Bunni DEX, a decentralized exchange powered by Uniswap v4, was exploited on September 2, 2025, leading to losses between $2.4 million and $8.4 million across its liquidity pools. The attack targeted a flaw in the Liquidity Distribution Function (LDF), an alternative rebalancing mechanism designed to optimize liquidity.
Exploit on liquidity logic
According to security researchers, the attacker manipulated transaction values to confuse LDF calculations. This enabled them to drain assets from liquidity pools without triggering immediate alerts. Tokens like UNI and AAVE fell by more than 2% in the aftermath of the exploit.
Operations suspended
Following detection, the Bunni team paused all smart contracts across supported networks including Ethereum, Arbitrum, Base and BNB Smart Chain. In a post on X, project contributor @Psaul26ix warned users: “If you have money on Bunni, remove it ASAP.”
Bounty offer to the attacker
In an unusual step, the team offered a 10% bounty to the exploiter if the stolen funds are returned. The message was published on-chain via Ethereum, reflecting the developers’ pragmatic approach to mitigating losses.
Wider DeFi security concerns
The case adds to a troubling trend in decentralized finance. In August 2025 alone, over $163 million was lost in 16 different exploits, highlighting systemic vulnerabilities in the sector. Despite previous audits by Trail of Bits and Cyfrin, it remains unclear whether the flaw in Bunni’s contracts was identified earlier or introduced later.
The exploit underscores the need for stronger real-time monitoring and more rigorous security standards in DeFi. While innovations like LDF promise efficiency and higher yields, they also expose investors to new, untested risks.
Sources: CoinDesk, Brave New Coin, TradingView