Introduction
The decentralized exchange Bunni has announced its permanent closure following a devastating $8.4 million hack in September, marking another casualty in 2025’s escalating cryptocurrency security crisis. Founders cited insurmountable recovery costs, including six- to seven-figure audit expenses, as the primary reason for shutting down rather than attempting a secure relaunch. While users can still withdraw their assets, the platform’s demise underscores the critical vulnerabilities facing DeFi protocols and the enormous financial barriers to proper security implementation.
Key Points
- The hack exploited Bunni's Liquidity Density Function using flash loans and sandwich attacks across two pools: weETH/ETH on Unichain and USDC/USDT on Ethereum
- Bunni is relicensing its v2 smart contracts from BUSL to MIT, making innovations like LDFs, surge fees, and autonomous rebalancing available to the broader DeFi ecosystem
- The platform is working with law enforcement and offered the attacker a 10% bounty for returning stolen funds, but received no response
The Anatomy of an $8.4 Million Exploit
The September 2 attack that ultimately doomed Bunni exploited the platform’s innovative Liquidity Density Function across two critical pools: weETH/ETH on Unichain and USDC/USDT on Ethereum. According to Bunni’s detailed post-mortem report, the sophisticated attack drained approximately $8.4 million through a combination of flash loan manipulation and rounding errors. The exploit consisted of three distinct phases: initial swaps using flash-loaned funds, numerous tiny withdrawals to exploit rounding mechanisms, and finally a sandwich attack to maximize profits from artificial price manipulation.
The technical breakdown reveals the attacker first flash-borrowed 3 million USDT, then executed multiple swaps from USDT to USDC, deliberately pushing the pool’s spot price tick to 5000—equivalent to 1 USDC trading for 1.68 USDT. This manipulation created the conditions for the subsequent exploitation. Following the attack, the stolen funds were bridged to Ethereum and remain unmoved in Tornado Cash-funded wallets, effectively laundering the illicit gains through the privacy-focused protocol.
Kadan Stadelmann, Chief Technology Officer at Komodo Platform, emphasized the broader implications for the DeFi industry, telling Decrypt that ‘This hack shows the industry in no uncertain terms that custom liquidity logic needs exhaustive testing, as flash loans introduce low-risk exploits.’ The incident demonstrates how even sophisticated DeFi protocols remain vulnerable to well-orchestrated attacks leveraging common DeFi mechanisms.
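As an added illustration (not taken from Bunni's post-mortem or contracts), this is the kind of property test the rounding phase described above calls for. It uses a constructed toy share pool, with hypothetical names `ToyPool`, `first_violation` and `drained`, and checks that repeated tiny withdrawals never lower the value per share left for the remaining holders.

```python
from fractions import Fraction


class ToyPool:
    """Constructed share-based pool in integer token units (an assumption, not Bunni's code)."""

    def __init__(self, balance, total_shares, round_up):
        self.balance = balance
        self.total_shares = total_shares
        self.round_up = round_up  # True: payout rounds toward the withdrawer

    def withdraw(self, shares):
        num = self.balance * shares
        if self.round_up:
            payout = -(-num // self.total_shares)  # ceiling division
        else:
            payout = num // self.total_shares      # floor: dust stays in the pool
        self.balance -= payout
        self.total_shares -= shares
        return payout


def first_violation(pool, withdrawals):
    """Index of the first withdrawal that lowers value per share for
    the remaining holders, or None if the invariant always holds."""
    for i, shares in enumerate(withdrawals):
        before = Fraction(pool.balance, pool.total_shares)
        pool.withdraw(shares)
        if pool.total_shares == 0:
            return None
        if Fraction(pool.balance, pool.total_shares) < before:
            return i
    return None


def drained(round_up, n):
    """Total paid out by n one-share withdrawals from the sample pool."""
    pool = ToyPool(1_000_003, 10**9, round_up)  # constructed sample values
    return sum(pool.withdraw(1) for _ in range(n))


if __name__ == "__main__":
    tiny = [1] * 1000  # 1000 shares are worth about 1 unit pro rata
    print("round-up, first violation:", first_violation(ToyPool(1_000_003, 10**9, True), tiny))
    print("round-down, first violation:", first_violation(ToyPool(1_000_003, 10**9, False), tiny))
    print("units paid, round-up vs round-down:", drained(True, 1000), drained(False, 1000))
```

Run as a unit or fuzz test, the check fails on the very first dust-sized withdrawal when payouts round toward the withdrawer and never fails when they round toward the pool.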
Legacy and Industry Implications
Despite its closure, Bunni is taking steps to ensure its technological contributions benefit the broader DeFi ecosystem. The team announced it has relicensed its v2 smart contracts from BUSL to MIT, making innovations like Liquidity Density Functions, surge fees, and autonomous rebalancing available for public use. This open-source approach represents a silver lining in the platform’s demise, potentially advancing DeFi technology even as Bunni itself ceases operations.
The platform is also working with law enforcement to recover the stolen assets and has sent an on-chain message offering the attacker a 10% bounty—approximately $840,000—for returning the remaining funds. This offer went unanswered, reflecting the challenges of recovering stolen cryptocurrency once it enters mixing services like Tornado Cash. Meanwhile, the team is finalizing legal processes to distribute remaining treasury assets to BUNNI, LIT, and veBUNNI token holders based on a snapshot, explicitly excluding team members from the payout.
Bunni’s breach contributes significantly to 2025’s mounting crypto security crisis, with blockchain analytics firm Elliptic reporting that hackers have stolen over $2 billion in digital assets this year alone. Alarmingly, North Korea-linked hackers account for the majority of these losses, marking the largest annual total on record. The Bunni incident serves as a stark reminder of the persistent security challenges facing decentralized finance and the enormous costs of proper protection in an increasingly hostile digital environment.
