Bunni Vulnerability May Have Enabled $2.4M Stablecoin Drain, Including $1.33M in USDC

  • Exploit type: LDF rebalancing manipulation on Uniswap v4-based contracts

  • Funds lost: ~ $1.33M USDC and $1.04M USDT, total ≈ $2.4M.

  • Response: All Bunni smart contract functions paused; withdraw funds and monitor official COINOTAG updates.

Bunni exploit: $2.4M drained in stablecoins after LDF rebalancing bug. Bunni paused contracts; withdraw funds now. Read analysis, expert commentary and next steps.

What is the Bunni exploit?

The Bunni exploit is an onchain attack that manipulated Bunni’s custom Liquidity Distribution Function (LDF) rebalancing logic, allowing an attacker to force incorrect liquidity-provider (LP) share calculations and drain roughly $2.4 million in stablecoins from Ethereum-based contracts.

How did the attacker manipulate the LDF and rebalancing logic?

Early technical analysis shows the attacker executed trades of specific sizes that triggered faulty LDF rebalancing calculations. The custom LDF, built on Uniswap v4 primitives, computed LP entitlements incorrectly when fed edge-case trade sizes, allowing gradual extraction without immediate alarms.

The attacker repeated the exploit multiple times, moving funds to a single address holding ~ $1.33M USDC and ~ $1.04M USDT. Security researchers and developers, including commentary from Victor Tran (co-founder, KyberNetwork), identified the manipulation pattern onchain.

Experts ask Bunni users to remove funds. Source: Michael Bentley

When did Bunni detect and respond to the exploit?

Bunni’s team confirmed the security exploit on X and paused all smart contract functions across networks as a precaution. The pause aims to prevent further unauthorized withdrawals while an internal investigation and post-mortem proceed.

What funds were affected and how large was the loss?

Onchain analysis shows the exploit drained approximately $2.37 million in stablecoins: ~ $1.33M in USDC and ~ $1.04M in USDT. These figures are aggregated from blockchain trace data and public security firm reports available onchain and via community posts.

Security monitoring firms noted the attack fits a growing pattern of protocol-level logic manipulation rather than simple private key compromise.

Attacker exploits Bunni’s liquidity function. Source: Victor Tran

How should affected users respond now?

If you have funds on Bunni, withdraw immediately to a secure wallet under your control. Paused contracts prevent normal operations; withdrawing (where available) reduces exposure while the team investigates.

Recommended steps:

  1. Withdraw funds to a self-custodial wallet you control.
  2. Revoke any unnecessary token approvals using a trusted wallet interface.
  3. Monitor the affected contract addresses and follow official COINOTAG updates.
  4. Do not interact with unverified recovery tools or services; prefer official team guidance.

Why does this exploit matter for DeFi security?

This incident highlights risks in custom protocol logic: replacing widely audited primitives (Uniswap defaults) with bespoke mechanisms like the LDF can introduce edge-case vulnerabilities. The incident underscores the need for thorough formal verification and multi-party audits for novel liquidity algorithms.
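The two passages above describe LP entitlements being miscomputed for edge-case trade sizes and the need for rigorous verification of bespoke liquidity math. The following is an added example, not code from Bunni, Uniswap or this article, and it does not reproduce the actual LDF defect: it is a constructed single-asset vault with a deliberately weak share-minting setting (rounding minted shares toward the depositor) placed beside the correct setting, plus a small property-based fuzzer of the kind an auditor would run. The invariant under test is that an immediate deposit-then-redeem round trip can never pay out more than was deposited; the fuzzer searches random pool states and deposit sizes, including dust-sized ones, for a counterexample. All names, values and the `round_up_mint` flag are assumptions for illustration.

```python
# Added example (not Bunni's code): property-check harness for LP share
# accounting in a simplified single-asset vault. The "round_up_mint" flag is a
# constructed weak setting used to show how a fuzzer over random deposit sizes
# surfaces rounding that over-credits a depositor; it is not the actual LDF bug.
from dataclasses import dataclass
import random


@dataclass
class Vault:
    reserve: int                  # pooled assets, in base units (constructed values)
    total_shares: int             # outstanding LP shares
    round_up_mint: bool = False   # weak setting: round minted shares up

    def deposit(self, amount: int) -> int:
        """Mint shares pro rata to the deposit; return shares minted."""
        if self.total_shares == 0:
            shares = amount  # first depositor sets the 1:1 baseline
        else:
            numerator = amount * self.total_shares
            shares = numerator // self.reserve  # floor favours the pool
            if self.round_up_mint and numerator % self.reserve:
                shares += 1  # rounding toward the caller: over-credits
        self.reserve += amount
        self.total_shares += shares
        return shares

    def withdraw(self, shares: int) -> int:
        """Burn shares and pay out the pro-rata reserve; return amount paid."""
        amount = shares * self.reserve // self.total_shares  # floor favours the pool
        self.reserve -= amount
        self.total_shares -= shares
        return amount


def round_trip(vault: Vault, amount: int) -> int:
    """Deposit `amount`, immediately redeem the minted shares, return the payout."""
    shares = vault.deposit(amount)
    return vault.withdraw(shares)


def find_violation(round_up_mint: bool, trials: int = 2000, seed: int = 7):
    """Fuzz random vault states and deposit sizes.

    Invariant under test: an immediate deposit/withdraw round trip must never
    pay out more than was deposited. Returns the first (reserve, total_shares,
    amount, payout) tuple that breaks it, or None if every trial holds.
    """
    rng = random.Random(seed)
    for _ in range(trials):
        reserve = rng.randint(1, 10**9)
        total_shares = rng.randint(1, 10**9)
        amount = rng.randint(1, 10**6)  # includes dust-sized edge cases
        vault = Vault(reserve, total_shares, round_up_mint)
        payout = round_trip(vault, amount)
        if payout > amount:
            return (reserve, total_shares, amount, payout)
    return None


if __name__ == "__main__":
    print("round-down mint:", find_violation(False))  # expect None
    print("round-up mint:  ", find_violation(True))   # expect a counterexample
```

With the correct floor-in-both-directions setting the invariant holds for every trial (for shares s = floor(aT/R) one has sR <= aT, hence s(R+a) <= a(T+s) and the payout never exceeds a); with the weak setting the fuzzer finds a counterexample within a handful of trials, for instance a vault of 1000 units against 3 shares where depositing 1 unit mints a whole share worth 250 units. The point for an audit of novel liquidity math is that the check is an invariant over all sizes, not a review of the happy path.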

What broader trends do security firms report?

August saw crypto thefts exceed $163 million across multiple incidents, a rise versus July. Firms such as PeckShield reported attackers shifting tactics toward higher-value targets and protocol logic exploits, increasing the importance of robust smart contract design and incident response planning.


Frequently Asked Questions

How long will Bunni contracts remain paused?

Pause duration depends on the investigation timeline. Bunni’s team paused contracts immediately; they will provide updates as root-cause analysis and potential fixes progress. Monitor COINOTAG and official Bunni announcements.

Can drained funds be recovered?

Fund recovery depends on attacker behavior and possible legal or onchain remedies. Recovery is uncertain; protocols sometimes coordinate with exchanges and security firms, but outcomes vary by case.

Key Takeaways

  • Exploit mechanics: LDF rebalancing logic on Uniswap v4-based contracts was manipulated.
  • Immediate impact: ≈ $2.37M in USDC and USDT drained; contracts paused.
  • User action: Withdraw funds, revoke approvals, monitor official COINOTAG updates, and follow security guidance.

Conclusion

This Bunni exploit demonstrates the risks of bespoke liquidity logic in decentralized exchanges. Bunni exploit victims should act quickly to withdraw and secure funds while teams complete a post-mortem. Expect further technical details and remediation steps from the Bunni team and security researchers in the coming days.

Published: 2025-09-02 · Updated: 2025-09-02 · Author: COINOTAG
