BunniXYZ Ethereum exchange suffers $2.3M breach

The BunniXYZ Ethereum exchange saw a series of unauthorized outflows. On-chain investigators identified the event as a hack, with losses of around $2.3M. BunniXYZ, an Ethereum decentralized exchange, has been exploited through one of its smart ￰1￱ hacker moved mostly stablecoins, for a total loss of $2.3M. #CertiKInsight 🚨 We have identified a $2.3M exploit on the @bunni_xyz BunniHub contract. ￰0￱ The exploiter has exfiltrated funds to ￰2￱ Vigilant! — CertiK Alert (@CertiKAlert) September 2, 2025 Based on the transaction history , the hacker attacked USDT and USDC vaults, then moved the tokens through the Ethereum ecosystem, ending up with a mix of ETH and ￰3￱ the first minutes, the BunniXYZ project recognized the attack against its app, closing all smart ￰4￱ after the hack, the exploiter continued to swap funds into ETH through other DeFi ￰5￱ the hour after the attack, the hacker did not yet move or mix the funds, except for the initial movements through DeFi ￰6￱ attack against BunniXYZ is part of the latest series of relatively minor hacks, stealing less than $10M.

Even the relatively small attacks often cost the reputation of protocols and destroy new DeFi ￰7￱ of the most recent smart contract exploits was against BetterBank, as Cryptopolitan ￰8￱ attacks raise suspicions of insider jobs, or malicious code injected into Web3 by DPRK ￰9￱ attacked at the peak BunniXYZ is a DEX using both Ethereum and ￰10￱ new market also uses the Uniswap V4 technology to create special vaults and markets with more complex trading ￰11￱ with other markets, BunniXYZ was attacked soon after reaching a local peak of value ￰12￱ the end of August, the exchange carried up to $60M in its ￰13￱ market was still relatively small, after launching in February and finding its place among new DeFi ￰14￱ was also one of the most successful months for the DEX, with over $1B in ￰15￱ exchange was specifically building liquidity for rehypothecation , while avoiding liquidations during market ￰16￱ DEX liquidity was also linked to Euler Protocol for passive ￰17￱ rode on the expanded volumes of Uniswap V4, as the protocol drew in over $393M to its vaults on Ethereum and $298M on ￰18￱ exploited BunniXYZ liquidity calculation Post-hack analysis showed BunniXYZ was vulnerable due to its specific liquidity recalculation ￰19￱ DEX is a liquidity hook, using the Uniswap V4 technology.

However, instead of using Uniswap’s liquidity calculation, BunniXYZ recalculates the Liquidity Distribution ￰20￱ exploiter discovered the Liquidity Distribution Function could break from trades of specific ￰21￱ meant the smart contract would pay out more tokens from the liquidity pool than owned in reality, ending up draining the ￰22￱ attacker had to repeat multiple transactions to finally accrue $2.3M, then swap them out for ￰23￱ then ended up depositing the ETH into Aave, holding $1.33M in AethUSDC and $1M in AethUSDT based on the wallet’s final ￰24￱ has undergone previous audits, but the LDF bug may have arrived with a later version of the ￰25￱ most probable cause is a precision bug, which required the hacker to perform multiple transactions to accrue a bigger balance based on the flawed ￰26￱ up to $30,050 in trading rewards when you join Bybit today