Decentralized Exchange Bunni Suffers $2.3 Million Smart Contract Exploit
An error in Bunnis Intelligent Contracts enabled an attacker to steal around $2.3 million in stable coins, forcing the decentralized exchange to halt all activities while examining the violation. The incident has raised concerns about the security of decentralized exchanges and the potential risks associated with smart contracts.
Summary of the Incident
The decentralized exchange Bunni suffered a security breach on Tuesday, September 2, 2025, resulting in the theft of approximately $2.3 million in stable coins. The exchange announced the exploit via an X-post and added that all smart contract functions were paused in every network to prevent further damage.
The blockchain security company Blocksec was one of the first to detect the suspicious activities and noted that an attacker exploited a bug in Bunnis to drain funds. According to Blocksec, the attacker performed a series of careful trades that utilized the Liquidity Distribution Function (LDF) of Bunni, a custom mechanism designed to distribute liquidity more evenly across different price ranges and enable more complex trading strategies.
Details of the Exploit
Each of these trades disguised the reversal of the pool, allowing the attacker to pull out more tokens than were actually available. The attacker repeated this cycle several times, triggering the vaults until they reached approximately $2.3 million in stable coins. On-chain data shows that the stolen assets are consolidated into a single Ethereum wallet, with $1.33 million in USDC and $1.04 million in USDT.
The attack came at a critical time for Bunni, which had just reached a local high with around $60 million in total value locked (TVL) at the end of August. The exchange, which was launched in February and is built on Uniswap V4 technology, had also seen significant trading volumes, with over $1 billion in commercial volume.
Impact on the Crypto Industry
The incident marks the first major DeFi exploit in September and follows a series of high-profile hacks in August that shook the industry. According to reports, the losses from hacks and exploits in August reached around $163 million in 16 incidents, a significant increase from July when around $142 million was lost.
The biggest hits came from a social engineering attack, in which a Bitcoin whale was stolen for $91 million, and a second major breach of Turkish exchange Btcturk, which resulted in the loss of around $48 million. The wave of exploits in August made it one of the most expensive months of 2025 for the industry, with total losses exceeding $3.1 billion, far above the $2.2 billion lost in 2024.
For more information on the Bunni exploit and the latest developments in the crypto industry, please visit https://crypto.news/decentralized-exchange-bunni-hit-by-2-3m-smart-contract-exploit/
