By Bunni DEX shuts down after $8.4M DeFi exploit
In a new blow for the decentralized finance industry, Bunni has announced its closure following a severe exploit that halted its operations.
Summary
- Bunni DEX has shut down after losing $8.4M in a September exploit.
- Users can still withdraw assets, with a treasury distribution planned.
- Its smart contracts were open-sourced under the MIT license.
Bunni, the decentralized exchange known for its liquidity innovations, has officially shut down following a major exploit that drained over $8.4 million in user funds.
The decision was announced on Oct. 23 via the project’s official X account, where the team said the hack had halted growth and left the project unable to afford a secure relaunch. The closure marks the end of one of DeFi’s most technically ambitious exchanges built on Uniswap (UNI) V4 hooks.
Hack leaves project unable to recover
The attack, which targeted Bunni’s primary Ethereum (ETH) and Unichain smart contracts, took place in early September. Attackers exploited a vulnerability in the project’s Liquidity Distribution Function, a feature designed to optimize liquidity provider returns, allowing them to withdraw more assets than entitled through flash loan manipulation and rounding errors.
Roughly $8.4 million was drained, mostly in USDC and USDT, before the team froze contract operations. A 10% bounty was offered to recover the funds, but the attacker never responded. Despite earlier audits by Trail of Bits and Cyfrin, the bug was classified as a “logic-level flaw” rather than an implementation error.
Since the hack, Bunni’s total value locked has dropped from over $60 million to near zero, with trading and development activity grinding to a halt.
Open-source farewell and user compensation plan
In its shutdown statement, the Bunni team said it would have required “six to seven figures” in audit and monitoring costs, plus months of redevelopment, to safely resume operations, an expense it could not meet.
Users will still be able to withdraw funds through the Bunni website until further notice. Remaining treasury assets will be distributed to BUNNI, LIT, and veBUNNI holders based on a snapshot once the legal process concludes. Team members will be excluded from the distribution.
As a final move, Bunni relicensed its v2 smart contracts from BUSL to MIT, making its technologies, including LDFs, surge fees, and autonomous rebalancing, freely available to other developers. The team said it continues to work with law enforcement to recover stolen funds.
The shutdown adds to a difficult year for blockchain security, with over $3.1 billion lost in hacks and exploits so far in 2025.
