Bunni DEX exploit drains $2.4M via liquidity flaw, forcing the DeFi platform to pause contracts. Hack adds to $163M in crypto losses in August.
Author: Akshat Thakur
Published On: Tue, 02 Sep 2025 11:55:35 GMT
September 2, 2025 — Decentralized exchange Bunni has paused all smart contracts after an exploit drained around $2.4 million in stablecoins. The attack targeted a flaw in Bunni’s Liquidity Distribution Function (LDF), its custom liquidity mechanism built on Uniswap v4.
On Tuesday, Bunni confirmed the exploit in a post on X, stating that all contract functions were paused across networks as a precaution. Core contributor @Psaul26ix urged users to withdraw funds immediately.
Onchain data showed attackers drained Ethereum-based smart contracts, transferring funds to an address holding $1.33 million in USDC and $1.04 million in USDT.
Initial analysis suggests the vulnerability came from Bunni’s Liquidity Distribution Function (LDF). Designed to optimize liquidity allocation across price ranges, the LDF mechanism was instead manipulated by attackers who executed trades of specific sizes. These trades disrupted rebalancing calculations, giving the attacker incorrect share ownership and enabling gradual fund extraction.
Victor Tran, co-founder of KyberNetwork, noted that the exploit highlighted the risks of customizing proven models: “Exploiter figured out they could manipulate this LDF by making trades of very specific sizes. These amounts broke the rebalancing logic, giving wrong results for LP shares.”
Bunni halted contracts across all networks and has yet to publish a full post-mortem. The team confirmed that the incident did not affect Euler Finance, which channels liquidity through Bunni. Still, the team strongly advised users to withdraw assets.
Michael Bentley, Euler’s co-founder and CEO, clarified that the incident only impacted Bunni’s custom logic and did not compromise Euler’s protocol.
The Bunni DEX exploit adds to a concerning rise in crypto hacks. In August alone, attackers stole $163 million across 16 incidents, a 15% increase from July. While the total is still 47% lower year-over-year, the trend reflects renewed hacker activity as markets strengthen.
August’s largest single loss came from a $91 million social engineering scam in which a Bitcoiner was tricked by attackers posing as support staff. Analysts also note a shift toward targeting centralized exchanges and high-value individuals, while DeFi protocols remain vulnerable to smart contract flaws.
Bunni’s exploit underscores the risks DeFi projects face when customizing liquidity mechanisms. While Uniswap v4 offers robust, tested logic, deviations such as LDF can create new attack vectors if not stress-tested thoroughly.
For users, the incident reinforces the importance of monitoring project audits, onchain warnings, and community alerts. For developers, it highlights the growing need to balance innovation with rigorous, adversarial testing before deploying custom features to mainnet.
The $2.4 million Bunni DEX exploit highlights the ongoing risks facing DeFi protocols that experiment with custom mechanics. While Bunni’s pause may contain further losses, the event adds to a rising wave of 2025 exploits, reminding builders and investors alike that innovation without security can carry heavy costs.