Bunni DEX Exploit — September 2, 2025
Overview
In September 2025, Bunni, a decentralized exchange (DEX) based on Uniswap v4, was the victim of an $8.4 million hack. About $6 million was drained on Unichain and $2.4 million on Ethereum.
Attack Mechanism
The attackers performed a flash loan attack to exploit the protocol across the Ethereum and Unichain blockchains. In both cases, the attack began with a flash loan, followed by multiple carefully crafted swaps from one token to another.
The Bunni hack was made possible by a rounding error within the protocol's withdraw function. The developers believed that rounding a key value down would cause the idle balance to increase; however, the opposite occurred. As a result, an attacker was able to carefully manipulate the pool and withdraw a disproportionate number of tokens while burning less liquidity.
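The general bug class behind this, rounding direction in withdrawal accounting, can be checked with an invariant test. The following is an added example, not Bunni's contract code: a toy pool in which the shares burned on withdrawal are rounded either down or up, with a check that flags any withdrawal that dilutes the remaining holders. The pool model, function names and numbers are assumptions constructed for the illustration.

```python
# Toy share-accounting model, constructed for illustration (not Bunni's code).
# A pool is a tuple (total_assets, total_shares) of integers, as on-chain.

def shares_to_burn(assets_out, total_assets, total_shares, round_up):
    """Shares a withdrawer must burn to take `assets_out` from the pool."""
    num = assets_out * total_shares
    if round_up:
        return -(-num // total_assets)  # ceil: rounding favours the pool
    return num // total_assets          # floor: rounding favours the withdrawer


def withdraw(pool, assets_out, round_up):
    """Return (pool_after, shares_burned) for a single withdrawal."""
    total_assets, total_shares = pool
    burned = shares_to_burn(assets_out, total_assets, total_shares, round_up)
    return (total_assets - assets_out, total_shares - burned), burned


def price_not_diluted(before, after):
    """Invariant: assets per share must not decrease for remaining holders.
    Cross-multiplied so the comparison itself uses exact integer arithmetic."""
    a0, s0 = before
    a1, s1 = after
    return a1 * s0 >= a0 * s1


def find_violations(pool, amounts, round_up):
    """Try each withdrawal amount from the same starting state and
    return the amounts that break the invariant."""
    bad = []
    for amt in amounts:
        after, _ = withdraw(pool, amt, round_up)
        if not price_not_diluted(pool, after):
            bad.append(amt)
    return bad


if __name__ == "__main__":
    pool = (1000, 300)  # constructed sample state: 1000 assets, 300 shares
    print("floor:", find_violations(pool, range(1, 21), round_up=False))
    print("ceil: ", find_violations(pool, range(1, 21), round_up=True))
```

Rounding the burned amount down lets value leave the pool whenever the division is inexact; rounding up keeps the invariant for every amount tested.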
Affected Pools
Only two pools appear affected by the exploit:
• USDC/USDT pair on Ethereum mainnet
• ETH/weETH pair on Unichain
Aftermath
Bunni is shutting down after the $8.4 million exploit left the team without resources to recover. The team said it cannot afford the cost of relaunching the protocol, which would require significant investment in audits and development. Bunni's team has open-sourced its v2 smart contracts under the MIT license. That allows other developers to leverage features like surge fees, liquidity distribution functions and automated rebalancing, which were part of Bunni's infrastructure.