Bunni DEX Paused Following $2.4M Exploit of Liquidity Function

The decentralized exchange (DEX) Bunni has been hit by a significant security exploit, resulting in the loss of approximately $2.4 million in stablecoins. The attack, which targeted the platform's Ethereum-based smart contracts, allowed an attacker to drain funds from the protocol.

The incident was confirmed by the Bunni team on Tuesday, who announced that they had paused all smart contract functions on all networks as a precautionary measure. "The Bunni app has been affected by a security exploit," the team stated. "As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon."

The attack is believed to have occurred due to a flaw in the platform's custom liquidity logic, specifically in how it handles liquidity rebalancing. According to early analysis from developers and researchers, the attacker was able to manipulate the Liquidity Distribution Function (LDF) curve by executing trades of specific sizes that triggered faulty rebalancing logic.

"Exploiter figured out they could manipulate this LDF by making trades of very specific sizes," said Victor Tran, co-founder of KyberNetwork. "These carefully chosen amounts caused the rebalancing calculation to break, giving wrong results for how much each LP share should own."

The attacker appears to have executed the exploit multiple times, gradually draining the protocol's funds without immediately triggering alarms. As part of their response to the exploit, the Bunni protocol team has offered a 10% bounty to the attacker in exchange for the return of the remaining stolen funds.

How Bunni Fell Victim to the Hack

Bunni, built on top of Uniswap v4, uses a custom mechanism called the Liquidity Distribution Function (LDF) instead of Uniswap's default liquidity logic. This mechanism allows Bunni to optimize liquidity allocation across price ranges, aiming to increase returns for liquidity providers.

The Attack

The attacker was able to exploit the LDF curve by executing trades of specific sizes that triggered faulty rebalancing logic. The attacker drained funds to an address holding $1.33 million in USDC and $1.04 million in USDT.
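The report notes that the drain was spread over repeated executions that did not immediately trigger alarms. The following added example (not Bunni's code, and using constructed swap events rather than data from the incident) shows why a per-trade loss alarm misses that pattern and how a cumulative net-outflow check over a window of swaps catches it. It assumes a two-stablecoin pool valued 1:1, so each swap can be scored in a single unit as value paid out minus value paid in.

```python
"""Gradual-drain detector over a constructed sequence of stablecoin pool swaps."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Swap:
    tx: str          # constructed placeholder id, not a real transaction hash
    amount_in: int   # value the trader paid into the pool
    amount_out: int  # value the pool paid out to the trader


def leak(s: Swap) -> int:
    """Value the pool lost on one swap; a fair 1:1 stablecoin swap never pays out more than it takes in."""
    return s.amount_out - s.amount_in


def per_trade_alerts(swaps: List[Swap], reserve: int, max_frac: float) -> List[str]:
    """Naive alarm: flag a swap only if its own leak exceeds max_frac of reserves."""
    return [s.tx for s in swaps if leak(s) > reserve * max_frac]


def cumulative_alerts(swaps: List[Swap], reserve: int, max_frac: float, window: int) -> List[str]:
    """Flag each swap at which net outflow over the last `window` swaps exceeds max_frac of reserves."""
    alerts = []
    for i in range(len(swaps)):
        recent = swaps[max(0, i - window + 1): i + 1]
        if sum(leak(s) for s in recent) > reserve * max_frac:
            alerts.append(swaps[i].tx)
    return alerts


# Constructed sample: 1,000,000 in reserves; every even swap leaks 2,500 (0.25%),
# every odd swap is a normal fee-paying trade. No single swap crosses a 1% alarm,
# but the rolling net outflow does.
RESERVE = 1_000_000
SAMPLE = [Swap(f"tx{i}", 50_000, 52_500 if i % 2 == 0 else 49_900) for i in range(12)]


def run_sample():
    """Return (per-trade alerts, cumulative alerts) for the constructed sample."""
    return (per_trade_alerts(SAMPLE, RESERVE, 0.01),
            cumulative_alerts(SAMPLE, RESERVE, 0.01, window=10))


if __name__ == "__main__":
    naive, rolling = run_sample()
    print("per-trade alarm fired on:", naive)     # []
    print("cumulative alarm fired on:", rolling)  # ['tx8', 'tx9', 'tx10', 'tx11']
```

The per-trade check stays silent for the whole sequence, while the rolling check fires once the accumulated leak passes 1% of reserves, which is the kind of invariant a protocol can monitor off-chain or enforce on-chain with a pause.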

Consequences and Response

The attack has prompted the Bunni team to pause all smart contract functions on all networks, with the aim of investigating and resolving the issue.

"If you have money on Bunni, remove it ASAP," warned @Psaul26ix, a core contributor to the platform. "The situation is critical."

Euler Finance Clarifies Its Protocol Is Unaffected

Euler co-founder and CEO Michael Bentley clarified that the Euler protocol itself remains unaffected by the exploit.

"We take the security of our users very seriously," said Bentley. "We are working closely with the Bunni team to understand the root cause of the issue and implement measures to prevent similar attacks in the future."

Rise in Crypto Hacks

The incident is part of a growing trend of crypto hacks, which have seen significant losses in recent months. In August alone, hackers stole over $163 million across 16 separate incidents, marking a 15% increase from July's $142 million.

Shift in Hacker Behavior

PeckShield and other cybersecurity experts noted a strategic shift in hacker behavior, with attackers now focusing on centralized exchanges and high-value individuals, rather than smaller, decentralized targets.

"The rise of targeted attacks highlights the need for increased security measures in the crypto space," said [Name], a cybersecurity expert. "We must work together to prevent these types of incidents and protect our users' assets."