DeFi Alert: Bunni Exploited for $2.4M After Liquidity Manipulation
Decentralized exchange Bunni has fallen victim to a smart contract exploit, losing roughly $2.4 million in stablecoins after attackers manipulated its custom liquidity logic.
The exploit targeted Bunni's Ethereum-based contracts, draining funds into an address now holding $1.33M USDC and $1.04M USDT.
Bunni Confirms Breach
The Bunni team acknowledged the incident on X:
"The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating."
Core contributor @Psaul26ix urged users:
"If you have money on Bunni, remove it ASAP."
How the Hack Worked
Bunni, built on Uniswap v4, uses a custom Liquidity Distribution Function (LDF) instead of Uniswap's standard system.
According to Victor Tran (KyberNetwork), the attacker exploited flaws in the LDF by executing trades of very specific sizes, tricking the system into miscalculating liquidity provider shares.
This allowed them to gradually drain funds without triggering immediate alarms.
Bounty on the Table
In an onchain message, Bunni's team has offered the attacker a 10% white-hat bounty if the stolen funds are returned.
Wider Context: Hacks Rising
August saw $163M stolen across 16 crypto hacks, up 15% from July.
Hackers are shifting strategies, with larger exploits targeting centralized exchanges and high-value individuals.
The biggest loss came from a $91M social engineering scam targeting a single Bitcoiner.
Takeaway: This exploit highlights the risks of custom DeFi mechanisms. Even well-intentioned optimizations like Bunni's LDF can open dangerous attack surfaces.
If you used Bunni, withdraw funds immediately and stay alert for updates.