Bunni DEX’s smart contracts fell silent across multiple blockchain networks this week after hackers exploited a precision bug in the platform’s custom Liquidity Distribution Function (LDF), making off with approximately $8.4 million in what has become another cautionary tale about the perils of building proprietary logic atop established protocols.
The attackers demonstrated remarkable sophistication, executing precisely calibrated trades that manipulated Bunni’s rebalancing logic to access tokens far exceeding their legitimate entitlements. This wasn’t your garden-variety flash loan attack—the exploit targeted a fundamental flaw in how the platform’s custom LDF recalculated liquidity positions, effectively bypassing Uniswap v4’s standard mechanisms that might have otherwise provided safeguards.
Most of the carnage occurred on Unichain, though Ethereum users weren’t spared from the digital bloodbath. The hackers showed particular fondness for stablecoins, mainly draining USDT and USDC reserves before methodically laundering $2.37 million through Aave and other DeFi protocols. One has to admire their efficiency, if not their ethics.
Bunni’s response followed the standard playbook: immediate contract suspension, urgent withdrawal advisories, and the requisite social media damage control within hours of detection. The platform’s $50-60 million total value locked took a predictable beating, though the reputational damage may prove more enduring than the financial losses. The team also offered a 10% bounty to the attacker in hopes of recovering the remaining stolen funds.
The vulnerability apparently stemmed from modifications to Bunni’s smart contract code that escaped previous audit scrutiny—a reminder that even thoroughly vetted protocols can harbor hidden risks when developers venture beyond established frameworks. The precision bug in their proprietary rebalancing logic created an opening that attackers exploited with surgical precision.
This breach contributes to a troubling pattern where 56.5% of 2025’s DeFi exploits have targeted retail investors, highlighting the ongoing tension between innovation and security in decentralized finance. While institutional players increasingly adopt core-satellite strategies emphasizing safety, retail users often bear the brunt of experimental protocol risks. Many affected users have turned to privacy-focused solutions to protect their remaining assets while the investigation continues.
The hackers’ initial fund movements avoided heavy obfuscation, suggesting either confidence in their escape routes or simple operational efficiency. By the time Bunni detected the breach, substantial portions of the drained funds had already begun their journey through the labyrinthine world of DeFi laundering protocols.