Bunni DEX paused following $2.4M exploit of liquidity function

Timothy Wuich

Bunni Exploit Results in $2.4 Million Loss

Decentralized exchange Bunni has suffered a security exploit, resulting in the loss of approximately $2.4 million in stablecoins. Attackers manipulated the platform’s liquidity calculations, as detailed by on-chain data provided by several Web3 security firms.

“The Bunni app has been affected by a security exploit,” the team acknowledged on X on Tuesday. “As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon,” they further stated.

The attack was directed at Bunni’s Ethereum-based smart contracts. Funds were siphoned to an address that held $1.33 million in USDC and $1.04 million in USDT.

Bunni core contributor @Psaul26ix urged users to withdraw their funds from the platform immediately. “If you have money on Bunni remove it ASAP,” they posted on X.

Initial Analysis of the Vulnerability

Although a comprehensive technical post-mortem is still pending, early assessments from developers and researchers indicate a flaw in how Bunni manages liquidity rebalancing.

Bunni, which is built on Uniswap v4, employs a unique mechanism called the Liquidity Distribution Function (LDF) rather than relying on Uniswap’s default logic. This approach allows Bunni to enhance liquidity allocation across various price ranges, aiming to boost returns for liquidity providers.

According to Victor Tran, co-founder of KyberNetwork, the attacker could manipulate the LDF curve by executing trades of particular sizes that activated flawed rebalancing logic. “The exploiter figured out they could manipulate this LDF by making trades of very specific sizes,” Tran noted on X. “These carefully chosen amounts caused the rebalancing calculation to break, yielding incorrect results for how much each LP share should own,” he added.

The attacker seemingly executed the exploit multiple times, gradually draining the protocol’s funds without raising immediate alarms.
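The kind of check a defender can run around a swap-triggered rebalance, added here as an example that is not the page's or Bunni's code: a reconciliation monitor over a hypothetical pool model. The data model (pool reserves, LP share balances and a ledger of per-LP claims), the constructed snapshots and the LP names are all assumptions, not Bunni's LDF; the monitor flags a rebalance whose ledger promises more than the pool holds or credits one LP beyond its proportional share, which is the symptom the quoted analysis describes.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PoolSnapshot:
    """One observation of a hypothetical LP pool (assumed model, not Bunni's).

    reserve0/reserve1 are the token balances actually held by the pool;
    shares is each LP's share-token balance; claim0/claim1 are the amounts of
    each token the rebalancing ledger says that LP is entitled to withdraw.
    """
    reserve0: int
    reserve1: int
    shares: Dict[str, int]
    claim0: Dict[str, int]
    claim1: Dict[str, int]


def reconcile(before: PoolSnapshot, after: PoolSnapshot, tolerance_bps: int = 1) -> List[str]:
    """Compare two snapshots bracketing a rebalance and return the list of
    invariant violations (an empty list means the ledger is consistent).

    tolerance_bps absorbs integer rounding in the ledger, expressed in basis
    points of the relevant reserve.
    """
    findings: List[str] = []

    # Invariant 1: a swap moves reserves between tokens but never mints or
    # burns LP shares; a changed supply means the accounting path is wrong.
    if sum(after.shares.values()) != sum(before.shares.values()):
        findings.append("LP share supply changed during a rebalance")

    supply = sum(after.shares.values())
    if supply == 0:
        findings.append("zero share supply after rebalance")
        return findings

    for token, reserve, claims in (
        ("token0", after.reserve0, after.claim0),
        ("token1", after.reserve1, after.claim1),
    ):
        slack = reserve * tolerance_bps // 10_000

        # Invariant 2: the ledger must never promise more than the pool holds.
        promised = sum(claims.values())
        if promised > reserve + slack:
            findings.append(
                f"{token}: ledger promises {promised} but reserves are {reserve}"
            )

        # Invariant 3: each LP's claim stays proportional to its share of supply.
        for lp, lp_shares in after.shares.items():
            expected = reserve * lp_shares // supply
            recorded = claims.get(lp, 0)
            if recorded > expected + slack:
                findings.append(
                    f"{token}: {lp} recorded {recorded}, proportional claim is {expected}"
                )

    return findings


# Constructed sample data: a two-LP pool before a swap, the consistent state a
# correct rebalance should leave behind, and a state in which the ledger
# over-credits one LP in token1 (what a miscomputed per-share result would
# look like to a monitor).
BEFORE = PoolSnapshot(
    reserve0=1_000_000, reserve1=1_000_000,
    shares={"alice": 600, "bob": 400},
    claim0={"alice": 600_000, "bob": 400_000},
    claim1={"alice": 600_000, "bob": 400_000},
)
AFTER_OK = PoolSnapshot(
    reserve0=1_100_000, reserve1=905_000,
    shares={"alice": 600, "bob": 400},
    claim0={"alice": 660_000, "bob": 440_000},
    claim1={"alice": 543_000, "bob": 362_000},
)
AFTER_BAD = PoolSnapshot(
    reserve0=1_100_000, reserve1=905_000,
    shares={"alice": 600, "bob": 400},
    claim0={"alice": 660_000, "bob": 440_000},
    claim1={"alice": 543_000, "bob": 420_000},  # ledger promises 58,000 more token1 than the pool holds
)

if __name__ == "__main__":
    print("consistent rebalance:", reconcile(BEFORE, AFTER_OK))
    for finding in reconcile(BEFORE, AFTER_BAD):
        print("ALERT:", finding)
```

Run against an indexer's per-block snapshots, the same three invariants would fire on the first rebalance that over-credits a share, which is earlier than a treasury balance check that only notices once withdrawals exceed reserves.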

In August, crypto hackers and scammers stole over $163 million across 16 separate incidents, representing a 15% increase from July’s $142 million. While this figure remains 47% lower compared to the previous year, it indicates a concerning rise in targeted attacks as crypto markets continue to gain momentum.

PeckShield and other cybersecurity experts have observed a strategic shift in hacker behavior, with attackers now concentrating on centralized exchanges and high-value individuals, instead of smaller, decentralized targets.

The most significant loss in August stemmed from a social engineering attack, where a Bitcoiner was deceived into sending 783 BTC (valued at $91 million) to attackers masquerading as support agents from a crypto exchange and hardware wallet provider.
