In short
Decentralized trade Bunni introduced its everlasting shutdown Wednesday, saying it lacks the capital for a safe relaunch requiring six to seven figures in audit bills alone.
The September 2 hack drained $8.4 million by flash mortgage manipulation and rounding errors, with stolen funds remaining unmoved in Twister Money-funded wallets.
Customers can nonetheless withdraw property, and Bunni pledged to distribute remaining treasury to token holders whereas relicensing its v2 contracts from BUSL to MIT.
Decentralized trade Bunni has introduced it’s completely shutting down following an $8.4 million hack final month, with founders saying they lack the capital wanted for a safe relaunch that will value six to seven figures in audit and monitoring bills alone.
Bunni introduced the everlasting shutdown on Wednesday, citing insurmountable restoration prices following the assault that exploited the platform’s Liquidity Density Operate throughout two swimming pools, weETH/ETH on Unichain and USDC/USDT on Ethereum.
The assault drained roughly $8.4 million in complete from the 2 swimming pools, based on Bunni’s autopsy report. The stolen funds have been bridged to Ethereum following the exploit.
“It’d additionally take months of growth & BD effort simply to get Bunni again to the place it was earlier than the exploit, which we can’t afford,” the DEX tweeted. “Thus, we’ve got determined it is best to close down Bunni.”
Customers can proceed withdrawing funds by the web site whereas the group finalizes the authorized course of for treasury distribution, excluding its personal members from the payout, the assertion mentioned.
“This hack exhibits the trade in no unsure phrases that customized liquidity logic wants exhaustive testing, as flash loans introduce low-risk exploits,” Kadan Stadelmann, Chief Expertise Officer at Komodo Platform, informed Decrypt.
“The exploit consisted of three steps: swap with flashloaned funds, numerous tiny withdrawals, after which a sandwich assault,” the DEX famous within the autopsy report.
Flash loans allow borrowing giant quantities with out collateral inside a single transaction, whereas sandwich assaults revenue from artificially manipulating costs round goal trades.
The attacker first flashborrowed 3M USDT then made a number of swaps from USDT to USDC, and the spot worth tick of the pool was pushed to 5000, similar to 1 USDC = 1.68 USDT, the report famous.
“The attacker’s use of flash loans is notable from an AML lens. Flash loans allow actors to entry giant quantities of liquidity with out collateral and repay inside a single transaction,” Dmitry Machikhin, CEO of BitOK, informed Decrypt.
“Following the hack, it’s extremely probably the proceeds have been layered throughout a number of chains to distance them from their illicit origin,” he added.
The trade confirmed it plans to distribute remaining treasury property to BUNNI, LIT, and veBUNNI holders primarily based on a snapshot, pending authorized validation.
“The Bunni v2 good contracts have been relicensed from BUSL to MIT, enabling everybody to make the most of our improvements corresponding to LDFs, surge charges, and autonomous rebalancing,” the group famous, including they hope their technological contributions will profit the broader DeFi ecosystem.
Bunni famous it is working with regulation enforcement to recuperate property and has despatched an on-chain message providing the attacker 10% of the stolen funds if the rest is returned, a proposal that went unanswered.
Bunni’s breach provides to 2025’s mounting crypto safety disaster, with hackers stealing over $2 billion in digital property this yr, based on blockchain analytics agency Elliptic.
North Korea-linked hackers account for almost all of these losses, marking the most important annual complete on document.
Each day Debrief Publication
Begin each day with the highest information tales proper now, plus authentic options, a podcast, movies and extra.
