DEX Shuts Down Due to $8.4M Hack

Abdulafeez Olaitan

Bunni, a decentralised exchange (DEX) once popular for its liquidity solutions, has officially announced the shutdown of its operations following a devastating exploit that drained over $8.4 million in user funds. The breach, which occurred in September, targeted Bunni’s Ethereum and Unichain smart contracts by exploiting a critical flaw in the platform’s Liquidity Distribution Function (LDF). The attackers reportedly manipulated flash loans and rounding errors to siphon more assets than they legitimately held, causing irreversible damage to the protocol.

In a statement shared with users, the Bunni team expressed deep regret over the closure, citing the enormous cost of restarting safely as the main obstacle. The team estimated that recovery would require extensive audits and monitoring worth six to seven figures—resources currently beyond their reach. “It is with saddened hearts that we announce the shutdown of Bunni,” the team wrote, acknowledging that months of development and operational work had been lost to the exploit.

The attack primarily drained stablecoins such as USDC and USDT before Bunni’s developers froze all contract operations. The team offered the hacker a 10% bounty in hopes of recovering part of the stolen funds, but the hacker did not respond. Interestingly, previous audits by cybersecurity firms Trail of Bits and Cyfrin had not flagged the flaw as critical, describing it instead as a “logic-level” issue, which made it harder to detect and prevent.

Following the exploit, Bunni’s total value locked (TVL) plummeted from over $60 million to virtually zero, effectively halting all trading and development activity. Although the exchange has ceased operations, users are still able to withdraw their remaining assets through the official Bunni website. The team also announced plans to distribute the remaining treasury assets to holders of BUNNI, LIT, and veBUNNI tokens once the necessary legal processes are finalised. Notably, team members have excluded themselves from this distribution to prioritise affected users.

In a final act of transparency, Bunni has changed the license of its v2 smart contracts from the Business Source License (BUSL) to the open MIT license. This move allows other developers to freely adopt and build upon Bunni’s innovations, including its Liquidity Distribution Functions, surge fees, and automated rebalancing mechanisms. The team noted that it is still cooperating with law enforcement agencies in an ongoing effort to trace and recover the stolen funds.

The shutdown marks another blow to decentralised finance in 2025, a year that has already seen more than $3.1 billion lost to hacks and exploits, according to cybersecurity firm Hacken. Bunni’s demise underscores the persistent vulnerabilities facing even well-audited DeFi platforms, as the industry continues its struggle to balance innovation with security.

Abdulafeez Olaitan is a communication specialist with quality experience in digital media as a writer, journalist and editor. He has been nominated for the Rhysling Award, Pushcart Prize and Best of the Net Award. Contact: Abdulafeez.Olaitan [at] news.ng