The decentralized finance (DeFi) minefield claimed its latest victim this morning as Bunni, an exchange built on top of Uniswap, was exploited for a reported $8.4 million.
According to the Bunni website, the app “maximizes liquidity provider profits in all market conditions.” Today’s losses suggest otherwise.
Roughly two hours after crypto security audit firm BlockSec raised the alarm over the suspicious transactions, the Bunni team acknowledged the incident and paused its contracts across all networks.
🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thanks for your patience.
— Bunni (@bunni_xyz) September 2, 2025
BlockSec had initially flagged losses of around $2.3 million on Ethereum but, when more audit firms looked into the incident, the total quickly grew on other networks.
Hacken identified an additional $6 million on Unichain, Uniswap’s own network, bringing the total to $8.4 million.
The stolen funds remain in two addresses, which contain the proceeds from the attacks on Ethereum and Unichain, respectively.
Bunni attack all about precision
The exploit appears to be related to a precision bug in the platform’s “liquidity distribution function” curve, according to KyberSwap CEO and co-founder Victor Tran’s analysis.
The bug allowed the hacker to “manipulate this LDF by making trades of very specific sizes.”
The trades “caused the rebalancing calculation to break, giving wrong results for how much each [liquidity provider] share should own.”
The hacker repeated the process, withdrawing more LP tokens and draining Bunni’s liquidity pools.
Helpfully, for those deciphering the cause of the exploit, the hacker had left over 1,000 logs of events during the attack transaction, with comments such as “Depositing to euler” and “Unlock Callback.”
Bunni’s codebase had been audited by well-respected security firms including Trail of Bits and Cyfrin, with “critical” findings in most of the reports.
At the time of writing, it remains unclear whether today’s exploit falls under the scope of those audit reports.
In response to the hack, Euler’s co-founder Michael Bentley was keen to point out that “Bunni rebalances funds in/out of Euler but Euler is not affected or at risk.”
The $1.5 billion DeFi lending giant was itself hacked in March 2023 for around $200 million, its entire holdings at the time.