$2.4 Million Vanishes from Bunni DEX in Targeted Liquidity Exploit

Security researchers reviewing blockchain records confirmed that the loss occurred due to a flaw in how Bunni calculates liquidity distribution.

The incident was confirmed by the Bunni team on X on September 2, where they announced the shutdown of all smart contract activity across supported blockchains while the situation is under review.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

Harmony ONE Explained (Beginner-Friendly Animation)

SUBSCRIBE

ON YOUTUBE

Funds were drained from Bunni’s Ethereum ETH $4,321.83 contracts and moved into a single wallet. This wallet currently holds around $1.33 million in USDC USDC $0.9986 and another $1.04 million in USDT USDT $0.9980 .

Following the event, Bunni contributor @Psaul26ix urged users to exit the platform immediately and warned them to remove any remaining assets from its pools.

Bunni relies on Euler Finance to manage its lending and structured product offerings. Despite the connection, Euler’s CEO, Michael Bentley, made it clear that Euler’s own protocol was not impacted.

Instead of using the default Uniswap UNI $9.58 logic, Bunni uses its own Liquidity Distribution Function (LDF), designed to spread liquidity across different price levels to help providers earn better returns. However, this function appears to have been at the core of the issue.

Victor Tran, the co-founder of KyberNetwork, explained that the attacker had discovered a way to trick the system by making trades of exact sizes, which caused errors in the liquidity rebalancing process.

On September 1, attackers exploited a security flaw to steal WLFI tokens from Ethereum ETH wallets. How? Read the full story.