The decentralized exchange Bunni has announced its permanent closure following an $8.4 million exploit that exposed a critical weakness in its custom liquidity distribution mechanism. The shutdown, confirmed on October 23, 2025, is one of the most significant DeFi casualties of the year and raises urgent questions about the sustainability of novel smart contract architectures in decentralized finance.
The Exploit Mechanics
The attack occurred on September 2, 2025, when an attacker identified a vulnerability in Bunni’s proprietary Liquidity Distribution Function (LDF). Rather than relying on the standard liquidity logic of established Uniswap pool models, Bunni layered its own custom logic on top of them to distribute liquidity across multiple price ranges, aiming to deliver better returns for liquidity providers. This custom approach became the protocol’s Achilles heel.
The attacker used flash-loaned capital to execute trades at precisely calculated sizes, exploiting rounding errors in the pool’s rebalancing arithmetic that, at those sizes, resolved in the attacker’s favour. This allowed the attacker to withdraw significantly more assets than they were entitled to. Initial estimates placed losses at $2.3 to $2.4 million on Ethereum, but subsequent investigations by QuillAudits and Halborn uncovered a further $5.9 million drained from Unichain liquidity pools, bringing total losses to roughly $8.4 million.
The stolen assets, primarily USDC and USDT stablecoins, were consolidated into a single wallet before being moved through bridges and swapped into other assets, making recovery efforts extremely difficult.
Affected Systems
Bunni operated as a DEX built on top of Uniswap V4-style pools across both Ethereum and Unichain. At its peak, the protocol managed approximately $60 million in total value locked. Following the exploit, TVL plummeted to near zero as users rushed to withdraw remaining funds.
The exploit’s impact extends beyond Bunni itself. According to a Hacken report, blockchain hacks in 2025 have caused $3.1 billion in cumulative losses. The Bunni incident adds to a growing list of DeFi protocols that have been compromised through novel attack vectors targeting custom smart contract logic rather than well-tested, battle-hardened code.
With Bitcoin trading at approximately $110,069 and Ethereum at $3,856 at the time of the shutdown announcement, the broader crypto market remained relatively stable, suggesting that the exploit’s impact was largely contained within DeFi liquidity circles.
The Mitigation Strategy
Bunni’s team cited prohibitive recovery costs as the primary reason for the permanent shutdown. Audit and monitoring expenses for a potential relaunch would run into six to seven figures, an amount the team deemed unaffordable given the depleted treasury. Instead, the focus shifted to facilitating user withdrawals and cooperating with forensic experts to trace the stolen funds.
For the broader DeFi ecosystem, the Bunni exploit underscores the importance of rigorous security practices when deploying custom smart contract logic. Protocols that deviate from established, audited architectures must invest in comprehensive testing of their arithmetic, including fuzzing and formal verification of mathematical functions like liquidity distribution algorithms, with the rounding direction on every code path specified and checked so that no path can round in the caller’s favour.
Lessons Learned
The Bunni shutdown offers several critical takeaways for DeFi participants and developers. First, custom smart contract logic carries inherently higher risk than battle-tested code. The LDF was a novel approach to liquidity management, but its mathematical complexity created exploitable edge cases that standard audits failed to catch.
Second, cross-chain deployments amplify risk exposure. The initial exploit on Ethereum was only part of the story, as the Unichain deployment suffered even greater losses. Protocols operating across multiple chains must ensure that each deployment receives equivalent security scrutiny.
Third, flash loan attack vectors remain one of the most potent threats to DeFi protocols. Flash loans remove the capital constraint on an attacker, so any mechanism that calculates balances or distributions from transient state, or whose rounding error can be steered by the choice of trade size, can be pushed within a single transaction to exactly the size that maximizes the error.
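The rounding-direction failure described in this point and in the exploit mechanics above, as an added illustration that is not Bunni’s code and does not reproduce the real LDF or the actual attack path: a toy share-based pool modelled in Python integer arithmetic, which mirrors Solidity’s uint256 math (integer division, no fractions). The vulnerable variant rounds payouts up, handing the caller the division remainder; the hardened variant rounds every path against the caller. `ToyPool`, `drain_by_one_share`, `honest_round_trip` and `per_share_value_never_drops` are hypothetical names chosen for this example, and the pool balances are constructed.

```python
"""Toy model of rounding direction in pool share accounting.

Constructed example added to this article. It is NOT Bunni's LDF code and
does not reproduce the real exploit; it only shows why a division that
rounds in the caller's favour is drainable at carefully chosen trade sizes.
Python ints stand in for Solidity's uint256 (integer division only).
"""
import random


def mul_div_down(a, b, d):
    """floor(a * b / d) for non-negative ints (cf. Solidity mulDivDown)."""
    return (a * b) // d


def mul_div_up(a, b, d):
    """ceil(a * b / d) for non-negative ints (cf. Solidity mulDivUp)."""
    return -((-(a * b)) // d)


class ToyPool:
    """Share-based pool. safe=False pays out rounded UP (caller's favour);
    safe=True rounds every path against the caller. Assumes a non-empty
    pool; the first-depositor / empty-pool case is out of scope here."""

    def __init__(self, assets, shares, safe):
        self.assets = assets
        self.shares = shares
        self.safe = safe

    def deposit(self, amount):
        # Minted shares round down in both variants: minting fewer shares
        # than the exact quotient can only favour existing holders.
        minted = mul_div_down(amount, self.shares, self.assets)
        self.assets += amount
        self.shares += minted
        return minted

    def withdraw(self, shares_in):
        if self.safe:
            out = mul_div_down(shares_in, self.assets, self.shares)
        else:
            # Vulnerable path: the division remainder is paid to the caller,
            # so any redemption whose exact value is non-integer overpays
            # by up to one unit. Per trade that is dust; per dust-sized
            # trade it is a large fraction of the trade's value.
            out = mul_div_up(shares_in, self.assets, self.shares)
        self.shares -= shares_in
        self.assets -= out
        return out


def drain_by_one_share(pool, deposit_amount):
    """Deposit once, then redeem one share at a time (the 'precisely
    calculated size' that maximises rounding error relative to value).
    Returns the attacker's net profit in asset units."""
    minted = pool.deposit(deposit_amount)
    got = sum(pool.withdraw(1) for _ in range(minted))
    return got - deposit_amount


def honest_round_trip(pool, deposit_amount):
    """Deposit then redeem everything in one call; returns the net result.
    With rounding against the caller this costs at most one unit."""
    minted = pool.deposit(deposit_amount)
    return pool.withdraw(minted) - deposit_amount


def per_share_value_never_drops(pool, steps=2000, seed=0):
    """Property check of the kind fuzzing or formal verification would
    encode: for honest holders, assets/shares must never decrease across
    any sequence of deposits and withdrawals by one random actor. The
    comparison is done by cross-multiplication to stay in exact integers.
    The initial shares belong to other holders and are never withdrawn."""
    rng = random.Random(seed)
    owned = 0
    for _ in range(steps):
        a0, s0 = pool.assets, pool.shares
        if owned and rng.random() < 0.5:
            s = rng.randint(1, owned)
            pool.withdraw(s)
            owned -= s
        else:
            owned += pool.deposit(rng.randint(1, 10_000))
        # Violated iff assets'/shares' < a0/s0.
        if pool.assets * s0 < a0 * pool.shares:
            return False
    return True


if __name__ == "__main__":
    # Constructed pool: 1500 asset units backing 1000 shares (1.5 per share).
    print("vuln drain  :", drain_by_one_share(ToyPool(1500, 1000, False), 1000))
    print("safe drain  :", drain_by_one_share(ToyPool(1500, 1000, True), 1000))
    print("safe honest :", honest_round_trip(ToyPool(1500, 1000, True), 1000))
    print("vuln holds  :", per_share_value_never_drops(ToyPool(1500, 1000, False)))
    print("safe holds  :", per_share_value_never_drops(ToyPool(1500, 1000, True)))
```

On the constructed 1500/1000 pool the vulnerable variant pays the attacker 2 units for every 1-share redemption whose fair value is about 1.5, so a 1000-unit deposit comes back as 1332 and the remaining holders absorb the 332-unit loss; the same loop against the hardened variant loses the attacker 334 units, while an honest single-call round trip costs at most one unit. Flash loans matter here because the deposit size, and therefore the number of dust-sized redemptions, is chosen freely with borrowed capital and repaid in the same transaction. The invariant in `per_share_value_never_drops` is the property a fuzzer or prover should be asked to hold for every code path.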
User Action Required
Current and former Bunni users should immediately withdraw any remaining funds from the protocol’s liquidity pools while withdrawals remain possible. The team has been explicit about the risks of leaving assets in the compromised contracts. Users should also monitor official Bunni communications for updates on fund recovery efforts and potential legal proceedings. For DeFi users more broadly, this incident serves as a reminder to evaluate protocol risk beyond TVL and yield metrics, paying close attention to the maturity and audit history of underlying smart contract infrastructure.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
$60M TVL to near zero in one transaction. The DeFi space keeps repeating the same mistake of complexity over security
Marta V. shutting down entirely instead of patching the LDF tells me the codebase was probably worse than anyone outside the team knew
Custom LDF with rounding errors and zero formal verification. $8.4M stolen from what was basically a math homework problem
anon_yield_ math homework is generous. This was a multi-million-dollar protocol running on unverified distribution logic. The audit either didn't happen or was worthless
Building custom liquidity distribution logic instead of using proven Uniswap v3 ranges was the original sin. Every novel AMM design eventually hits the same wall of untested edge cases
Flash loan attacks exploiting rounding errors in rebalancing are such an old attack vector. How does a team building novel AMM math not model for precision attacks