary governance and ownership token, and Favor (initially `$PDAIF`, `$PLSF`, and `$PLSXF`), designed to power the lending and borrowing ecosystem.
Esteem Token
- Holding and staking Esteem enables Favor issuance.
- Users can mint Esteem at a perpetually increasing price.
- Purchasing Favor rewards users with an Esteem bonus equal to 44% of the Favor purchase value.
- Depositors in BetterBank’s Stronghold lending pools receive Esteem as a reward for supplying liquidity.
Favor Token
- Favor is minted through staking Esteem. The rate of minting is market-driven, meaning Favor supply growth expands when demand is high and contracts when demand is low.
- Favor’s daily minting rate varies based on its ratio to its paired asset; if a Favor type trades at 3x its paired asset or more, 3% of its total supply is minted.
- Since Esteem is illiquid, users may choose to smelt (burn) their Esteem for 70% of its value in (newly minted) Favor tokens of their choice.
Hack Analysis
The attacker abused BetterBank’s automated distribution system: by purchasing Favor he earned Esteem rewards worth 44% of the Favor purchase value, on top of Favor's daily minting rate, and drained 891M DAI, 9.05B PLSX, and 7.40B WPLS.
First, he created 3 malicious contracts:
- First Contract
  - EOA: 0x48c9f537f3f1a2c95c46891332E05dA0D268869B
  - Tx Hash: 0x9c7237a00fa276c5f10ca1c61d6821869a7fdcd1ade8059729cdc35c9ff7689a
  - Contract Address: 0x18Dd9E3F039F319c854c389fC87b5295d3cb7f94
- Second Contract
  - EOA: 0x48c9f537f3f1a2c95c46891332E05dA0D268869B
  - Tx Hash: 0xc651656d2f94476374ee1de240f6bcf4572a5fe732db92d319573a1727409f82
  - Contract Address: 0x767C5a70CDa0D9469ccE3a56653E1d170D9849c3
- Third Contract
  - EOA: 0x48c9f537f3f1a2c95c46891332E05dA0D268869B
  - Tx Hash: 0x74534b1f86a63c6c722d5845f2b4c08867c2e66b922a6c95cd6b4290664c19bd
  - Contract Address: 0x792CDc4adcF6b33880865a200319ecbc496e98f8
Second, with the first contract, the attacker took a flash loan from BetterBank’s DAI-PDAIF pair, borrowing 50M DAI and 7.14B PLP tokens.
Third, using the 7.14B PLP he had borrowed, the attacker called `removeLiquidity` on `PulseXRouter02`, pulling 1B DAI and 500M PDAIF out of the real DAI-PDAIF pool.
Fourth, the attacker created a fake token, minted a quintillion units of it, and created a new fake-token/PDAIF pool on PulseXFactory, adding only minimal fake-token liquidity against the drained PDAIF.
Fifth, the attacker executed several swaps in that fake pool to simulate high trading volume and trigger Esteem reward minting multiple times.
Sixth, the attacker converted all Esteem rewards into almost 3.8B PDAIF, inflating the PDAIF token supply.
Seventh, the attacker used part of the PDAIF gains to add liquidity to the DAI-PDAIF pool, about 1.09B DAI and 501M PDAIF, leaving the pool imbalanced with excess PDAIF.
Eighth, the attacker exploited the imbalance he had created in the DAI-PDAIF pool to swap the surplus PDAIF for 891M DAI, repaid the original DAI and PLP flash loan to BetterBank, and retained around 891M DAI.
The attacker then repeated the same scheme and retained around 9B PLSX and 7.4B WPLS.
How this Exploit Can be Avoided
- Interchangeable rewards mechanism: Esteem reward holders can convert it into newly minted Favor, so unchecked Esteem rewards turn directly into Favor supply inflation.
- Flawed reward logic in `SwapExactTokensForFavorAndTrackBonus`: it only verifies that the swap output is Favor, which triggers Esteem minting as a reward, but it does not validate whether the swap took place through a legitimate pool.
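The fragment below is an added illustration of the gate the second point calls for, written for this post and not BetterBank's deployed code. It puts the vulnerable shape (only "is the output Favor?") beside a hardened one that also requires the purchase to have been paid in the Favor's designated paired asset, inside the pair the canonical factory created for that combination, and that bounds bonus issuance per epoch. The contract name `FavorRewardGate`, the function `trackBonus`, the interfaces, and the 3%-per-day cap are assumptions; only the 44% bonus figure comes from the post, and `getPair` is the standard Uniswap-v2-style factory lookup that PulseX follows.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not BetterBank's code. Minimal Uniswap-v2-style interfaces
// (PulseX follows this ABI); all names and the epoch cap are assumptions.
interface IPulseXFactory {
    function getPair(address tokenA, address tokenB) external view returns (address);
}

interface IMintableToken {
    function totalSupply() external view returns (uint256);
    function mint(address to, uint256 amount) external;
}

contract FavorRewardGate {
    uint256 public constant BPS = 10_000;
    uint256 public constant BONUS_BPS = 4_400;   // 44% Esteem bonus on Favor purchases (figure from the post)
    uint256 public constant EPOCH_CAP_BPS = 300; // assumed: bonus Esteem per Favor type <= 3% of Esteem supply per epoch
    uint256 public constant EPOCH = 1 days;

    IPulseXFactory public immutable factory;     // canonical PulseX factory, fixed at deploy
    IMintableToken public immutable esteem;

    mapping(address => bool) public isFavor;         // PDAIF, PLSF, PLSXF
    mapping(address => address) public pairedAsset;  // favor => its paired asset (DAI, WPLS, PLSX)
    mapping(address => uint256) public epochStart;   // favor => start of the current issuance window
    mapping(address => uint256) public epochMinted;  // favor => bonus Esteem minted in that window

    constructor(address _factory, address _esteem) {
        factory = IPulseXFactory(_factory);
        esteem = IMintableToken(_esteem);
    }

    // Shown without access control to keep the example short; in a real
    // deployment registration must be restricted to governance.
    function registerFavor(address favor, address paired) external {
        isFavor[favor] = true;
        pairedAsset[favor] = paired;
    }

    // VULNERABLE shape described in the post: the only question asked is
    // "did the swap produce Favor?", so a swap of an attacker-created token
    // against PDAIF in an attacker-created pool still earns the bonus.
    function vulnerableGate(address tokenOut) public view returns (bool) {
        return isFavor[tokenOut];
    }

    // HARDENED shape: the bonus is paid only when Favor was bought with its
    // designated paired asset, in the pair the canonical factory created for
    // exactly that (paired asset, Favor) combination. A fake token fails the
    // paired-asset check; a non-factory pool fails the getPair check.
    function hardenedGate(address tokenIn, address tokenOut, address pair) public view returns (bool) {
        if (!isFavor[tokenOut]) return false;
        if (tokenIn != pairedAsset[tokenOut]) return false;
        return pair == factory.getPair(tokenIn, tokenOut);
    }

    // Per-epoch budget for bonus issuance, tracked per Favor type. Bounds the
    // damage even if a gate is bypassed or a pool price is manipulated.
    function _consumeAllowance(address favor, uint256 amount) internal {
        if (block.timestamp >= epochStart[favor] + EPOCH) {
            epochStart[favor] = block.timestamp;
            epochMinted[favor] = 0;
        }
        uint256 cap = esteem.totalSupply() * EPOCH_CAP_BPS / BPS;
        require(epochMinted[favor] + amount <= cap, "epoch issuance cap");
        epochMinted[favor] += amount;
    }

    // Called by the router after a Favor purchase (caller restriction omitted
    // here). `amountIn` is denominated in the paired asset and stands in for
    // "purchase value"; a production contract would price it through a
    // manipulation-resistant oracle rather than trusting the pool's spot rate.
    function trackBonus(address tokenIn, uint256 amountIn, address tokenOut, address pair, address to) external {
        require(hardenedGate(tokenIn, tokenOut, pair), "swap not in canonical pool");
        uint256 bonus = amountIn * BONUS_BPS / BPS;
        _consumeAllowance(tokenOut, bonus);
        esteem.mint(to, bonus);
    }
}
```

The two checks address the two root causes separately: `hardenedGate` removes the self-dealing path (rewards for swaps in a pool the attacker controls), while `_consumeAllowance` limits how much reward any path can issue per day, so a bypassed gate cannot be turned into unbounded Esteem and, through smelting, unbounded Favor.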
References and Related Links
- BetterBank Custom Contracts: GitHub
- Tx Hash of Attacker's First Contract Creation: PulseChain Explorer
- Tx Hash of Attacker's Second Contract Creation: PulseChain Explorer
- Tx Hash of Attacker's Third Contract Creation: PulseChain Explorer
- List of Attacker's Token Transfers: PulseChain Explorer
- ESTEEM Contract: PulseChain Explorer
- PulseXRouter02: PulseChain Explorer
- DAI Contract: PulseChain Explorer
- Wrapper PLS Contract: PulseChain Explorer
- PulseX Contract: PulseChain Explorer
- BetterBank Documentations: Docs