In brief
- Decentralized exchange Bunni announced its permanent shutdown Wednesday, saying it lacks the capital for a secure relaunch requiring six to seven figures in audit expenses alone.
- The September 2 hack drained $8.4 million through flash loan manipulation and rounding errors, with stolen funds remaining unmoved in Tornado Cash-funded wallets.
- Users can still withdraw assets, and Bunni pledged to distribute remaining treasury to token holders while relicensing its v2 contracts from BUSL to MIT.
Decentralized exchange Bunni has announced it is permanently shutting down following an $8.4 million hack last month, with founders saying they lack the capital needed for a secure relaunch that would cost six to seven figures in audit and monitoring expenses alone.
Bunni announced the permanent shutdown on Wednesday, citing insurmountable recovery costs following the attack that exploited the platform’s Liquidity Density Function across two pools, weETH/ETH on Unichain and USDC/USDT on Ethereum.
The attack drained approximately $8.4 million in total from the two pools, according to Bunni’s post-mortem report. The stolen funds were bridged to Ethereum following the exploit.
“It’d also take months of development & BD effort just to get Bunni back to where it was before the exploit, which we cannot afford,” the DEX tweeted. “Thus, we have decided it’s best to shut down Bunni.”
Users can continue withdrawing funds through the website while the team finalizes the legal process for treasury distribution, excluding its own members from the payout, the statement said.
“This hack shows the industry in no uncertain terms that custom liquidity logic needs exhaustive testing, as flash loans introduce low-risk exploits,” Kadan Stadelmann, Chief Technology Officer at Komodo Platform, told Decrypt.
“The exploit consisted of three steps: swap with flashloaned funds, a large number of tiny withdrawals, and then a sandwich attack,” the DEX noted in the post-mortem report.
Flash loans enable borrowing large amounts without collateral within a single transaction, while sandwich attacks profit from artificially manipulating prices around target trades.
The attacker first flashborrowed 3M USDT then made multiple swaps from USDT to USDC, and the spot price tick of the pool was pushed to 5000, corresponding to 1 USDC = 1.68 USDT, the report noted.
“The attacker’s use of flash loans is notable from an AML lens. Flash loans enable actors to access large amounts of liquidity without collateral and repay within a single transaction,” Dmitry Machikhin, CEO of BitOK, told Decrypt.
“Following the hack, it is highly likely the proceeds were layered across multiple chains to distance them from their illicit origin,” he added.
The exchange confirmed it plans to distribute remaining treasury assets to BUNNI, LIT, and veBUNNI holders based on a snapshot, pending legal validation.
“The Bunni v2 smart contracts have been relicensed from BUSL to MIT, enabling everyone to utilize our innovations such as LDFs, surge fees, and autonomous rebalancing,” the team noted, adding they hope their technological contributions will benefit the broader DeFi ecosystem.
Bunni noted it’s working with law enforcement to recover assets and has sent an on-chain message offering the attacker 10% of the stolen funds if the remainder is returned, an offer that went unanswered.
Bunni’s breach adds to 2025’s mounting crypto security crisis, with hackers stealing over $2 billion in digital assets this year, according to blockchain analytics firm Elliptic.
North Korea-linked hackers account for the majority of those losses, marking the largest annual total on record.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Source: https://decrypt.co/345621/decentralized-exchange-bunni-pulls-the-plug-following-8-4m-flash-loan-exploit
