Bunni, a decentralized exchange operating on Unichain and several other blockchains, has announced its shutdown following a devastating exploit that drained $8.4 million in user funds.
The attack occurred early on September 2, targeting the DEX’s smart contracts on both the Ethereum and Unichain networks. Blockchain security firm Hacken first reported the incident, revealing that hackers siphoned off assets including ETH, USDC, and USDT.
The stolen funds were later converted into ETH and moved via the Across Protocol cross-chain bridge in batches of around 100 ETH each.
According to DeFiLlama, Bunni had a total value locked (TVL) of roughly $50.6 million across networks, including Ethereum, Unichain, Arbitrum, Base, and BNB Smart Chain, with Unichain and Ethereum representing the largest shares.
Following the attack, Bunni paused all smart contracts “on all networks” to prevent further losses. In a follow-up post on X, the team said it lacks the financial resources to relaunch the platform securely.
“The recent exploit has forced Bunni’s growth to a halt, and in order to securely relaunch, we’d need to pay six to seven figures in audit and monitoring expenses, capital we simply don’t have,” the team wrote.
Bunni’s post-mortem report identified a rounding error in its smart contract withdrawal function as the cause of the breach. The attackers have already laundered the stolen funds through Tornado Cash, though Bunni says it is cooperating with law enforcement and has offered a 10% bounty for their return.
While the exchange winds down, users will still be able to withdraw their remaining assets from the platform. The team plans to distribute remaining treasury holdings to BUNNI, LIT, and veBUNNI token holders based on a forthcoming snapshot.
Bunni has also relicensed its V2 smart contracts under the MIT license, allowing other developers to build upon its liquidity innovations.