Ethereum News Today: DeFi Precision Bug Drains $8.4M as Smart Contract Flaw Unveiled

Generated by AI agent Coin World
Tuesday, September 2, 2025, 7:03 am ET · 2 min read

Bunni, a decentralized exchange (DEX) leveraging the Uniswap V4 framework, suffered a significant security breach on September 2, 2025, resulting in losses of approximately $2.3 million on the Ethereum network alone. The exploit was identified through irregular outflows flagged by on-chain analytics firm CertiK, which traced the unauthorized withdrawals to a specific smart contract within Bunni’s liquidity distribution system [3]. Initial assessments suggest that the attack targeted USDT and USDC vaults, with stolen funds being converted into ether (ETH) and deposited into lending protocols such as Aave, where the attacker now holds around $2.3 million in AethUSDC and AethUSDT [3].

The incident was compounded when a broader investigation across multiple blockchains revealed additional losses. According to Hacken, a second $6 million was drained from Bunni’s operations on Unichain, a network developed by Uniswap, bringing the total loss across both chains to $8.4 million [1]. The stolen assets were quickly moved via the Across Protocol in over 100 separate transactions, significantly complicating recovery efforts [2]. The funds were swapped into ETH and distributed across various protocols, further obscuring their trail.

Bunni’s technical team confirmed the breach and immediately paused all smart contract activity across all supported networks, including Ethereum, Unichain, Arbitrum, Base, and BNB Smart Chain. The platform stated it is working closely with blockchain forensics experts to trace the stolen assets and investigate the nature of the vulnerability [2]. According to KyberSwap CEO Victor Tran, the exploit involved a precision error in Bunni’s liquidity distribution function (LDF), a critical component of the platform’s rebalancing system [1]. The bug allowed the attacker to manipulate rebalancing calculations, withdrawing more liquidity provider tokens than the platform actually held.

Preliminary forensic analysis suggests that the vulnerability may not have been identified in prior audits conducted by firms such as Trail of Bits and Cyfrin, despite these firms having flagged "critical" issues in Bunni’s codebase [1]. Bunni’s use of a modified LDF—distinct from the standard Uniswap model—appears to have introduced an unforeseen flaw that attackers could exploit through a series of precisely sized trades [3]. The attacker repeated these trades to drain liquidity pools, demonstrating how even minor precision errors in smart contract logic can lead to large-scale financial losses.
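The article does not publish Bunni's LDF code, so the following is an added illustration of the general bug class it describes (a rounding error that repeated, precisely sized operations amplify), not a reconstruction of Bunni's contract. The toy share-accounting pool, the function names and all numbers are constructed; it contrasts payouts rounded in the caller's favour with payouts rounded toward the pool, and shows an invariant check that flags the former.

```python
# Constructed toy pool with integer share accounting (hypothetical names;
# this is not Bunni's code). Units are the smallest token unit, as on-chain.

def assets_for_shares(shares, total_assets, total_shares, round_up):
    """Assets paid out when `shares` are burned, under a chosen rounding policy."""
    quotient, remainder = divmod(shares * total_assets, total_shares)
    # round_up=True favours the caller; round_up=False favours the pool.
    return quotient + 1 if (round_up and remainder) else quotient

def burn_in_chunks(total_assets, total_shares, user_shares, chunk, round_up):
    """Burn `user_shares` in pieces of `chunk`; return (paid, assets_left, shares_left)."""
    paid = 0
    while user_shares > 0:
        n = min(chunk, user_shares)
        out = assets_for_shares(n, total_assets, total_shares, round_up)
        total_assets -= out
        total_shares -= n
        user_shares -= n
        paid += out
    return paid, total_assets, total_shares

def backing_preserved(assets0, shares0, assets1, shares1):
    """Invariant: assets per remaining share must not fall.
    Cross-multiplied so the check itself introduces no rounding."""
    return assets1 * shares0 >= assets0 * shares1

# Constructed state: 1.5 assets per share; the caller owns 1,000 shares,
# so the pro-rata entitlement is exactly 1,500.
ASSETS0, SHARES0, USER = 1_500_000, 1_000_000, 1_000

if __name__ == "__main__":
    for label, chunk, up in [("one burn, round up", USER, True),
                             ("1-share burns, round up", 1, True),
                             ("1-share burns, round down", 1, False)]:
        paid, a1, s1 = burn_in_chunks(ASSETS0, SHARES0, USER, chunk, up)
        ok = backing_preserved(ASSETS0, SHARES0, a1, s1)
        print(f"{label:27s} paid={paid:5d} invariant_ok={ok}")
```

A property test or on-chain assertion built on `backing_preserved` would fail on the round-up path after the first one-share burn, long before the cumulative loss becomes large.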

The breach has raised broader concerns about security in the DeFi space, particularly for platforms relying on complex cross-chain operations. Bunni’s integration with protocols like Euler and its use of Uniswap V4’s liquidity hooks exemplify the technical sophistication of modern DEXs, yet also expose potential points of failure. Analysts note that as DeFi platforms continue to expand their functionalities, the attack surface for malicious actors grows accordingly. This latest exploit underscores the need for more frequent and comprehensive audits, as well as the adoption of multi-layered security strategies [2].

For users, the incident serves as a cautionary example of the risks inherent in decentralized platforms. Unlike traditional exchanges, DeFi platforms typically lack centralized oversight or insurance mechanisms, leaving users vulnerable to losses from smart contract failures or hacking incidents. Bunni’s swift response in halting trading and cooperating with investigators reflects the industry’s growing emphasis on transparency, but recovery remains uncertain without a clear path to reclaiming the stolen funds [2].

Source:

[1] Uniswap 'hook' Bunni hacked for over $8M after precision ... (https://protos.com/uniswap-hook-bunni-hacked-for-over-8m-after-precision-bug-exploited/)

[2] Bunni Exchange Suffers $8.4 Million Hack Across Unichain ... (https://financefeeds.com/bunni-exchange-suffers-8-4-million-hack-across-unichain-and-ethereum/)

[3] BunniXYZ Ethereum exchange suffers $2.3M breach (https://www.mitrade.com/insights/news/live-news/article-3-1087725-20250902)
