Bunni DEX halts operations after $2.4 million liquidity exploit

7 hours ago

Security Breach at Bunni

In a significant security breach, the decentralized exchange Bunni reportedly suffered a loss of approximately $2.4 million in stablecoins due to an exploit that compromised its liquidity calculations. On Tuesday, the Bunni team disclosed the issue via a post on X, confirming that a security breach had occurred and that they had halted all smart contract operations across all networks as a preventive measure.

“Our team is currently investigating the situation and will keep the community updated,” they noted.

Details of the Exploit

The exploit focused primarily on Bunni’s Ethereum-based smart contracts, and the funds were siphoned to an address that now holds around $1.33 million in USDC and $1.04 million in USDt. In a precautionary message posted on the social media platform, a core contributor urged users to withdraw their funds from Bunni at the earliest opportunity, stating,

“If you have money on Bunni, remove it ASAP.”

Response and Investigation

Bunni utilizes Euler Finance, a decentralized lending service that facilitates borrowing and lending alongside the development of customized crypto products, to channel its liquidity. In response to this exploit, Michael Bentley, the co-founder and CEO of Euler, confirmed that their protocol itself remained intact and unaffected by the incident.

Technical Insights

Although the full technical details surrounding how the hack transpired are still under investigation, preliminary assessments by developers suggest that the vulnerability lies within Bunni’s method of executing liquidity rebalancing. Bunni leverages a custom approach called the Liquidity Distribution Function (LDF), which diverges from the traditional logic used by Uniswap v4. This system was designed to optimize liquidity distribution across various price ranges to enhance returns for liquidity providers.

Victor Tran, co-founder of KyberNetwork, explained that the assailant was able to exploit the LDF functionality by making trades of calculated sizes, which triggered flawed rebalancing logic within the protocol. Tran elaborated on the strategy on X, stating,

“The exploiter figured out they could manipulate this LDF by making trades of very specific sizes. These carefully chosen amounts caused the rebalancing calculation to break, leading to incorrect allocation of LP shares.”

Conclusion

The attacker appeared to carry out this manipulation in several stages, gradually withdrawing the protocol’s assets without raising immediate alerts. This breach comes on the heels of a concerning trend in the crypto sector, as attacks and scams netted over $163 million in losses during August alone across 16 incidents—representing a 15% rise from the previous month, although still showing a 47% decrease compared to the previous year.
