Bunni DEX Drained in $2.3M Smart Contract Exploit

Highlights:

• Bunni lost $2.3 million in a smart contract exploit attack.
• The vulnerability came from its Liquidity Distribution Function.
• The exploiter moved funds to Aave, converting to stablecoins and ETH.

Bunni, a decentralized exchange built on Ethereum and Uniswap V4, lost $2.3 million when a security breach let hackers take advantage of a flaw in its liquidity mechanism. The attack happened early on Tuesday, and Certik’s on-chain analysts immediately identified it.

The attacker siphoned stablecoins, mostly USDC and USDT, from Bunni’s protocol. These assets were then sent through other decentralized finance (DeFi) platforms and finally deposited into Aave, a well-known lending platform that runs on Ethereum. According to the blockchain data, the wallet of the exploiter held $1.33 million of USDC and $1.04 million of USDT after the exploit.

#CertiKInsight 🚨

We have identified a $2.3M exploit on the @bunni_xyz BunniHub contract.https://t.co/lZB0vzSMQx

The exploiter has exfiltrated funds to 0xe04efd87f410e260cf940a3bcb8bc61f33464f2b.

Stay Vigilant!

— CertiK Alert (@CertiKAlert) September 2, 2025

Liquidity Distribution Function Caused the Smart Contract Exploit

At the center of the attack was a weakness in Bunni’s Liquidity Distribution Function (LDF). Bunni’s LDF is different from Uniswap’s default method because it tries to increase returns by moving liquidity around between different price ranges. This method was innovative, but it had a big flaw. 

Security researchers exposed the attacker’s approach to exploiting this function, which involved trades of very specific sizes. These trades messed up the LDF’s rebalancing logic, which made a mistake when calculating the value of liquidity provider (LP) shares. This allowed the attacker to receive more tokens than they should have been able to.

Victor Tran, the co-founder of KyberNetwork, said that the attacker “figured out they could manipulate the LDF by making trades of very specific sizes.” By doing these exact transactions over and over again, the exploiter was able to slowly take money without setting off any automated alarms. Furthermore, this smart contract exploit revealed a precision bug that could have arisen from a recent update to Bunni’s codebase. Despite the exploit, Bunnie had been audited previously.

1. Bunni is a liquidity hook that runs on top of UniswapV4. Instead of using UniswapV4’s normal system, Bunni has its own liquidity curve called LDF (Liquidity Distribution Function).

2. After each trade, Bunni checks if its LDF curve has changed since the last trade. If it has,… https://t.co/uCSWXyuAt2

— Victor Tran (@vutran54) September 2, 2025

Funds Routed Through Aave Following Exploit

After successfully extracting funds from Bunni, the attacker transferred them via several DeFi protocols. Eventually, the stolen assets landed in Aave, which deposited them into lending pools, making tracing and recovery more difficult. Analysts were able to confirm that the attacker’s final wallet held large balances in Aave USDC and USDT assets. Shortly after the exploit was discovered, at 3:04 a.m., Bunni’s team posted a statement on X confirming the breach.

The post reads:

“The Bunni app has been compromised with a security exploit. For the safety of users, we have paused all smart contract functions on all networks.”

Bunni engages with Euler Finance to handle some of its liquidity. However, Euler Labs CEO Michael Bentley explained that their protocol was not impacted by the exploit. He reassured users that none of the Euler systems were compromised during the incident.

The timing of the attack was notable. Bunni had just surpassed $60 million in total value locked and more than $1 billion in trading volume in August. Immediately following the attack, BUNNI prices dropped more than 35% within an hour. Further research into the full extent of the exploit is still underway. This incident happened in the midst of a general increase in crypto-related hacks. Over $163 million was lost in 16 crypto-related incidents during the month of August alone. This was a 15% increase from the previous month.