BTC 
ETH 
XRP 
USDT 
BNB 
SOL 
USDC 
DOGE 
TRX 
ADA 
After suffering a devastating $8.4 million hack, decentralized exchange protocol Bunni DEX has officially announced its shutdown. This marks the second crypto project to fold in October, following Kadena Organization’s recent decision to halt operations amid mounting difficulties.
The $8.4 Million Exploit: How It Happened
-
The attack occurred on September 2, when a hacker exploited a rounding-direction bug in Bunni’s smart contract withdrawal logic.
-
The exploiter used flashloans, micro-withdrawals, and sandwich attacks to manipulate pool liquidity and extract profits from distorted swap data.
-
Two major pools — weETH/ETH on Unichain and USDC/USDT on Ethereum — were severely affected. The largest pool, Unichain USDC/USD₮0, narrowly escaped due to insufficient flashloan liquidity.
Following the breach, Bunni’s Total Value Locked (TVL) plummeted from $50.82 million to $1.3 million within a month — a 97.44% collapse, according to DefiLlama.
Failed Recovery Efforts: Bunni Bows Out
-
The team previously offered a “10% bounty” deal, allowing the hacker to keep a portion of the funds if the rest were returned — but negotiations failed.
-
In its final update, Bunni cited the immense financial strain caused by the attack, noting that a relaunch would require extensive audits, security monitoring, and redevelopment, costing hundreds of thousands to millions of dollars.
-
“We’re a small team of six who spent years and millions building Bunni. But the losses are too great — we have no choice but to shut it down,” the team said.
Next Steps: Refunds and Legal Action
-
Users can still withdraw their funds through Bunni’s official website.
-
The remaining treasury will be distributed to BUNNI, LIT, and veBUNNI holders, excluding team members, based on a snapshot.
-
Distribution details will be released once legal proceedings conclude, while the team continues to cooperate with law enforcement in tracking the attacker.
A Legacy Left Behind
-
The Bunni v2 smart contracts have been relicensed from BUSL to MIT, allowing developers to freely use innovations like LDFs, surge fees, and autonomous rebalancing.
-
“Even though Bunni is ending, we believe our work has pushed the AMM ecosystem forward by a generation,” the team added.
DeFi’s Rough Season
According to recent data, the crypto industry lost $127.06 million in 20 major exploits during September alone. Beyond security concerns, volatile market conditions have also forced several projects out of the space — the most recent being Kadena, which officially ceased business operations, leaving its blockchain in the hands of independent miners.
Bunni DEX’s demise serves as a stark reminder that in the DeFi world, a single line of vulnerable code can bring down an entire billion-dollar dream.
