Bunni DEX under attack: approximately $2.4 million in stablecoins stolen on Ethereum, contracts paused

A new attack has hit LP funds on Ethereum: Bunni, a protocol specialized in liquidity management, has temporarily paused its contracts after an anomalous withdrawal estimated at approximately 2.3 to 2.4 million dollars, as reported by The Block and consistent with the risk categories analyzed in the OpenZeppelin Security Report. Initial analyses indicate that the attacker may have abused a flaw in the liquidity distribution function to alter LP share accounting in their favor.

According to data collected by our on-chain analysis team, updated as of September 2, 2025, the suspicious transactions show repeated patterns and fractional transfers to multiple addresses, consistent with an attack designed to exploit rebalancing. Our cross-checks on public explorers indicate calibrated withdrawals of approximately 1.33 million dollars in USDC and 1.04 million dollars in USDT. Industry analysts note that flaws in rebalancing logic and oracles are a recurring root cause of recent DeFi incidents.

In brief: what we know so far about the Bunni DEX hack

  • Who: Bunni, a liquidity management protocol on Ethereum.
  • What: Draining of funds from the smart contracts, followed by an operational pause as a preventive security measure.
  • Where: The Ethereum network, with movements traceable on-chain.
  • When: Detected in the days leading up to September 2, 2025; investigations are still ongoing.
  • How: Manipulation of the liquidity rebalancing mechanism, which led to miscalculated LP shares.

Timeline of Events

Essential Sequence

  • Detection of unusual movements in stablecoin pools, particularly USDC and USDT.
  • Official communication from the team, confirmation of the incident, and suspension of the contracts to contain the damage.
  • Preliminary on-chain analysis: estimated losses of approximately 2.3 to 2.4 million dollars, with repeated withdrawals of calibrated amounts.
  • Start of technical checks on the liquidity distribution function and the rebalancing mechanism.

On-chain Details

  • Affected assets: the stablecoins USDC (approximately 1.33 million dollars) and USDT (approximately 1.04 million dollars), which together account for the estimated total loss.
  • Pattern: a series of targeted trades with calibrated amounts, forcing a rebalancing unfavorable to LPs.
  • Addresses and hashes: under examination by several blockchain analysis firms; explorer references have not yet been publicly released.

Several outlets, including The Block and BitcoinEthereumNews, have reported these elements, highlighting repeated patterns of suspicious transfers in the hours before the contracts were paused.

Mechanics of Vulnerability

How Liquidity Distribution Works

Bunni uses a liquidity distribution function that allocates capital to specific price ranges, optimizing LP returns through transaction-induced rebalancing. The goal is to limit idle capital; however, this approach opens new attack surfaces if the rebalancing logic is not sufficiently robust.

Where the System Got Stuck

  • Manipulation of the curve through targeted, repeated trades.
  • LP position calculations that, after rebalancing, produced incorrect shares.
  • Gradual draining of funds, paced to avoid triggering automatic defensive thresholds.

In essence, rebalancing logic that was not resilient to adversarial inputs let the attackers extract value from LPs without immediately triggering alerts. The calibration of the amounts is notable: it indicates a fine-tuned strategy rather than a single large drain.
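To make the share-accounting failure concrete, here is an added Python model written for this article. It is not Bunni's code and not a reconstruction of its contracts; it shows the generic pattern described above: a pool whose withdrawal math rounds in the withdrawer's favour, drained through many calibrated single-share withdrawals. The pool sizes, the attacker's deposit and the "lenient" rounding policy are assumptions chosen to make the effect visible; the safe variant rounds in the pool's favour and the attacker cannot profit.

```python
"""Toy model of LP share accounting under two rounding policies.

Added illustration of the failure mode described above, not Bunni's code:
pool sizes, the attacker's deposit and the 'lenient' policy are assumptions.
"""
from dataclasses import dataclass


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up (a, b non-negative, b > 0)."""
    return -(-a // b)


@dataclass
class Pool:
    assets: int             # pooled token balance in integer base units
    shares: int             # LP shares outstanding
    lenient: bool = False   # True: withdrawals round up (bug); False: round down (safe)

    def share_price(self) -> float:
        """Assets backing one share; must never fall in a pool without losses."""
        return self.assets / self.shares

    def deposit(self, amount: int) -> int:
        """Mint shares pro rata, rounding down so depositors are never over-credited."""
        minted = amount * self.shares // self.assets
        self.assets += amount
        self.shares += minted
        return minted

    def withdraw(self, share_amount: int) -> int:
        """Burn shares and pay out the pro rata asset amount."""
        assert 0 < share_amount <= self.shares
        exact_num = share_amount * self.assets
        if self.lenient:
            # Assumed bug: rounding up gives the withdrawer up to one base unit per
            # call that belongs to the remaining LPs; repeated 1-share withdrawals
            # turn that residue into a steady drain.
            paid = ceil_div(exact_num, self.shares)
        else:
            # Safe: round in the pool's favour; the residue stays with LPs.
            paid = exact_num // self.shares
        self.assets -= paid
        self.shares -= share_amount
        return paid


def drain(pool: Pool, deposit_amount: int) -> int:
    """Deposit once, then withdraw one share at a time (the calibrated, repeated
    pattern); return the attacker's net gain in base units."""
    minted = pool.deposit(deposit_amount)
    recovered = sum(pool.withdraw(1) for _ in range(minted))
    return recovered - deposit_amount


def run(lenient: bool, deposit_amount: int = 1_000) -> tuple:
    """Return (attacker gain, share price before, share price after)."""
    pool = Pool(assets=10_500_000, shares=10_000_000, lenient=lenient)
    before = pool.share_price()
    gain = drain(pool, deposit_amount)
    return gain, before, pool.share_price()


if __name__ == "__main__":
    for lenient in (True, False):
        gain, before, after = run(lenient)
        print(f"lenient={lenient}: attacker gain={gain:+d} units, "
              f"share price {before:.7f} -> {after:.7f}")
```

With the assumed numbers the lenient pool pays the attacker 1,904 units back for a 1,000-unit deposit, and the share price of the remaining LPs falls; the safe pool pays back 952 units, the attacker loses the rounding residue, and the share price rises. The safe policy is the standard rule for vault-style accounting: mint shares rounding down and pay out assets rounding down, so every residue stays with the pool. The monotonicity of `share_price()` across any sequence of deposits and withdrawals is the invariant an adversarial or fuzz test should assert.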

Impact and Numbers

  • Estimated loss: approximately 2.3–2.4 million dollars.
  • Tokens involved: USDC and USDT.
  • Operational status: the contracts have been paused and their functions are currently suspended.
  • Critical point: LP share accounting and liquidity management during rebalancing.

Official Reactions and Context

The Bunni team has announced the suspension of the contracts as an immediate security measure and stated that a post-incident analysis is underway to identify and correct the vulnerability. No direct quotes or official statements with verifiable timestamps have been provided so far; investigations are ongoing and the priority remains securing the contracts and the remaining liquidity.

Mitigation Measures

  • Ongoing audits of the rebalancing functions and LP accounting, including tests in adversarial scenarios.
  • Limits on the transaction size that can trigger sensitive rebalancing.
  • A circuit breaker plus real-time monitoring of slippage and abnormal changes in LP share values.
  • Timelocks for critical changes and multisig for admin functions.
  • Emergency funds or insurance coverage to mitigate the impact on users.

These countermeasures are essential in DeFi risk management.

Operational Guide for Liquidity Protocols

  • Stress tests and simulations of economic attacks before release.
  • Rate limiting on functions that affect the distribution curve.
  • Active monitoring of alarm metrics such as slippage, changes in LP shares, and unexpected flows to wallets.
  • Periodic updates of incident response procedures, with drills to validate them.
  • Reliable oracles and mathematical guardrails, such as invariant checks and an explicit rounding direction, to prevent calculation errors.
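The circuit breaker, real-time share monitoring and mathematical guardrails in the two lists above can be combined into one off-chain monitor. The following Python is an added example written for this article, not Bunni's tooling. It parses a constructed event stream (the log format, field names, addresses and thresholds are assumptions, and the events are not real chain data), checks with integer cross-multiplication that the pool's share price never decreases, counts withdrawals per address in a sliding block window, and returns the block at which it would have paused the pool. It assumes single-asset share accounting; for a two-asset pool the same check should run on the pool's own liquidity units rather than on one token balance.

```python
"""Share-price monotonicity monitor with a circuit breaker.

Added example, not Bunni's monitoring: log format, field names, addresses and
thresholds are assumptions, and the events are constructed, not chain data.
Assumes single-asset share accounting: pool_assets / pool_shares must never fall.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(
    r"block=(?P<block>\d+) kind=(?P<kind>\w+) addr=(?P<addr>0x[0-9a-f]+) "
    r"assets=(?P<assets>\d+) shares=(?P<shares>\d+) "
    r"pool_assets=(?P<pool_assets>\d+) pool_shares=(?P<pool_shares>\d+)"
)


@dataclass
class Event:
    block: int
    kind: str          # deposit | withdraw | swap
    addr: str
    assets: int        # amount moved by this event
    shares: int        # shares minted/burned by this event
    pool_assets: int   # pool state after the event
    pool_shares: int


def parse_line(line: str) -> Event:
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unparseable event line: {line!r}")
    d = m.groupdict()
    return Event(int(d["block"]), d["kind"], d["addr"], int(d["assets"]),
                 int(d["shares"]), int(d["pool_assets"]), int(d["pool_shares"]))


def make_sample_log() -> list:
    """Constructed stream: a swap, a rounded-down deposit, a benign LP withdrawal,
    then twelve 1-share withdrawals from one address that each pay 2 units."""
    lines = [
        "block=99 kind=swap addr=0xb0b assets=500 shares=0 pool_assets=10500000 pool_shares=10000000",
        "block=100 kind=deposit addr=0xa11ce assets=1000 shares=952 pool_assets=10501000 pool_shares=10000952",
        "block=100 kind=withdraw addr=0xb0b assets=1 shares=1 pool_assets=10500999 pool_shares=10000951",
    ]
    assets, shares, block = 10_500_999, 10_000_951, 101
    for i in range(12):
        assets, shares = assets - 2, shares - 1
        lines.append(f"block={block} kind=withdraw addr=0xa11ce assets=2 shares=1 "
                     f"pool_assets={assets} pool_shares={shares}")
        if i % 4 == 3:          # four withdrawals per block
            block += 1
    return lines


@dataclass
class Monitor:
    window_blocks: int = 5              # sliding window for both rules
    max_withdrawals_per_addr: int = 8   # rule 2: withdrawals by one address in window
    max_price_drops: int = 10           # rule 1: tolerated decreases in window
    last: Optional[tuple] = None        # (pool_assets, pool_shares) after previous event
    drops: deque = field(default_factory=deque)
    per_addr: dict = field(default_factory=lambda: defaultdict(deque))
    alerts: list = field(default_factory=list)
    paused_at: Optional[int] = None

    def observe(self, ev: Event) -> str:
        """Return 'paused', 'pause', 'alert' or 'ok' for this event."""
        if self.paused_at is not None:
            return "paused"             # the contract would reject the call
        cutoff = ev.block - self.window_blocks
        fired = []
        # Rule 1: share price must not decrease. Cross-multiply integers so the
        # check itself cannot be fooled by float rounding.
        if self.last is not None:
            last_assets, last_shares = self.last
            if ev.pool_assets * last_shares < last_assets * ev.pool_shares:
                self.drops.append(ev.block)
                fired.append("price_drop")
        self.last = (ev.pool_assets, ev.pool_shares)
        while self.drops and self.drops[0] <= cutoff:
            self.drops.popleft()
        # Rule 2: burst of withdrawals from a single address.
        burst = False
        if ev.kind == "withdraw":
            q = self.per_addr[ev.addr]
            q.append(ev.block)
            while q and q[0] <= cutoff:
                q.popleft()
            if len(q) >= self.max_withdrawals_per_addr:
                burst = True
                fired.append("withdraw_burst")
        self.alerts.extend((ev.block, kind, ev.addr) for kind in fired)
        if burst or len(self.drops) >= self.max_price_drops:
            self.paused_at = ev.block
            return "pause"
        return "alert" if fired else "ok"


def run_monitor(lines, **thresholds) -> dict:
    """Feed parsed events through a Monitor and summarise what it would have done."""
    mon = Monitor(**thresholds)
    for line in lines:
        mon.observe(parse_line(line))
    return {
        "paused_at": mon.paused_at,
        "price_drops": sum(1 for a in mon.alerts if a[1] == "price_drop"),
        "bursts": sum(1 for a in mon.alerts if a[1] == "withdraw_burst"),
        "alerts": mon.alerts,
    }


if __name__ == "__main__":
    print(run_monitor(make_sample_log()))
```

On the constructed stream the monitor flags eight consecutive share-price decreases and pauses at block 102, when the same address reaches eight withdrawals inside the window; the three benign events alone produce no alert, because a rounded-down deposit or withdrawal never lowers the share price. In production the same `observe()` logic would be fed from a block or mempool subscription and the pause decision wired to the protocol's guardian or multisig, with thresholds tuned to the pool's normal withdrawal cadence rather than the values assumed here.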

Next Steps for Users and Developers

  • Users: Monitor official protocol updates and check on-chain logs for any changes in the affected pools.
  • Developers: Complete the technical post-mortem, release temporary patches, and plan an independent audit focused on the liquidity management function and LP calculations.

What to Monitor

  • Transaction hashes and addresses confirmed on explorers such as Etherscan or Blockscout, for full traceability.
  • Updates on the release of patches and the expected timeline for the reactivation of contracts.
  • Forensic reports from blockchain analysis companies and public audit results.
  • Any bounty programs or agreements for the return of misappropriated funds.

Conclusions

The attack on Bunni shows how innovations in liquidity distribution can introduce new attack surfaces when the rebalancing mechanism is not robust enough.

The combination of curve manipulation and errors in LP share calculations made it possible to drain approximately 2.3 to 2.4 million dollars in stablecoins.

The priority now is to complete a transparent post-incident analysis, correct the liquidity management logic, and introduce more rigorous defensive controls.

Numbers and addresses (summary)

  • Estimated amount: approximately 2.3–2.4 million dollars.
  • Tokens: USDC (approximately 1.33M) and USDT (approximately 1.04M).
  • Status: contracts paused, investigations ongoing.