DeFi Protocol Bunni Exploited, $8.4M Drained From Liquidity Pools

TL;DR

  • Exploit Scale: Bunni lost $8.4M after a precision bug let an attacker drain liquidity pools on Ethereum and Unichain.
  • Attack Method: The hacker manipulated liquidity distribution calculations with specific trade sizes to withdraw excess LP tokens.
  • Security Concerns: Despite prior audits, the breach raises questions about ongoing code review and DeFi platform resilience.

Decentralized exchange protocol Bunni, built on top of Uniswap, has suffered a major security breach resulting in $8.4 million in losses. The exploit, identified by multiple blockchain security firms, targeted a precision bug in the platform’s liquidity distribution function, allowing the attacker to drain funds from liquidity pools across Ethereum and Unichain.

Rapid Detection and Contract Suspension

The incident came to light when audit firm BlockSec flagged suspicious transactions involving approximately $2.3 million on Ethereum. Within two hours, Bunni confirmed the breach and paused all smart contract functions across every supported network as a precaution. Further investigations by Hacken revealed an extra $6 million loss on Unichain, which is Uniswap’s own network, raising the total stolen amount to $8.4 million. The compromised funds remain in two known wallet addresses linked to the attacker.

Technical Flaw in Liquidity Distribution

According to KyberSwap CEO Victor Tran, the vulnerability stemmed from a flaw in Bunni’s liquidity distribution function curve. The attacker executed trades of highly specific sizes to manipulate the rebalancing calculation, producing incorrect results for liquidity provider share allocations. By repeating this process, the exploiter was able to withdraw excess LP tokens and systematically empty Bunni’s liquidity reserves.
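The following is an illustrative model added here, not Bunni's code or anything from the article: it shows the general bug class the report names, a single integer-rounding step that favours the caller, so that repeated deposit/redeem cycles of a chosen size mint excess LP shares, next to the hardened rounding direction and an invariant a monitor can check. The `Pool` class, its numbers and the dust-deposit check are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed toy share-accounting model (not Bunni's code). One rounding
# step in the caller's favour lets carefully sized deposit/redeem cycles
# pull out more than was put in; the hardened variant rounds for the pool.

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

@dataclass
class Pool:
    reserve: int        # underlying tokens held (integer base units, as on-chain)
    total_shares: int   # LP tokens outstanding
    hardened: bool      # True: every rounding step favours the pool

    def deposit(self, amount: int) -> int:
        num = amount * self.total_shares
        # Buggy direction: ceil hands out a whole share for a dust deposit.
        shares = num // self.reserve if self.hardened else ceil_div(num, self.reserve)
        if self.hardened and shares == 0:
            raise ValueError("deposit too small to mint a share")  # reject dust
        self.reserve += amount
        self.total_shares += shares
        return shares

    def withdraw(self, shares: int) -> int:
        amount = shares * self.reserve // self.total_shares  # floor: favours the pool
        self.reserve -= amount
        self.total_shares -= shares
        return amount

def cycle_profit(pool: Pool, amount: int, rounds: int) -> int:
    """Deposit `amount`, redeem the minted shares at once, repeat; return caller's net gain."""
    net = 0
    for _ in range(rounds):
        minted = pool.deposit(amount)
        net += pool.withdraw(minted) - amount
    return net

def share_value_held(before: Pool, after: Pool) -> bool:
    """Invariant worth monitoring: value per LP share must never fall.
    Cross-multiplied to stay in integers (reserve/shares after >= before)."""
    return after.reserve * before.total_shares >= before.reserve * after.total_shares

if __name__ == "__main__":
    buggy, start = Pool(1000, 100, hardened=False), Pool(1000, 100, hardened=False)
    print("buggy rounding, 3 one-unit cycles, caller net:", cycle_profit(buggy, 1, 3))  # 24
    print("share value preserved:", share_value_held(start, buggy))                    # False
    fixed, start = Pool(1000, 100, hardened=True), Pool(1000, 100, hardened=True)
    print("hardened, 3 fifteen-unit cycles, caller net:", cycle_profit(fixed, 15, 3))  # -15
    print("share value preserved:", share_value_held(start, fixed))                    # True
```

The cross-multiplied share-value check is the kind of invariant an off-chain monitor can evaluate after every block to flag drift like this before a pool is emptied.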

Audit History and Unanswered Questions

Bunni’s codebase had previously undergone reviews by respected security firms, including Trail of Bits and Cyfrin, with several reports noting critical findings. It remains unclear whether the exploited bug was identified in those audits or introduced later. The attacker’s transactions left over 1,000 event logs, some containing comments like “Depositing to Euler” and “Unlock Callback,” offering investigators detailed breadcrumbs into the exploit’s execution.

Broader DeFi Security Context

In the wake of the breach, Euler co-founder Michael Bentley clarified that while Bunni rebalances funds in and out of Euler, the $1.5 billion lending protocol was unaffected. In March 2023, Euler was hacked for $200 million, highlighting the ongoing risks in DeFi. The Bunni exploit adds to a growing list of incidents highlighting the need for rigorous, ongoing security measures in decentralized finance platforms.
