🚨 Exploit Alert DEX @bunni_xyz on #Ethereum was hacked for ~$8.4M 👉 Smart contracts on all chains have been paused as investigations continue.
/
/
Bunni DEX exploited for $2.4M as liquidity flaw forces shutdown
Sep, 02, 2025
3 min read
by Rony Roy
for Invezz
Bunni, a multi-network decentralised exchange, was exploited for $2.4 million earlier today, forcing it to suspend operations as a countermeasure.
According to the project team, the exploit was identified in its Ethereum-based smart contracts, prompting the project to immediately suspend all protocol functions across supported networks.
“We have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience,” Bunni announced via a Sep. 1 X post.
Looking at on-chain data, the wallet used in the exploit showed that attackers siphoned off about $2.4 million in stablecoins, including $1.33 million in USDC and $1.04 million in USDT.
Yet, the picture may be grimmer than it first appears. Some estimates circulating among blockchain sleuths suggest the real losses could stretch well beyond that figure, with totals climbing upwards of $8 million. See below.
The stolen funds were then funnelled into two wallets, which is a familiar hallmark of coordinated DeFi exploits where liquidity is quickly consolidated.
Attackers targeted Bunni’s liquidity logic
As of press time, Bunni has yet to publish an official post-mortem of the incident, but developers and researchers who have begun preliminary reviews believe the attack stemmed from a flaw in Bunni’s Liquidity Distribution Function (LDF).
Unlike other DEXs like Uniswap’s standard model, Bunni uses this mechanism to optimise returns by distributing liquidity across price ranges.
According to Kyber Network co-founder Victor Tran, the attacker manipulated the curve by executing trades of very specific sizes that tricked the rebalancing logic into miscalculating how much each liquidity provider’s share was worth.
In practice, this allowed the exploiter to repeat the process multiple times without triggering alarms, gradually draining the pool.
Since no official post-mortem has been released, the community is waiting for clarity on whether this was an isolated coding oversight or a deeper architectural flaw.
DeFi exploits continue to rattle crypto investors
The incident also follows a string of vulnerabilities targeting emerging DeFi platforms.
Just months earlier, Four.Meme, a memecoin launchpad built on BNB Chain, was targeted in back-to-back exploits in February and March.
The March attack, carried out via a sandwich manipulation strategy, drained roughly $120,000, coming only weeks after a separate $183,000 loss.
Across the market, exploit activity has become almost a regular ordeal.
Over the past two months alone, the crypto industry has lost at least $300 million worth of funds.
July alone saw hackers make off with around $142 million across 17 incidents, with Indian crypto exchange CoinDCX suffering the heaviest blow due to a $44 million breach.
Losses climbed further in August to roughly $163 million spread across 16 separate incidents.
The single largest came when a Bitcoiner fell prey to a social engineering ruse, surrendering 783 BTC worth $91 million.
Turkish exchange Btcturk also reported a roughly $50 million loss, with the funds siphoned from its hot wallets the same month.
The post Bunni DEX exploited for $2.4M as liquidity flaw forces shutdown appeared first on Invezz
Read More
Bunni DEX exploited for $2.4M as liquidity flaw forces shutdown
Sep, 02, 2025
3 min read
by Rony Roy
for Invezz
Bunni, a multi-network decentralised exchange, was exploited for $2.4 million earlier today, forcing it to suspend operations as a countermeasure.
According to the project team, the exploit was identified in its Ethereum-based smart contracts, prompting the project to immediately suspend all protocol functions across supported networks.
“We have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience,” Bunni announced via a Sep. 1 X post.
Looking at on-chain data, the wallet used in the exploit showed that attackers siphoned off about $2.4 million in stablecoins, including $1.33 million in USDC and $1.04 million in USDT.
Yet, the picture may be grimmer than it first appears. Some estimates circulating among blockchain sleuths suggest the real losses could stretch well beyond that figure, with totals climbing upwards of $8 million. See below.
🚨 Exploit Alert DEX @bunni_xyz on #Ethereum was hacked for ~$8.4M 👉 Smart contracts on all chains have been paused as investigations continue.
The stolen funds were then funnelled into two wallets, which is a familiar hallmark of coordinated DeFi exploits where liquidity is quickly consolidated.
Attackers targeted Bunni’s liquidity logic
As of press time, Bunni has yet to publish an official post-mortem of the incident, but developers and researchers who have begun preliminary reviews believe the attack stemmed from a flaw in Bunni’s Liquidity Distribution Function (LDF).
Unlike other DEXs like Uniswap’s standard model, Bunni uses this mechanism to optimise returns by distributing liquidity across price ranges.
According to Kyber Network co-founder Victor Tran, the attacker manipulated the curve by executing trades of very specific sizes that tricked the rebalancing logic into miscalculating how much each liquidity provider’s share was worth.
In practice, this allowed the exploiter to repeat the process multiple times without triggering alarms, gradually draining the pool.
Since no official post-mortem has been released, the community is waiting for clarity on whether this was an isolated coding oversight or a deeper architectural flaw.
DeFi exploits continue to rattle crypto investors
The incident also follows a string of vulnerabilities targeting emerging DeFi platforms.
Just months earlier, Four.Meme, a memecoin launchpad built on BNB Chain, was targeted in back-to-back exploits in February and March.
The March attack, carried out via a sandwich manipulation strategy, drained roughly $120,000, coming only weeks after a separate $183,000 loss.
Across the market, exploit activity has become almost a regular ordeal.
Over the past two months alone, the crypto industry has lost at least $300 million worth of funds.
July alone saw hackers make off with around $142 million across 17 incidents, with Indian crypto exchange CoinDCX suffering the heaviest blow due to a $44 million breach.
Losses climbed further in August to roughly $163 million spread across 16 separate incidents.
The single largest came when a Bitcoiner fell prey to a social engineering ruse, surrendering 783 BTC worth $91 million.
Turkish exchange Btcturk also reported a roughly $50 million loss, with the funds siphoned from its hot wallets the same month.
The post Bunni DEX exploited for $2.4M as liquidity flaw forces shutdown appeared first on Invezz
Read More