TL;DR:
- Bunni shuts down after losing $8.4M in a flash loan exploit.
- The protocol opens its remaining $2M treasury to affected users.
- The hack highlights ongoing DeFi security risks and lack of safeguards.
The decentralized finance (DeFi) platform Bunni has announced it will permanently shut down after suffering an $8.4 million flash loan exploit, marking one of the latest blows to the DeFi ecosystem still grappling with persistent security flaws.
The protocol, built on Ethereum and known for its liquidity management tools, confirmed that the exploit drained most of its on-chain assets, leaving the team unable to recover operations. According to its statement, Bunni will now focus on compensating affected users by opening its remaining treasury and liquidity pools for withdrawal.
Exploit Drains Liquidity, Forces Bunni to Cease Operations
Blockchain security firm PeckShield identified the attack as a flash loan exploit, where the hacker manipulated Bunni’s liquidity positions to extract millions in seconds. The incident exploited a vulnerability in how Bunni calculated token prices and collateral ratios, allowing the attacker to drain funds from multiple pools without triggering safeguards.
The hacker reportedly used Tornado Cash to launder the stolen assets, making recovery efforts nearly impossible. Bunni’s decision to dissolve the protocol reflects both the scale of the financial loss and the erosion of user trust that followed. In its farewell note, the team said, “We take full responsibility for the exploit and will ensure transparency as we return remaining funds.”
Following the hack, Bunni disabled new deposits and trading activity while urging users to withdraw any remaining assets. The protocol’s treasury, worth roughly $2 million post-hack, will be distributed proportionally among impacted liquidity providers.
This closure echoes a broader pattern within DeFi, where vulnerabilities in complex smart contracts continue to expose investors to losses. Flash loan exploits, despite being known since 2020, remain a major attack vector, with total stolen funds in 2025 already surpassing $600 million across protocols, according to on-chain data analysts.
The end of Bunni underscores the fragility of decentralized systems that lack sufficient audit coverage and risk management. As DeFi expands, the incident serves as another reminder that innovation without robust security can quickly unravel even the most promising projects.
