Decentralized exchange protocol Bunni has officially announced its shutdown after experiencing an $8.4 million exploit last month.
This makes Bunni the second crypto project to halt operations in October, following the Kadena Organization, which also decided to step back from its project amid ongoing challenges.
The Bunni Hack: What Happened?
On September 2, an attacker stole $8.4 million from the Bunni exchange. In a detailed post-mortem report, the platform explained that the hacker exploited a rounding-direction bug in the smart contract’s withdrawal logic, using a combination of flash loans, micro-withdrawals, and sandwich attacks.
The vulnerability allowed the attacker to artificially reduce and inflate the pool’s total liquidity, extracting profits from manipulated swaps. Bunni noted that two pools — weETH/ETH on Unichain and USDC/USDT on Ethereum — were affected. However, the largest pool, Unichain USDC/USD₮0, escaped exploitation due to insufficient flash loan liquidity.
“This exploit was a horrible thing that’s been hard on Bunni’s users as well as our team. We’re a small team of 6 people who are passionate about building in DeFi and pushing the industry forward. We spent years of our lives and millions of dollars to launch Bunni, because we firmly believe it is the future of AMMs and will go on to process trillions of dollars in value,” the team wrote.
DefiLlama data showed that after the hack, Bunni’s Total Value Locked (TVL) declined from $50.82 million to just $1.3 million in a month, marking a drop of 97.44%.
Bunni’s TVL Before and After The Hack. Source: DefiLlama
$8.4 Million Exploit Forces DEX to Halt Operations
Multiple attempts to recover from the incident, including a proposal to let the attacker keep 10% of the stolen funds if the rest was returned, proved unsuccessful.
In a recent update, Bunni announced its decision to wind down operations, citing the heavy strain caused by the exploit. The team noted that relaunching would require comprehensive audits and constant monitoring, with estimated costs running hundreds of thousands to millions of dollars, which exceeded available capital.
“It’d also take months of development & BD effort just to get Bunni back to where it was before the exploit, which we cannot afford. Thus, we have decided it’s best to shut down Bunni,” the announcement reads.
Bunni notified its users that they can withdraw funds through the website. Furthermore, based on a snapshot, the team plans to distribute the remaining treasury assets to BUNNI, LIT, and veBUNNI holders, excluding the team members.
The distribution details will be released after the legal processes are completed. Meanwhile, the team is cooperating with law enforcement in attempts to recover the stolen funds.
“The Bunni v2 smart contracts have been relicensed from BUSL to MIT, enabling everyone to utilize our innovations such as LDFs, surge fees, and autonomous rebalancing. We have pushed the AMM space forward by a generation, and it would be a shame if our efforts went to waste,” the team added.
Crypto platforms and exchanges face mounting threats, with incidents like Bunni’s emphasizing the need for strong security. The industry lost $127.06 million in September, with 20 large-scale attacks recorded.
Besides security reasons, volatile market conditions have also forced platforms to leave the market. Yesterday, the Kadena Organization ceased all business operations, leaving the Kadena blockchain to independent miners.