Decentralized exchange BunniXYZ has reportedly lost $8.4 million to a liquidity-based security exploit.
The DEX has paused all smart contract activity on its network and is “actively investigating” the attack.
Hackers reportedly manipulated Bunni’s “liquidity curve,” also known as its LDF, to carry out the exploit.
Decentralized exchange (DEX) BunniXYZ has reportedly lost $8.4 million to a liquidity-based security exploit.
According to on-chain security firm Hacken, $6 million of the DEX’s funds was stolen via the Unichain blockchain and $2.4 million via Ethereum. All Unichain funds were then bridged to Ethereum using the Across Protocol.
Confirming the attack in a tweet, BunniXYZ said that it had paused all smart contract activity on its network and was “actively investigating” the circumstances of the attack. It added that it would provide updates soon.
🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience.
Founded in February 2025, BunniXYZ is built on automated market maker Uniswap v4 and primarily uses the Ethereum and Unichain blockchains. It currently has a cross-chain Total Value Locked (TVL) of just over $50 million according to DeFiLlama, though it exceeded $80 million at one point earlier this August.
Michael Bentley, co-founder of lending protocol Euler, advised users to remove their funds from Bunni in a tweet, adding that while the DEX rebalances funds in and out of Euler, the lending protocol is “not affected or in danger.” Euler suffered a major exploit of its own in 2023 that saw hackers steal nearly $200 million, the bulk of which was later recovered.
What happened?
According to on-chain analyst Victor Tran, co-founder of Kyber Network, hackers manipulated Bunni’s “liquidity curve,” also known as its LDF (Liquidity Density Function). This is the system that calculates how much extra liquidity exists across the exchange and rebalances its liquidity pool to keep the right ratio of tokens.
1. Bunni is a liquidity hook that runs on top of UniswapV4. Instead of using UniswapV4’s normal system, Bunni has its own liquidity curve called LDF (Liquidity Distribution Function).
2. After each trade, Bunni checks if its LDF curve has changed since the last trade. If it has,… https://t.co/uCSWXyuAt2
Tran said hackers manipulated this LDF “by making trades of very particular sizes.” This caused the rebalancing calculation to break, producing incorrect results for how much each liquidity pool share should own.
By repeating this process, hackers allegedly withdrew more tokens from Bunni than they should have been able to.
Bunni itself has not yet confirmed the mechanism behind the attack.