Bunni DEX Loses $8.4 Million in Sophisticated Smart Contract Attack

The attack targeted Bunni’s innovative Liquidity Distribution Function (LDF), a specialized mechanism the platform uses instead of standard Uniswap protocols. Within hours of detecting the breach, Bunni’s team suspended all smart contract operations across multiple blockchain networks as a safety measure.

How the Attack Unfolded

The exploit centered on Bunni’s custom LDF system, which manages how liquidity gets distributed across different price ranges. This system was designed to boost returns for liquidity providers, but hackers found a way to manipulate it.

Victor Tran, co-founder of KyberNetwork, explained the attack method on social media. The hacker executed trades using very specific amounts that confused Bunni’s rebalancing calculations. These carefully chosen trade sizes caused the system to miscalculate how much each liquidity provider should own from the pool.

By repeating this process multiple times, the attacker gradually withdrew more tokens than they were entitled to. The stolen funds totaled approximately $2.4 million from Ethereum and $6 million from Unichain, Uniswap’s layer-2 network. The hacker then moved all funds to Ethereum using the Across Protocol bridging system.

Source: @bunni_xyz

Security firm Hacken tracked the stolen assets to specific wallet addresses. The funds included $1.33 million in USDC and $1.04 million in USDT stablecoins, according to blockchain data.

Bunni’s Response and Recovery Efforts

Following the attack, Bunni took immediate action to protect remaining user funds. The team paused all smart contract functions across supported networks, including Ethereum, Base, Arbitrum, and BNB Smart Chain.

Source: @bunni_xyz

Core contributor @Psaul26ix urged users to withdraw their funds immediately. “If you have money on Bunni, remove it ASAP,” they posted on social media.

In an unusual move, Bunni offered the hacker a 10% bounty in exchange for returning the stolen funds. The team sent an on-chain message through the Ethereum network, including contact details for potential negotiations.

Partner protocols moved quickly to reassure users about their safety. Michael Bentley, CEO of Euler Finance, confirmed that his lending protocol remained unaffected despite channeling liquidity through Bunni. Other DeFi platforms monitoring the situation also reported no impact on their operations.

The Rise and Fall of a DeFi Leader

Before the hack, Bunni had established itself as the dominant force in the emerging Uniswap v4 ecosystem. The platform controlled three of the top four positions on HookRank, a ranking system for Uniswap v4 hooks, and processed nearly 59% of all tracked trading volume across these new protocols.

Bunni’s success came from its innovative approach to liquidity provision. The platform’s re-hypothecation hook allowed deposited tokens to earn money in two ways: from trading fees and from lending to other protocols simultaneously. This dual income stream attracted significant liquidity from investors seeking higher returns.

The platform’s flagship ETH-USDC 1.1 pool on Base blockchain generated over $80 million in trading volume during a 30-day period, despite having relatively low total value locked. This efficiency created an annual percentage yield of 2,690% for liquidity providers in that specific pool.

Bunni also introduced Liquidity Density Functions that kept gas costs constant regardless of price movements, solving a major problem with earlier Uniswap versions. The platform automated position management and protected against certain types of MEV attacks that drain value from ordinary users.

Security Challenges in DeFi Innovation

The Bunni incident highlights ongoing security challenges in decentralized finance. The platform had previously undergone security reviews by respected firms including Trail of Bits and Cyfrin. However, it remains unclear whether the exploited vulnerability was identified in those audits or introduced through later code changes.

This attack fits into a troubling pattern of DeFi exploits. August 2025 saw over $163 million stolen across 16 separate incidents, representing a 15% increase from the previous month. The DeFi sector has lost more than $300 million to hacks and scams over the past two months alone.

Security experts note that attackers are becoming more sophisticated, often targeting newer protocols with complex mechanisms. The custom nature of Bunni’s LDF system, while innovative, created an attack surface that standard protocols might not have.

The Uniswap v4 ecosystem, where Bunni operates, remains largely experimental. Only about 32% of v4 liquidity pools use hooks like Bunni’s, and just 8% of swaps flow through these enhanced protocols. This early-stage environment combines high innovation potential with elevated security risks.

Looking Forward

The Bunni exploit serves as a reminder that innovation in decentralized finance comes with significant risks. While the platform pioneered new approaches to liquidity management that generated impressive returns, these same innovations created vulnerabilities that hackers could exploit.

The incident may slow adoption of Uniswap v4 hooks in the short term as developers review security practices. However, the underlying technology continues to show promise, with the Uniswap Foundation committing over $144 million in incentives to support hook development.

For users, the attack reinforces the importance of understanding the risks involved in using cutting-edge DeFi protocols. While higher returns are possible, they often come with increased exposure to smart contract vulnerabilities and other technical risks that traditional finance doesn’t face.