bitcoin
Bitcoin (BITCOIN)
$110,748 1.85%
ethereum
Ethereum (ETHEREUM)
$4,304 -0.38%
binancecoin
BNB (BINANCECOIN)
$849.84 0.61%
solana
Solana (SOLANA)
$204.43 3.28%
ripple
XRP (RIPPLE)
$2.80 2.58%
shiba-inu
Shiba Inu (SHIBA-INU)
$0.000012 2.76%
pepe
Pepe (PEPE)
$0.000010 2.58%
bonk
Bonk (BONK)
$0.000020 0.26%
bitcoin
Bitcoin (BITCOIN)
$110,748 1.85%
ethereum
Ethereum (ETHEREUM)
$4,304 -0.38%
binancecoin
BNB (BINANCECOIN)
$849.84 0.61%
solana
Solana (SOLANA)
$204.43 3.28%
ripple
XRP (RIPPLE)
$2.80 2.58%
shiba-inu
Shiba Inu (SHIBA-INU)
$0.000012 2.76%
pepe
Pepe (PEPE)
$0.000010 2.58%
bonk
Bonk (BONK)
$0.000020 0.26%
bitcoin
Bitcoin (BITCOIN)
$110,748 1.85%
ethereum
Ethereum (ETHEREUM)
$4,304 -0.38%
binancecoin
BNB (BINANCECOIN)
$849.84 0.61%
solana
Solana (SOLANA)
$204.43 3.28%
ripple
XRP (RIPPLE)
$2.80 2.58%
shiba-inu
Shiba Inu (SHIBA-INU)
$0.000012 2.76%
pepe
Pepe (PEPE)
$0.000010 2.58%
bonk
Bonk (BONK)
$0.000020 0.26%
Disclosure
Cryptocurrency trading is speculative and your capital is at risk when you trade. We may earn affiliate commissions from some of the products on this page - at no extra cost to you.
Bunni DEX Drained in $2.3M Smart Contract Exploit

Highlights:

  • Bunni lost $2.3 million in a smart contract exploit attack.
  • The vulnerability came from its Liquidity Distribution Function.
  • The exploiter moved funds to Aave, converting to stablecoins and ETH.

Bunni, a decentralized exchange built on Ethereum and Uniswap V4, lost $2.3 million when a security breach let hackers take advantage of a flaw in its liquidity mechanism. The attack happened early on Tuesday, and Certik’s on-chain analysts immediately identified it.

Advertisement

Banner

The attacker siphoned stablecoins, mostly USDC and USDT, from Bunni’s protocol. These assets were then sent through other decentralized finance (DeFi) platforms and finally deposited into Aave, a well-known lending platform that runs on Ethereum. According to the blockchain data, the wallet of the exploiter held $1.33 million of USDC and $1.04 million of USDT after the exploit.

Liquidity Distribution Function Caused the Smart Contract Exploit

At the center of the attack was a weakness in Bunni’s Liquidity Distribution Function (LDF). Bunni’s LDF is different from Uniswap’s default method because it tries to increase returns by moving liquidity around between different price ranges. This method was innovative, but it had a big flaw. 

Security researchers exposed the attacker’s approach to exploiting this function, which involved trades of very specific sizes. These trades messed up the LDF’s rebalancing logic, which made a mistake when calculating the value of liquidity provider (LP) shares. This allowed the attacker to receive more tokens than they should have been able to.

Victor Tran, the co-founder of KyberNetwork, said that the attacker “figured out they could manipulate the LDF by making trades of very specific sizes.” By doing these exact transactions over and over again, the exploiter was able to slowly take money without setting off any automated alarms. Furthermore, this smart contract exploit revealed a precision bug that could have arisen from a recent update to Bunni’s codebase. Despite the exploit, Bunnie had been audited previously.

Funds Routed Through Aave Following Exploit

After successfully extracting funds from Bunni, the attacker transferred them via several DeFi protocols. Eventually, the stolen assets landed in Aave, which deposited them into lending pools, making tracing and recovery more difficult. Analysts were able to confirm that the attacker’s final wallet held large balances in Aave USDC and USDT assets. Shortly after the exploit was discovered, at 3:04 a.m., Bunni’s team posted a statement on X confirming the breach.

The post reads:

“The Bunni app has been compromised with a security exploit. For the safety of users, we have paused all smart contract functions on all networks.”

Bunni engages with Euler Finance to handle some of its liquidity. However, Euler Labs CEO Michael Bentley explained that their protocol was not impacted by the exploit. He reassured users that none of the Euler systems were compromised during the incident.

The timing of the attack was notable. Bunni had just surpassed $60 million in total value locked and more than $1 billion in trading volume in August. Immediately following the attack, BUNNI prices dropped more than 35% within an hour. Further research into the full extent of the exploit is still underway. This incident happened in the midst of a general increase in crypto-related hacks. Over $163 million was lost in 16 crypto-related incidents during the month of August alone. This was a 15% increase from the previous month.

eToro Platform

Best Crypto Exchange

  • Over 90 top cryptos to trade
  • Regulated by top-tier entities
  • User-friendly trading app
  • 30+ million users
9.9

5 Stars

eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong.

Advertisement

Banner

Advertisement

Banner

Advertisement

Banner