A recent exploit has forced decentralized exchange Bunni to pause its smart contracts after a vulnerability allowed an attacker to take around $2.4 million in stablecoins.
Security researchers reviewing blockchain records confirmed that the loss occurred due to a flaw in how Bunni calculates liquidity distribution.
The incident was confirmed by the Bunni team on X on September 2, where they announced the shutdown of all smart contract activity across supported blockchains while the situation is under review.
Funds were drained from Bunni’s Ethereum contracts and moved into a single wallet. This wallet currently holds around $1.33 million in USDC and another $1.04 million in USDT.
Following the event, Bunni contributor @Psaul26ix urged users to exit the platform immediately and warned them to remove any remaining assets from its pools.
Bunni relies on Euler Finance to manage its lending and structured product offerings. Despite the connection, Euler’s CEO, Michael Bentley, made it clear that Euler’s own protocol was not impacted.
Instead of using the default Uniswap logic, Bunni uses its own Liquidity Distribution Function (LDF), designed to spread liquidity across different price levels to help providers earn better returns. However, this function appears to have been at the core of the issue.
Victor Tran, the co-founder of KyberNetwork, explained that the attacker had discovered a way to trick the system by making trades of exact sizes, which caused errors in the liquidity rebalancing process.