Loading Search...
Bunni DEX exploit drains $2.4M via liquidity flaw, forcing the DeFi platform to pause contracts. Hack adds to $163M in crypto losses in August
Author: Akshat Thakur
September 2, 2025 — Decentralized exchange Bunni has paused all smart contracts after a Bunni DEX exploit drained around $2.4 million in stablecoins. The attack targeted a flaw in Bunni’s Liquidity Distribution Function (LDF), its custom liquidity mechanism built on Uniswap v4.
On Tuesday, Bunni confirmed the Bunni DEX exploit via a post on X, stating that all contract functions were paused across networks as a precaution. Core contributor @Psaul26ix urged users to withdraw funds immediately.
Onchain data showed attackers drained Ethereum-based smart contracts, transferring funds to an address holding $1.33 million in USDC and $1.04 million in USDT.
Initial analysis suggests the vulnerability came from Bunni’s Liquidity Distribution Function (LDF). Designed to optimize liquidity allocation across price ranges, the LDF mechanism was instead manipulated by attackers who executed trades of specific sizes. These trades disrupted rebalancing calculations, giving the attacker incorrect share ownership and enabling gradual fund extraction.
Victor Tran, co-founder of KyberNetwork, noted that the exploit highlighted the risks of customizing proven models: “Exploiter figured out they could manipulate this LDF by making trades of very specific sizes. These amounts broke the rebalancing logic, giving wrong results for LP shares.”
Bunni halted contracts across all networks and has yet to publish a full post-mortem. The team confirmed that the incident did not affect Euler Finance, which channels liquidity through Bunni. Still, the team strongly advised users to withdraw assets.
Michael Bentley, Euler’s co-founder and CEO, clarified that the incident only impacted Bunni’s custom logic and did not compromise Euler’s protocol.
The Bunni DEX exploit adds to a concerning rise in crypto hacks. In August alone, attackers stole $163 million across 16 incidents, a 15% increase from July. While still 47% lower year-over-year, the trend reflects renewed hacker activity as markets strengthen.
August’s largest single loss came from a $91 million social engineering scam in which a Bitcoiner was tricked by attackers posing as support staff. Analysts also note a shift toward targeting centralized exchanges and high-value individuals, while DeFi protocols remain vulnerable to smart contract flaws.
Bunni’s exploit underscores the risks DeFi projects face when customizing liquidity mechanisms. While Uniswap v4 offers robust, tested logic, deviations such as LDF can create new attack vectors if not stress-tested thoroughly.
For users, the incident reinforces the importance of monitoring project audits, onchain warnings, and community alerts. For developers, it highlights the growing need to balance innovation with rigorous, adversarial testing before deploying custom features to mainnet.
The $2.4 million Bunni DEX exploit highlights the ongoing risks facing DeFi protocols that experiment with custom mechanics. While Bunni’s pause may contain further losses, the event adds to a rising wave of 2025 exploits, reminding builders and investors alike that innovation without security can carry heavy costs.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Denaria Perp DEX on Linea Hit by $165K Smart Contract Exploit
Drift Protocol Hacked for $270M in Solana’s Biggest DeFi Exploit
Steakhouse Warns Users of Phishing Attack on Domain
P2P.me Faces Insider Trading Claims After Own Raise Bet
Denaria Perp DEX on Linea Hit by $165K Smart Contract Exploit
Drift Protocol Hacked for $270M in Solana’s Biggest DeFi Exploit
Steakhouse Warns Users of Phishing Attack on Domain
P2P.me Faces Insider Trading Claims After Own Raise Bet
