Cointelegraph by Amin Haqshanas
Decentralized exchange Bunni fell victim to an exploit, losing about $2.4 million in stablecoins after attackers manipulated the platform’s liquidity calculations, according to onchain data by multiple Web3 security firms.
“The Bunni app has been affected by a security exploit,” its team confirmed on X on Tuesday. “As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon,” the team added.
The attack targeted Bunni’s Ethereum-based smart contracts. Funds were drained to an address holding $1.33 million in USDC and $1.04 million in USDt (USDT).
Bunni core contributor @Psaul26ix asked users to withdraw funds from the platform as soon as possible. “If you have money on Bunni, remove it ASAP,” they wrote on X.
Bunni channels liquidity through Euler Finance, a decentralized lending platform that enables users to borrow, lend and design structured crypto products. Following the incident, Euler co-founder and CEO Michael Bentley clarified that the Euler protocol itself remains unaffected.
Cointelegraph reached out to Bunni and Euler for comment, but had not received a response by publication.
How Bunni fell victim to the hack
While a technical post-mortem remains incomplete, early analysis from developers and researchers points to a flaw in how Bunni handles liquidity rebalancing.
Bunni, built on top of Uniswap v4, uses a custom mechanism called Liquidity Distribution Function (LDF) instead of Uniswap’s default logic. This mechanism allows Bunni to optimize liquidity allocation across price ranges, aiming to increase returns for liquidity providers.
According to Victor Tran, co-founder of KyberNetwork, the attacker was able to manipulate the LDF curve by executing trades of specific sizes that triggered faulty rebalancing logic.
“Exploiter figured out they could manipulate this LDF by making trades of very specific sizes,” Tran wrote on X. “These carefully chosen amounts caused the rebalancing calculation to break, giving wrong results for how much each LP share should own,” he added.
The attacker appears to have executed the exploit multiple times, gradually draining the protocol’s funds without immediately triggering alarms.
Crypto hacks top $163 million in August
In August, crypto hackers and scammers stole over $163 million across 16 separate incidents, marking a 15% increase from July’s $142 million. While the figure is still 47% lower year-over-year, it reflects a troubling rise in targeted attacks as crypto markets gain momentum.
PeckShield and other cybersecurity experts noted a strategic shift in hacker behavior, with attackers now focusing on centralized exchanges and high-value individuals, rather than smaller, decentralized targets.
The largest loss in August came from a social engineering attack, where a Bitcoiner was tricked into sending 783 BTC (worth $91 million) to attackers posing as support agents from a crypto exchange and hardware wallet provider.