TLDR
- BunniXYZ, an Ethereum-based decentralized exchange, suffered a $2.3M loss due to a smart contract exploit.
- The hacker targeted the USDT and USDC vaults, draining funds through the Ethereum ecosystem.
- BunniXYZ’s Liquidity Distribution Function vulnerability allowed the attacker to withdraw more tokens than owned.
- After the exploit, the hacker swapped stolen funds for ETH and moved them through DeFi protocols.
- BunniXYZ responded quickly by halting all smart contracts to prevent further damage.
BunniXYZ, an Ethereum-based decentralized exchange (DEX), suffered a significant loss of $2.3 million due to a smart contract exploit. The attack targeted the exchange’s liquidity functions, draining mostly stablecoins like USDT and USDC. On-chain investigations confirmed that the hacker exploited a vulnerability in the DEX’s liquidity distribution system.
BunniXYZ’s Smart Contract Vulnerability Exploited
BunniXYZ operates on Ethereum and Unichain, utilizing Uniswap V4 technology. The exchange faced an exploit in one of its smart contracts, allowing the hacker to manipulate liquidity distribution. The hacker targeted USDT and USDC vaults, draining the funds through the Ethereum network.
We have identified a $2.3M exploit on the @bunni_xyz BunniHub contract.https://t.co/lZB0vzSMQx
The exploiter has exfiltrated funds to 0xe04efd87f410e260cf940a3bcb8bc61f33464f2b.
Stay Vigilant!
— CertiK Alert (@CertiKAlert) September 2, 2025
The vulnerability stemmed from an issue in BunniXYZ’s Liquidity Distribution Function (LDF). This function, which recalculates liquidity, allowed the attacker to withdraw more tokens than they should have. The smart contract’s flaw caused it to miscalculate the liquidity pool, resulting in the loss of funds.
The hacker executed multiple transactions to accumulate $2.3 million before converting the stolen funds to ETH. The attacker then deposited the ETH into Aave, holding a balance of $1.33 million in AethUSDC and $1 million in AethUSDT. BunniXYZ responded promptly by closing all smart contracts to prevent further damage.
Attack Leads to Draining of Stablecoins
The exploit mainly affected stablecoins, with USDT and USDC being the primary targets. The attacker was able to drain these stablecoins by exploiting the flawed recalculation process in BunniXYZ’s smart contract. Once the tokens were extracted, the hacker swapped them for Ethereum and moved the funds through decentralized finance (DeFi) protocols.
In the hour following the attack, the hacker avoided moving or mixing the funds. The initial transaction movements were limited to DeFi swaps, with no immediate effort to obscure the stolen assets. By the time BunniXYZ identified the breach, the hacker had already transferred a substantial portion of the funds.
Despite the relatively small scale of the attack, the breach caused significant damage to the BunniXYZ platform. The DEX was growing rapidly, having reached a peak of $60 million in locked value by the end of August. This breach not only resulted in financial loss but also harmed the platform’s reputation, affecting its future growth prospects.
BunniXYZ Responds to the Exploit
Following the hack, BunniXYZ immediately halted all smart contracts. The response was swift, with the platform seeking to prevent further loss of funds. BunniXYZ had previously undergone audits, but the exploit likely emerged from a new version of its code.
🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience.
— Bunni (@bunni_xyz) September 2, 2025
The hack highlights the risks involved in complex liquidity systems within decentralized exchanges. BunniXYZ’s vulnerability may have been a result of a precision bug in the new liquidity recalculation system. As investigations continue, the focus remains on improving security measures to prevent future exploits on platforms like BunniXYZ.
