$8.4 Million Exploit Forces Bunni DEX to Cease Operations

Bunni, a decentralized exchange (DEX) built on Uniswap v4, has officially shut down after suffering an $8.4 million exploit that crippled its operations and drained its liquidity pools. The decision marks one of the most significant DeFi exits of 2025, underlining how security lapses continue to challenge the decentralized finance space.

The exploit that ended Bunni

In September, Bunni was hit by an on-chain exploit that allowed an attacker to siphon roughly $8.4 million in user funds across multiple networks. The exploit reportedly targeted the platform’s liquidity distribution contracts, manipulating how funds were calculated and withdrawn.

Following the breach, Bunni immediately paused all operations to assess the damage and prevent further loss. A post-mortem revealed that the attack exploited a vulnerability in the protocol’s smart contract logic, which had not been detected during prior audits.

Despite an open bounty offered to the attacker for the return of funds, no significant recovery has been reported.

Why the project chose to shut down

After weeks of internal review, the Bunni team concluded that restarting the protocol was financially impossible. A secure relaunch would require new smart contract audits, compensation funds for affected users, and extensive monitoring systems, costs estimated to run into six to seven figures.

In a statement shared on X (formerly Twitter), the team said:

“We don’t have the financial capacity to relaunch Bunni in a secure way. Rather than attempt a rushed rebuild, we’ve decided to sunset the project responsibly and open-source what we can for the community.”

This announcement effectively ends active development on the Bunni protocol.

Withdrawal window remains open

While Bunni is shutting down, the team confirmed that withdrawals remain open for users who still have assets locked in the protocol. A snapshot will be taken to determine token holder balances, and any remaining treasury funds will be distributed accordingly.

Importantly, team members have been excluded from receiving any portion of the treasury distribution, a move the project says was made “in fairness to the community.”

Bunni also stated that it is working with law enforcement and blockchain forensics experts to trace the stolen funds and pursue potential recovery options.

Open-sourcing Bunni’s codebase

As part of its exit plan, Bunni has relicensed its v2 smart contracts from the restrictive Business Source License to the more open MIT license. This means other developers are now free to use, adapt, or build on Bunni’s code without permission or fees.

This relicensing ensures that, while the project itself has ended, its underlying technology, particularly its Liquidity Distribution Function (LDF) and surge-fee logic, can live on in other decentralized exchanges or liquidity platforms.

“Our code is now fully open for anyone to build upon. We hope the community can learn from what we created, and from our mistakes,” the team added.

What this means for users and DeFi developers

For users, the next steps are clear:

• Withdraw any remaining funds from the Bunni protocol as soon as possible.

• Monitor Bunni’s official channels for updates on the final treasury distribution and the ongoing recovery efforts.

For developers, Bunni’s open-sourced contracts provide a valuable case study. While its design introduced innovative liquidity management concepts, it also serves as a reminder that even small oversights in smart contract design can have devastating consequences.

Bunni’s shutdown follows a pattern of DeFi platforms struggling to recover from exploits due to limited capital, insurance, or regulatory backing. As protocols compete to innovate, security has often lagged behind creativity, an imbalance that continues to define much of the decentralized finance landscape.