Bunni DEX Halts Operations After $8.4M Exploit Across Multiple Chains

02.09.2025 09:02

Bunni, a decentralized exchange built on Uniswap v4, has paused all smart contract functions following a major security breach that drained an estimated $8.4 million in cryptocurrency across multiple blockchain networks. The exploit primarily targeted BunniHub, the platform's main contract system.

Blockchain security firm CertiK reported that $2.3 million was stolen from Ethereum-based contracts, while additional losses occurred on Uniswap Labs' layer-2 network Unichain, bringing the total to approximately $8.4 million. The stolen funds have been traced to two Ethereum wallets.

According to on-chain data from multiple Web3 security firms, the attack involved the manipulation of Bunni's Liquidity Distribution Function (LDF), a custom mechanism that replaces Uniswap's default logic. Victor Tran, co-founder of KyberNetwork, explained that the attacker executed trades of specific sizes that triggered faulty rebalancing calculations, allowing them to gradually drain protocol funds without immediately triggering alarms.

The stolen assets included $1.33 million in USDC and $1.04 million in USDT. Bunni core contributor @Psaul26ix urged users to withdraw their funds from the platform immediately, stating, "If you have money on Bunni remove it ASAP."

The incident occurs amid a concerning trend in crypto security, with August seeing over $163 million stolen across 16 separate incidents, representing a 15% increase from July's $142 million in losses.