While Bunni DEX had recently celebrated surpassing $60 million in total value locked and crossing the $1 billion trading volume milestone in August 2025, the decentralized exchange discovered that rapid growth can make platforms particularly attractive targets when hackers drained approximately $8.4 million in stablecoins through an exploit that would have been almost comedic in its precision if not for the devastating financial consequences.
The attack exploited a precision bug within Bunni’s custom Liquidity Distribution Function—specifically targeting the rebalancing logic that governed how trades were processed and liquidity recalculated. Rather than executing a dramatic smash-and-grab operation, the attackers demonstrated exceptional patience, conducting repeated, precisely-sized transactions that systematically depleted funds without triggering the platform’s automated security systems.
The hackers’ surgical precision in exploiting the rebalancing logic demonstrated a patience that bordered on artisanal craftsmanship.
One wonders whether the hackers possessed more intimate knowledge of the protocol’s mechanics than some of its own developers.
The vulnerability emerged despite prior audits, likely surfacing following recent codebase updates that inadvertently introduced the flaw. Attackers primarily targeted USDT and USDC from Bunni’s vaults, then orchestrated a sophisticated laundering operation through various DeFi protocols, particularly Aave. The stolen stablecoins were converted into Ethereum and distributed across lending pools, creating a labyrinthine trail that greatly complicated recovery efforts.
Initial damage assessments ranged between $2.3 million and $8.4 million, reflecting either incomplete early evaluations or differences in affected contracts—a discrepancy that hardly inspires confidence in real-time monitoring capabilities.
The platform immediately suspended all smart contract operations across networks, while the BUNNI token plummeted over 35% within an hour of the attack’s disclosure. The incident occurred amid a broader surge in crypto-related security breaches, with August losses exceeding $163 million across 16 separate incidents. This attack highlights the ongoing evolution of cyber tactics that continue to threaten crypto markets and platforms globally.
The timing proved especially brutal, occurring just as Bunni had established itself as a legitimate competitor in the DEX landscape. The exploit’s sophistication—leveraging complex interactions between Bunni’s liquidity protocols and external DeFi lending platforms—suggests either insider knowledge or exhaustive reverse-engineering efforts.
Community contributors urged immediate fund withdrawals as forensic analysis continues, though the platform’s reputation has sustained damage that may prove more costly than the actual financial losses. The incident serves as another reminder that in DeFi, yesterday’s audit provides little comfort against tomorrow’s exploit.
