Flaw in Liquidity Logic Leaves Users at Risk
Decentralized exchange Bunni has paused all smart contracts after suffering a major exploit that drained about $2.4 million in stablecoins. The breach targeted the platform’s custom liquidity distribution function, prompting urgent warnings for users to withdraw funds.
According to on-chain security reports, the attacker manipulated Bunni’s Ethereum-based smart contracts, siphoning $1.33 million in USDC and $1.04 million in USDT to a single wallet.
“The Bunni app has been affected by a security exploit,” the team announced on X, adding that all contract operations are suspended across networks as investigations continue.
Bunni urged users to remove funds immediately, with a core contributor stating: “If you have money on Bunni, remove it ASAP.”
How the Attack Worked
Bunni operates on Uniswap v4 but uses a custom mechanism called the Liquidity Distribution Function (LDF) instead of the standard model. The LDF was designed to optimize liquidity across price ranges, but researchers found it contained a critical flaw in its rebalancing logic.
Victor Tran, co-founder of KyberNetwork, explained:
“The exploiter figured out they could manipulate this LDF by making trades of very specific sizes. These trades broke the calculation for liquidity shares, allowing the attacker to drain funds.”
The attacker executed multiple transactions to avoid detection, steadily emptying liquidity pools.
Bunni routes liquidity through Euler Finance, but the lending protocol clarified that it was not impacted by the exploit. CEO Michael Bentley confirmed that Euler’s systems remain secure, easing concerns about a wider contagion.
Crypto Hacks Continue to Surge
This incident adds to a worrying trend. August alone saw $163 million stolen across 16 exploits, a 15% increase from July, according to PeckShield. While losses are still 47% lower year-over-year, targeted attacks on DeFi platforms and centralized exchanges are becoming increasingly sophisticated.