Bunni DEX Heist: Operations Frozen

In September 2025, attackers systematically drained $8.4 million from Bunni DEX by exploiting a vulnerability in the platform’s custom Liquidity Distribution Function—a feat that required understanding not just the intricacies of Uniswap v4’s hook architecture, but also the specific rebalancing logic that Bunni’s developers had implemented across two networks.

The sophistication of this exploit lies in its surgical precision. Rather than brute-forcing their way through standard smart contract vulnerabilities, the attackers demonstrated an intimate familiarity with Bunni’s implementation of Uniswap v4’s “hooks” feature, which allows for customizable pool behavior. Through calibrated trades that manipulated the rebalancing logic, they methodically drained liquidity from targeted stablecoin pools—$6 million from Unichain’s layer-2 infrastructure and $2.4 million from Ethereum mainnet.

The laundering operation proved equally methodical. Attackers swapped portions of the stolen funds to ETH before bridging across chains via the Across Protocol, creating a labyrinthine trail that complicated forensic analysis. Bridge transactions further obscured the path of $2.37 million as it flowed through Aave lending pools and various decentralized exchanges. Security firm CertiK reported additional forensic analysis confirming the scale of losses on the Ethereum network specifically.

Bunni DEX’s response was swift, if drastic: complete operational shutdown across all supported networks. The BunniHub contract system, which managed the platform’s liquidity distribution mechanisms, fell silent as developers initiated emergency protocols and forensic investigations. Trading and liquidity provision functionalities remain suspended indefinitely.

This incident illuminates the precarious position of DeFi protocols pioneering novel liquidity mechanisms without exhaustive security vetting. The exploit’s success hinged on what security researchers classify as a “custom LDF” vulnerability—a category that traditional smart contract audits might overlook precisely because it involves bespoke logic rather than common implementation flaws. GoPlus’s Chinese community first raised awareness of the security breach through its alert system on September 2.

The timing couldn’t be worse for DeFi’s reputation. August 2025 alone witnessed $163 million stolen from various protocols, making Bunni’s $8.4 million loss another substantial contribution to the year’s mounting tally of institutional-grade thefts. Unlike traditional stock markets with established regulatory oversight, crypto assets operate through blockchain networks with minimal consumer protection, leaving investors particularly vulnerable to such sophisticated attacks.

For liquidity providers and retail investors, the incident serves as a stark reminder that innovation in decentralized finance often comes with the implicit understanding that users are beta testing financial infrastructure in real-time—with real money at stake.