Decentralized exchange (DEX) BunniXYZ has reportedly lost $8.4 million to a liquidity-based security exploit.
According to on-chain security company Hacken, $6 million of the DEX’s funds was stolen on the Unichain blockchain and $2.4 million on Ethereum. All Unichain funds were then bridged to Ethereum using the Across Protocol.
Confirming the attack in a tweet, BunniXYZ said that it had paused all smart contract activity on its network and was “actively investigating” the circumstances of the attack. It added that it will provide updates soon.
🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thanks for your patience.
— Bunni (@bunni_xyz) September 2, 2025
Founded in February 2025, BunniXYZ is based on automated market maker Uniswap v4 and primarily uses the Ethereum and Unichain blockchains. It currently has a cross-chain Total Value Locked (TVL) of just over $50 million according to DeFiLlama, though it exceeded $80 million at one point earlier this August.
Michael Bentley, co-founder of lending protocol Euler, urged users to remove their funds from Bunni in a tweet, adding that while the DEX rebalances funds in and out of Euler, the lending protocol is “not affected or at risk.” Euler suffered a major exploit of its own in 2023 that saw hackers steal close to $200 million, the vast majority of which was later recovered.
What happened?
According to on-chain analyst Victor Tran, co-founder of Kyber Network, hackers manipulated Bunni’s “liquidity curve,” also known as its LDF (Liquidity Density Function). This is the system that calculates how much liquidity exists across the exchange and rebalances its liquidity pool to maintain the right ratio of tokens.
1. Bunni is a liquidity hook that runs on top of UniswapV4. Instead of using UniswapV4’s standard system, Bunni has its own liquidity curve called LDF (Liquidity Distribution Function).
2. After every trade, Bunni checks if its LDF curve has changed since the last trade. If it has,… https://t.co/uCSWXyuAt2
— Victor Tran (@vutran54) September 2, 2025
Tran said hackers manipulated this LDF “by making trades of very specific sizes.” This caused the rebalancing calculation to break, producing incorrect results for how much each liquidity pool share should own.
By repeating this process, hackers allegedly withdrew more tokens than they should have been able to from Bunni.
Bunni itself has not yet confirmed the mechanism behind the attack.