Bunni DEX, a cutting-edge decentralized trade constructed on Uniswap v4, fell sufferer to a serious safety breach on September 2, 2025. Hackers drained an estimated $8.four million from the platform by exploiting a vulnerability in its customized liquidity administration system.
The assault focused Bunni’s modern Liquidity Distribution Operate (LDF), a specialised mechanism the platform makes use of as an alternative of ordinary Uniswap protocols. Inside hours of detecting the breach, Bunni’s team suspended all good contract operations throughout a number of blockchain networks as a security measure.
How the Assault Unfolded
The exploit centered on Bunni’s customized LDF system, which manages how liquidity will get distributed throughout totally different worth ranges. This method was designed to spice up returns for liquidity suppliers, however hackers discovered a strategy to manipulate it.
Victor Tran, co-founder of KyberNetwork, explained the attack technique on social media. The hacker executed trades utilizing very particular quantities that confused Bunni’s rebalancing calculations. These fastidiously chosen commerce sizes precipitated the system to miscalculate how a lot every liquidity supplier ought to personal from the pool.
By repeating this course of a number of instances, the attacker regularly withdrew extra tokens than they had been entitled to. The stolen funds totaled roughly $2.four million from Ethereum and $6 million from Unichain, Uniswap’s layer-2 community. The hacker then moved all funds to Ethereum utilizing the Throughout Protocol bridging system.
Supply: @bunni_xyz
Safety agency Hacken tracked the stolen belongings to particular pockets addresses. The funds included $1.33 million in USDC and $1.04 million in USDT stablecoins, in accordance with blockchain data.
Bunni’s Response and Restoration Efforts
Following the assault, Bunni took instant motion to guard remaining person funds. The staff paused all good contract features throughout supported networks, together with Ethereum, Base, Arbitrum, and BNB Good Chain.
Supply: @bunni_xyz
Core contributor @Psaul26ix urged customers to withdraw their funds instantly. “When you’ve got cash on Bunni, take away it ASAP,” they posted on social media.
In an uncommon transfer, Bunni provided the hacker a 10% bounty in trade for returning the stolen funds. The staff despatched an on-chain message by way of the Ethereum community, together with contact particulars for potential negotiations.
Associate protocols moved shortly to reassure customers about their security. Michael Bentley, CEO of Euler Finance, confirmed that his lending protocol remained unaffected regardless of channeling liquidity by way of Bunni. Different DeFi platforms monitoring the scenario additionally reported no influence on their operations.
The Rise and Fall of a DeFi Chief
Earlier than the hack, Bunni had established itself because the dominant pressure within the rising Uniswap v4 ecosystem. The platform managed three of the highest 4 positions on HookRank, a rating system for Uniswap v4 hooks, and processed practically 59% of all tracked buying and selling quantity throughout these new protocols.
Bunni’s success got here from its modern method to liquidity provision. The platform’s re-hypothecation hook allowed deposited tokens to earn cash in two methods: from buying and selling charges and from lending to different protocols concurrently. This twin earnings stream attracted vital liquidity from buyers looking for increased returns.
The platform’s flagship ETH-USDC 1.1 pool on Base blockchain generated over $80 million in buying and selling quantity throughout a 30-day interval, regardless of having comparatively low complete worth locked. This effectivity created an annual proportion yield of two,690% for liquidity suppliers in that particular pool.
Bunni additionally launched Liquidity Density Features that stored fuel prices fixed no matter worth actions, fixing a serious drawback with earlier Uniswap variations. The platform automated place administration and guarded towards sure forms of MEV assaults that drain worth from peculiar customers.
Safety Challenges in DeFi Innovation
The Bunni incident highlights ongoing safety challenges in decentralized finance. The platform had beforehand undergone safety evaluations by revered corporations together with Path of Bits and Cyfrin. Nevertheless, it stays unclear whether or not the exploited vulnerability was recognized in these audits or launched by way of later code modifications.
This assault suits right into a troubling sample of DeFi exploits. August 2025 noticed over $163 million stolen throughout 16 separate incidents, representing a 15% improve from the earlier month. The DeFi sector has misplaced greater than $300 million to hacks and scams over the previous two months alone.
Safety specialists be aware that attackers have gotten extra refined, usually concentrating on newer protocols with complicated mechanisms. The customized nature of Bunni’s LDF system, whereas modern, created an assault floor that normal protocols won’t have.
The Uniswap v4 ecosystem, the place Bunni operates, stays largely experimental. Solely about 32% of v4 liquidity swimming pools use hooks like Bunni’s, and simply 8% of swaps move by way of these enhanced protocols. This early-stage atmosphere combines excessive innovation potential with elevated safety dangers.
Trying Ahead
The Bunni exploit serves as a reminder that innovation in decentralized finance comes with vital dangers. Whereas the platform pioneered new approaches to liquidity administration that generated spectacular returns, these similar improvements created vulnerabilities that hackers may exploit.
The incident could gradual adoption of Uniswap v4 hooks within the brief time period as builders evaluation safety practices. Nevertheless, the underlying expertise continues to point out promise, with the Uniswap Basis committing over $144 million in incentives to assist hook growth.
For customers, the assault reinforces the significance of understanding the dangers concerned in utilizing cutting-edge DeFi protocols. Whereas increased returns are potential, they usually include elevated publicity to good contract vulnerabilities and different technical dangers that conventional finance doesn’t face.
Sven Luiv Sven Luiv Read More
