While Bunni DEX was celebrating a milestone month with over $1 billion in August trading volume and a robust $60 million total value locked, hackers were apparently studying the platform’s Liquidity Distribution Function with the kind of methodical patience typically reserved for doctoral dissertations—though considerably less altruistic in their intentions.
The Uniswap V4-powered decentralized exchange discovered it had become the victim of an $8.4 million heist spanning both Ethereum and Unichain networks, prompting immediate suspension of all smart contract operations across every supported blockchain. What makes this particular breach significant (beyond the substantial financial damage) is the surgical precision with which attackers exploited a vulnerability in Bunni’s LDF—likely exposed through a recent code update that proved rather more consequential than anticipated.
Rather than employing the typical smash-and-grab approach favored by less sophisticated actors, these hackers demonstrated remarkable finesse, executing repeated transactions of precisely calibrated sizes that effectively flew under the radar of automated monitoring systems. The attack vector focused primarily on Ethereum-based smart contracts, where attackers manipulated liquidity pools to gradually drain funds without triggering security alerts—a demonstration of either exceptional technical acumen or extraordinarily poor detection mechanisms. This incident highlights the persistent risk of smart contract vulnerabilities that have plagued the DeFi ecosystem, costing investors billions annually.
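The monitoring gap described above (each transfer sized to stay under a single-transaction alert, while the total drains the pool) can be closed by also alerting on cumulative outflow per sender and pool over a sliding window. The sketch below is an added example, not code from Bunni or from any monitoring product; the thresholds, address labels and events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration only.
PER_TX_LIMIT_USD = 250_000    # single-transaction alert threshold
WINDOW_SECONDS = 3600         # sliding-window length
WINDOW_LIMIT_USD = 500_000    # cumulative outflow limit per (sender, pool)

BASE = 1_756_800_000          # constructed timestamp
# Constructed sample events: (unix_ts, sender, pool, usd_outflow).
SAMPLE_EVENTS = [
    (BASE + i * 300, "0xsender_a_constructed", "USDC/USDT", usd)
    for i, usd in enumerate([240_000, 245_000, 238_000, 242_000, 241_000, 244_000])
] + [
    (BASE + 100, "0xsender_b_constructed", "USDC/USDT", 40_000),
    (BASE + 200, "0xsender_c_constructed", "USDC/USDT", 300_000),
]

def per_tx_alerts(events):
    """Naive monitor: flags only transfers at or above the per-transaction limit."""
    return [e for e in events if e[3] >= PER_TX_LIMIT_USD]

def cumulative_alerts(events):
    """Sliding-window monitor: first time each (sender, pool) crosses the window limit.

    Returns {(sender, pool): (ts, window_total_usd, tx_count, near_limit_count)}.
    near_limit_count is the number of windowed transfers within 10% below the
    per-transaction limit, a hint that sizes were chosen to avoid that alert.
    """
    windows = defaultdict(deque)
    totals = defaultdict(int)
    alerts = {}
    for ts, sender, pool, usd in sorted(events):
        key = (sender, pool)
        q = windows[key]
        q.append((ts, usd))
        totals[key] += usd
        # Evict transfers that have aged out of the window.
        while q[0][0] <= ts - WINDOW_SECONDS:
            totals[key] -= q.popleft()[1]
        if totals[key] >= WINDOW_LIMIT_USD and key not in alerts:
            near = sum(1 for _, u in q
                       if 0.9 * PER_TX_LIMIT_USD <= u < PER_TX_LIMIT_USD)
            alerts[key] = (ts, totals[key], len(q), near)
    return alerts

if __name__ == "__main__":
    print("per-tx:", per_tx_alerts(SAMPLE_EVENTS))
    print("cumulative:", cumulative_alerts(SAMPLE_EVENTS))
```

On the constructed data, the per-transaction rule flags only the single 300,000 transfer, while the windowed rule flags the sender whose six sub-threshold transfers add up.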
Initial forensic analysis confirmed theft of approximately $2.3 million in stablecoins, primarily USDC ($1.33 million) and USDT ($1.04 million), though broader blockchain investigation suggests total losses approached the full $8.4 million figure. The BUNNI token responded predictably to news of the breach, plummeting over 35% within an hour—because nothing inspires confidence quite like discovering your platform’s fundamental architecture contained exploitable flaws. The timing proved particularly unfortunate as the incident occurred on Tuesday, Sept. 2, disrupting what had been a relatively stable trading period.
The perpetrators displayed equal sophistication in their money laundering operations, routing stolen assets through multiple DeFi protocols before depositing them into Aave lending pools and executing numerous 100 ETH swaps via the Across Protocol bridge. Although Bunni’s audits had been completed before the exploit, the vulnerability in the smart contract’s logic remained undetected until attackers exposed it during the breach.
Security firms including Hacken and CertiK quickly mobilized to trace the complex web of transactions, while Bunni’s team issued public acknowledgments emphasizing transparency and containment measures.
This incident unfortunately aligns with broader trends in DeFi exploitation, contributing to August’s staggering $163 million in losses across sixteen separate events.