An error in Bunni’s smart contracts had an attacker steal around $ 2.3 million in stablecoins, forcing the decentralized exchange to stop all activities while investigating the infringement.
Summary
- Bunni Dex was operated for around $ 2.3 million in stablecoins after an attacker manipulated his adapted liquidity distribution function.
- The stolen funds were consolidated in a single Ethereum wallet with $ 1.33 million in USDC and $ 1.04 million in USDT.
- The incident follows a wave of Augustus exploits that caused $ 163 million in losses, resulting in the total losses of 2025 more than $ 3.1 billion.
The decentralized Exchange Bunni suffered a violation of security on Tuesday 2 September 2025. The exchange announced The exploitation via an X message, adding that it put all smart contract functions in each network to prevent further damage.
“The Bunni app has been hit by a security exploitation. As a precaution, we have paused all smart contract functions on all networks. Our team will be actively investigating and will soon offer updates.”
Blockchain Security Firm Blocksec was one of the first to mark the suspicious activities and noted that an attacker operated an error in Bunni’s contracts to dispose of funds.
The attacker carried out a series of carefully size transactions designed to use Bunni’s Liquidity distribution function (LDF), an adapted mechanism that replaces the standard logic of Uniswap, making it possible to spread the liquidity more and more complex trade strategies.
Each of these transactions skewed the rebalance logic of the swimming pool, so that the attacker could take more tokens out than actually available. The attacker repeated this cycle several times and let the safes off until they reached around $ 2.3 million in stablecoins.
Unclean facts Shows that the stolen assets are in a single Ethereum portion that now have $ 1.33 million in USDC (USDC) and $ 1.04 million in USDT (USDT).
The attack was at a peak for Bunni. The exchange, which was launched in February and works on both Ethereum and Unichain with the help of Uniswap V4 technology, had just reached a local peak with around $ 60 million in his safes at the end of August. It was also one of the strongest months of Bunni, with trade volumes of $ 1 billion.
The incident marks the first major Defi-exploit in September and will follow a series of high-profile hacks that the industry had already shaken in August.
Bunni Hack adds to the mounting of crypto exploits in 2025
August stood out as one of the most harmful months of the year for Defi and Crypto platforms. As previously reported by crypto.news, losses of hacks and exploits reached around $ 163 million for 16 incidents in August. This was a sharp increase compared to July, when around $ 142 million was lost.
The biggest hits came from a Social Engineering attack that stable $ 91 million from a Bitcoin -Walvis and a second major violation of the Turkish exchange BTCTurk that struck around $ 48 million.
The Gulf of Augustus exploits made it one of the most expensive months of 2025 for the industry. This builds on an already significant impact of the first half of the year, with total losses that exceed $ 3.1 billion, well above $ 2.2 billion registered for the whole of 2024.
