A significant security breach has hit the decentralized exchange Bunni, resulting in an estimated loss of $2.3 million on the Ethereum blockchain. The incident, which occurred on September 2, 2025, was flagged by blockchain security scanner BlockSec Phalcon, whose alert indicated unauthorized access to Bunni’s smart contracts. The specific method employed by the attackers has not yet been revealed.
In a tweet, BlockSec Phalcon alerted users: “Our system detected a suspicious transaction targeting @bunni_xyz’s contract on #Ethereum, and the loss is ~$2.3M. Please take actions ASAP.” Following the detection of the exploit, investigators found that funds were transferred to the address 0xE04e…64f2b, which contained tokens from Aave, specifically Ethereum USDC and USDT.
In response to the exploit, the Bunni protocol swiftly announced a pause of all smart contract operations across its networks. The team assured its users that they were investigating the breach and vowed to keep them updated. A message shared via social media stated, “The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience.”
Bunni operates as a decentralized exchange (DEX), facilitating peer-to-peer crypto trading without reliance on a centralized intermediary. The platform relies heavily on smart contracts to manage transactions. The breach has raised concerns about smart contract security, with experts emphasizing the importance of robust defenses against vulnerabilities that can arise from coding errors, blockchain weaknesses, and flaws in programming languages.
Michael Bentley, Co-founder and CEO of Euler Labs, advised users to withdraw their funds from Bunni immediately. He said that although Bunni interacts with Euler protocols, Euler itself remains unaffected by the exploit.
The breach highlights the ongoing risks associated with smart contracts. According to blockchain security firm CertiK, vulnerabilities in these contracts contributed to over $686 million in losses in 2023 alone. Experts from Apex have pointed out that staying safe with smart contracts can involve engaging only with those audited by reputable firms and restricting token approval permissions to mitigate wallet-draining exploits.
As the investigation continues, the incident serves as a stark reminder of the imperative for heightened security measures within decentralized financial ecosystems, prompting users and developers alike to remain vigilant in protecting their digital assets.