Decentralized exchange Bunni has lost more than $2.3 million in stablecoins after a targeted exploit. On-chain analysts at Blocksec confirm the attack focused on weaknesses in Bunni’s Ethereum-based smart contracts.
The incident, which comes amid news of a Venus Protocol user losing about $27 million to a phishing scam, raises fresh concerns about the risks of decentralized finance platforms that rely on custom-built liquidity systems.
Bunni has paused all smart contract functions while urging users to withdraw funds and secure their assets.
Attack details and platform response
The attacker drained funds into the address “0xe04…64f2b,” now holding $1.33 million in USDC and $1.04 million in USDT.
Core contributor @Psaul26ix warned users on X to remove their funds immediately to avoid further loss.
Bunni confirmed the exploit in a 3:04 a.m. post on Tuesday, stating it paused all smart contract functions across networks. Developers are investigating and promised more details once the cause is fully identified.
The platform, built on Uniswap v4, is designed to boost liquidity provider returns with adaptive pools and incentive tokens. However, its custom architecture appears to have contained the weaknesses the attacker exploited.
Liquidity mechanism under scrutiny
At the center of the exploit is Bunni’s Liquidity Distribution Function (LDF), a custom system intended to optimize liquidity across price ranges.
Unlike Uniswap’s default logic, this mechanism rebalances pools in a way that attackers learned to manipulate.
Victor Tran, co-founder of KyberNetwork, explained that trades of very specific sizes disrupted the LDF’s rebalancing calculations.
These trades produced incorrect liquidity share values, letting the exploiter drain funds gradually without triggering immediate alarms.
The attacker repeated the process until more than $2.3 million in stablecoins was extracted. On-chain data shows that the method allowed stealthy execution across multiple transactions.
Bunni channels liquidity through Euler Finance, a decentralized lending protocol. Euler’s co-founder and CEO, Michael Bentley, confirmed that Euler itself was unaffected, stressing that the issue was confined to Bunni.
Bunni’s team continues to investigate the exploit and has yet to release a full technical breakdown. Until then, operations remain frozen, and users are warned to take precautions.
The incident underscores how innovative DeFi models can expose protocols to sophisticated attacks, leaving security as the most urgent priority.