Bunni DEX Faces $2.4M Loss After Liquidity Rebalancing Attack

- Bunni DEX exploit drained $2.4M by targeting liquidity logic through Uniswap v4 hooks.
- Attackers used trades of precise sizes to break calculations and drain stablecoins.
- Crypto hacks rose to $163M in August, showing shifting threats in digital markets.
Decentralized exchange Bunni lost about $2.4 million after attackers exploited vulnerabilities in its Ethereum-based smart contracts. Onchain data from multiple Web3 security firms confirmed the loss of stablecoins USDC and USDT. The attack manipulated Bunni’s liquidity distribution logic, draining funds into an address holding $1.33 million in USDC and $1.04 million in USDT. The attackers exploited weaknesses in the Liquidity Distribution Function (LDF), a feature designed to optimize liquidity across price ranges.
Bunni core contributor @Psaul26ix urged users to withdraw funds. “If you have money on Bunni, remove it ASAP,” they posted. This warning followed concerns that attackers could continue draining assets if liquidity remained in vulnerable pools.
Later, Bunni confirmed the breach in a statement on X. “The Bunni app has been affected by a security exploit,” the team announced. They added that all smart contract functions across networks were paused as a precaution.
Hooks and the Expanding Attack Surface
Bunni operates on Uniswap v4’s hooks system. Uniswap Labs CEO Hayden Adams described hooks as “plugins to customize how pools, swaps, fees, and LP positions interact.” The feature allows protocols to add unique functionality on top of Uniswap’s framework.
Although Uniswap v4 includes advanced features like flash accounting, singleton architecture, and native ETH support, hooks create new attack points. The Bunni exploit demonstrated how customization, while powerful, can increase risk when mechanisms lack thorough testing.
KyberNetwork co-founder Victor Tran detailed how the exploit worked. “Exploiter figured out they could manipulate this LDF by making trades of very specific sizes,” he wrote on X. Tran explained that these trades broke the rebalancing calculation, producing incorrect results for liquidity provider shares.
The attacker repeated the exploit multiple times without triggering immediate alarms, gradually draining millions. This showed how vulnerabilities in custom logic can allow stealth attacks that bypass standard detection systems.
Broader Security Concerns in DeFi
Bunni’s liquidity runs through Euler Finance, a lending and borrowing protocol that also builds financial products. Following the attack, Euler founder Michael Bentley explained that Bunni routes liquidity in/out of Euler at times, but Euler itself wasn’t affected. His explanation was a response to concerns about wider contagion.
One of the biggest selling points of newer DeFi releases is the addition of advanced features such as automated rebalancing, flexible fee structures, and instant capital availability. But these innovations often introduce new vulnerabilities, since they are rarely stress-tested against real-world attack scenarios.
To address such risks, security experts emphasize the importance of preventive measures. Recommended practices include formal audits, adversarial simulations, time-delayed deployments, and well-funded bug bounty programs. These measures, experts note, are critical for hooks and other features that alter asset accounting.
The Bunni incident also fits into a larger trend. According to PeckShield, hackers stole over $163 million across 16 incidents in August, marking a 15% increase from July’s $142 million. Although thefts remain 47% lower year-over-year, attackers appear to be shifting strategies.