A flaw in Bunni’s smart contracts let an attacker steal around $2.3 million in stablecoins, forcing the decentralized exchange to halt all activity while it investigates the breach.
Summary
- Bunni DEX was exploited for about $2.3 million in stablecoins after an attacker manipulated its custom Liquidity Distribution Function.
- The stolen funds were consolidated into a single Ethereum wallet holding $1.33 million in USDC and $1.04 million in USDT.
- The incident follows a wave of August exploits that caused $163 million in losses, bringing 2025’s total losses above $3.1 billion.
The decentralized exchange Bunni suffered a security breach on Tuesday, September 2, 2025. The exchange announced the exploit via an X post, adding that it halted all smart contract functions across every network to prevent further damage.
“The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon.”
Blockchain security firm BlockSec was one of the first to flag the suspicious activity, noting that an attacker was exploiting a flaw in Bunni’s contracts to drain funds.
The attacker executed a series of carefully sized trades designed to exploit Bunni’s Liquidity Distribution Function (LDF), a custom mechanism that replaces Uniswap’s default logic, aiming to spread liquidity more evenly across different price ranges and allow for more complex trading strategies.
Each of these trades skewed the pool’s rebalance logic, allowing the attacker to pull out more tokens than actually available. Repeating this cycle multiple times, the attacker drained the vaults until they reached approximately $2.3 million in stablecoins.
On-chain data shows the stolen assets are in a single Ethereum wallet now holding $1.33 million in USDC (USDC) and $1.04 million in USDT (USDT).
The attack came at a high point for Bunni. The exchange, which launched in February and operates on both Ethereum and Unichain using Uniswap V4 technology, had just reached a local peak with around $60 million locked in its vaults at the end of August. It was also one of Bunni’s strongest months yet, with trading volumes topping $1 billion.
Marking the first major DeFi exploit of September, the incident follows a string of high-profile hacks in August that had already shaken the industry.
Bunni hack adds to mounting crypto exploits in 2025
August stood out as one of the most damaging months of the year for DeFi and crypto platforms. As previously reported by crypto.news, losses from hacks and exploits in August reached about $163 million across 16 incidents. This was a sharp rise from July, when about $142 million was lost.
The biggest hits came from a social engineering attack that stole $91 million from a Bitcoin whale and a second major breach at Turkish exchange BtcTurk that drained around $48 million.
August’s wave of exploits made it one of the most costly months of 2025 for the industry. This builds on an already significant impact from the first half of the year, with total losses surpassing $3.1 billion, well above the $2.2 billion recorded for all of 2024.
