A major security breach has hit the decentralized exchange protocol Bunni, resulting in a staggering loss of $8.4 million. The exploit was identified by multiple blockchain security firms, revealing a precision bug in the platform’s liquidity distribution function that allowed hackers to drain funds from liquidity pools on Ethereum and Unichain.
Bunni’s core team acted quickly following the identification of the exploit. In a communication on social media, they confirmed that they had paused all smart contract functions across every supported network as a precautionary measure. They assured their users that an investigation was underway and promised to provide updates in the near future.
The incident first came to light when the blockchain security firm BlockSec flagged suspicious transactions involving around $2.3 million on Ethereum. Bunni confirmed the breach within two hours. Further analysis by Hacken revealed an additional loss of approximately $6 million on Unichain, bringing the total stolen to roughly $8.4 million. The compromised assets are believed to be held in two wallets linked to the attacker.
According to Victor Tran, CEO of KyberSwap, the vulnerability was rooted in a flaw within Bunni’s liquidity distribution function curve. The attacker executed trades with highly specific sizes, effectively manipulating the rebalancing calculation and leading to incorrect allocations of liquidity provider shares. This manipulation allowed the hacker to withdraw excess LP tokens, systematically emptying Bunni’s liquidity reserves in the process.
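The mechanism described above, a share-accounting calculation whose rounding can be tilted in the caller's favour by choosing trade sizes carefully, is easiest to see in integer arithmetic. The following is an added toy model written for this page; it is not Bunni's contract code and not a reconstruction of the actual exploit. The `Pool` class, the assumption that the flaw is a round-up on minted shares, and the sample reserve numbers are all hypothetical. It mimics Solidity's integer division (no floats): the vulnerable pool rounds newly minted LP shares up, the hardened pool rounds every conversion against the caller, and `rounding_gain` shows why only particular trade sizes are profitable.

```python
"""Toy model of a rounding (precision) bug in LP share accounting.

Hypothetical illustration added for this article, not Bunni's contract code
and not the real exploit. The rounding direction, pool numbers and helper
names are assumptions chosen to make the effect visible.
"""
import copy
from dataclasses import dataclass


def mul_div_down(a: int, b: int, d: int) -> int:
    """floor(a * b / d), the way a Solidity mulDiv computes it."""
    return (a * b) // d


def mul_div_up(a: int, b: int, d: int) -> int:
    """ceil(a * b / d)."""
    return -((-(a * b)) // d)


@dataclass
class Pool:
    assets: int          # pool reserves, in the asset's smallest unit
    shares: int          # total LP shares outstanding
    round_mint_up: bool  # True = the bug: minted shares are rounded UP

    def deposit(self, amount: int) -> int:
        """Mint LP shares for `amount` of assets; returns shares minted."""
        if self.round_mint_up:
            minted = mul_div_up(amount, self.shares, self.assets)
        else:
            minted = mul_div_down(amount, self.shares, self.assets)
        self.assets += amount
        self.shares += minted
        return minted

    def redeem(self, shares: int) -> int:
        """Burn LP shares for assets; always rounds against the redeemer."""
        out = mul_div_down(shares, self.assets, self.shares)
        self.shares -= shares
        self.assets -= out
        return out


def rounding_gain(pool: Pool, amount: int) -> int:
    """Profit (in assets) of one deposit of `amount` followed by an immediate
    redeem of whatever was minted, evaluated on a copy of the pool.
    A size that divides the share price exactly gains nothing; a size one
    unit off the boundary captures almost a whole share's worth."""
    p = copy.deepcopy(pool)
    minted = p.deposit(amount)
    return p.redeem(minted) - amount


def drain(pool: Pool, rounds: int) -> int:
    """Repeat the cheapest profitable deposit/redeem cycle `rounds` times
    against the live pool; returns the attacker's cumulative profit."""
    total = 0
    for _ in range(rounds):
        total += pool.redeem(pool.deposit(1)) - 1
    return total


def assets_per_share_x18(pool: Pool) -> int:
    """Monitoring metric: reserves per share, scaled by 1e18. Honest
    deposit/redeem traffic must never make this number go down."""
    return pool.assets * 10**18 // pool.shares


if __name__ == "__main__":
    # Constructed sample state: 1,000,000 units of reserves backing 1,000 shares.
    vuln = Pool(assets=1_000_000, shares=1_000, round_mint_up=True)
    safe = Pool(assets=1_000_000, shares=1_000, round_mint_up=False)
    for amt in (1, 1000, 1001):
        print(f"deposit {amt:>5}: vulnerable gain {rounding_gain(vuln, amt):>4}, "
              f"hardened gain {rounding_gain(safe, amt):>3}")
    before = assets_per_share_x18(vuln)
    print("3-round drain profit:", drain(vuln, 3))
    print("assets/share dropped:", assets_per_share_x18(vuln) < before)
```

The point of `assets_per_share_x18` is the check a practitioner would bolt onto a pool like this: reserves per outstanding share must be monotonically non-decreasing across deposit and redeem calls, so any transaction that lowers it is either a rounding bug or an exploit of one and is worth alerting on.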
Although Bunni had previously been audited by reputable firms, including Trail of Bits and Cyfrin, the incident raises questions about the robustness of ongoing code review and the overall security of decentralized finance platforms. It remains unclear whether the exploited bug was present but missed in those audits or was introduced in a later change to the code.
The attacker's transactions emitted over 1,000 event logs, some carrying strings such as "Depositing to Euler" and "Unlock Callback", which give investigators leads on how the exploit was executed.
In the broader security context of decentralized finance, the incident has reverberated within the community. Euler co-founder Michael Bentley stated that while Bunni rebalances funds through Euler, the $1.5 billion lending protocol itself was unaffected by this breach. This comes in the wake of Euler's own hack in March 2023, in which the platform lost $200 million, underscoring the vulnerabilities DeFi platforms continue to face. The Bunni exploit is yet another reminder of the need for rigorous, ongoing security assessment in the space.