TL;DR
- Scale of the exploit: Bunni lost $8.4 million after a precision bug let an attacker drain the liquidity pools on Ethereum and Unichain.
- Attack method: The hackers manipulated liquidity distribution calculations with specific trade sizes to withdraw excess LP tokens.
- Security concerns: Despite previous audits, the breach raises questions about ongoing code review and the resilience of the DeFi platform.
Decentralized exchange protocol Bunni, built on top of Uniswap, suffered a major security breach, causing $8.4 million in losses. The exploit, identified by several blockchain security firms, targeted a precision bug in the platform's liquidity distribution function, allowing the attacker to drain funds from liquidity pools across Ethereum and Unichain.
🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will soon provide updates. Thanks for your patience.
– bunni (@bunni_xyz) September 2, 2025
Quick detection and contract suspension
The incident came to light when the audit firm BlockSec reported suspicious transactions involving around $2.3 million on Ethereum. Within two hours, Bunni confirmed the breach and paused all smart contract functions on every supported network as a precaution. Further investigation by Hacken revealed an additional loss of $6 million on Unichain, which is Uniswap's network, bringing the total amount stolen to $8.4 million. The stolen funds remain in two known wallet addresses linked to the attacker.
Technical flaw in the distribution of liquidity
According to the CEO of KyberSwap, Victor Tran, the vulnerability stemmed from a flaw in the curve of Bunni's liquidity distribution function. The attacker executed trades of very specific sizes to manipulate the rebalancing calculation, producing incorrect results for the share allocations of liquidity providers. By repeating this process, the attacker was able to withdraw excess LP tokens and systematically empty the liquidity reserves.
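The class of bug described above, as an added example that is not Bunni's contract code: a toy integer share pool where the withdrawal rounding direction is an assumption standing in for the real flaw (the page does not give the actual calculation), together with the price-per-share invariant a test suite or fuzzer would assert after every operation. `ToyPool`, `audit_sequence` and the starting balances are constructed for illustration.

```python
# Constructed toy model of LP-share accounting; NOT Bunni's contract code.
# Assumption: the precision bug is modelled as a withdrawal that rounds in
# the withdrawer's favour. The page does not give the real calculation.

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


class ToyPool:
    def __init__(self, assets: int, shares: int, round_up_withdrawals: bool):
        self.assets, self.shares = assets, shares
        self.round_up_withdrawals = round_up_withdrawals

    def deposit(self, amount: int) -> int:
        minted = amount * self.shares // self.assets  # rounds down, favours pool
        self.assets += amount
        self.shares += minted
        return minted

    def withdraw(self, shares: int) -> int:
        owed = shares * self.assets
        if self.round_up_withdrawals:
            paid = ceil_div(owed, self.shares)  # modelled flaw: favours withdrawer
        else:
            paid = owed // self.shares          # hardened: favours remaining LPs
        self.assets -= paid
        self.shares -= shares
        return paid


def price_per_share_held(before: tuple, after: tuple) -> bool:
    """Invariant: assets per share never decreases (cross-multiplied, no division)."""
    (a0, s0), (a1, s1) = before, after
    return a1 * s0 >= a0 * s1


def audit_sequence(round_up_withdrawals: bool, deposit: int, chunk: int) -> dict:
    """Deposit once, withdraw in `chunk`-share pieces, check the invariant each step."""
    pool = ToyPool(1000, 300, round_up_withdrawals)  # constructed starting state
    start_assets = pool.assets
    remaining = pool.deposit(deposit)
    violations = 0
    while remaining > 0:
        n = min(chunk, remaining)
        before = (pool.assets, pool.shares)
        pool.withdraw(n)
        remaining -= n
        if not price_per_share_held(before, (pool.assets, pool.shares)):
            violations += 1
    return {"violations": violations, "pool_delta": pool.assets - start_assets}
```

With the modelled flaw, withdrawing all shares at once passes the invariant while one-share withdrawals break it at every step, so an invariant test has to vary operation sizes and run after each operation, not only at the end of a round trip.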
Audit history and unanswered questions
The Bunni codebase had already undergone reviews by respected security firms, including Trail of Bits and Cyfrin, with several reports noting critical findings. It is not clear whether the exploited bug was identified in these audits or introduced later. The attacker's transactions left more than 1,000 event logs, some containing comments like “Deposit in Euler” and “Unlock the recall”, offering investigators a detailed trail of breadcrumbs through the execution of the exploit.
Wider security context
In the wake of the breach, the co-founder of Euler, Michael Bentley, said that while Bunni rebalances funds in and out of Euler, the $1.5 billion lending protocol was not affected. In March 2023, Euler was hacked for $200 million, underscoring the ongoing risks in DeFi. The Bunni exploit adds to a growing list of incidents highlighting the need for rigorous and continuous security measures in decentralized finance platforms.