The decentralized exchange Bunni has announced it will cease operations following an $8.4 million exploit and an inability to fund a secure relaunch.
Key Takeaways
- Bunni, a DEX built using the Uniswap V4 hooks architecture, suffered a loss of approximately $8.4 million after attackers exploited its custom liquidity functions.
- The team said that relaunching would require six to seven figures just for auditing and monitoring, plus months of redevelopment costs it could not meet.
- Remaining treasury assets will be distributed to token holders of BUNNI, LIT and veBUNNI after legal steps. Team members will be excluded.
- As a final move, Bunni relicensed its V2 smart contracts under the MIT license, making its innovations open source to other developers.
- The incident underscores the growing security risks in DeFi protocols, especially those using advanced custom logic beyond standard DEX architecture.
What Happened?
The protocol known as Bunni, built on the Uniswap V4 framework, announced that it is formally winding down operations after a major security incident. According to the project team, an exploit earlier this month drained roughly $8.4 million in assets. The team stated that restarting with all the needed audits, monitoring systems and redevelopment would cost six to seven figures and take months. Unable to justify the capital and the delay, the project decided to shut down.
"Hello everyone, it is with saddened hearts that we announce the shutdown of Bunni. The recent exploit has forced Bunni’s growth to a halt, and in order to securely relaunch we’d need to pay 6-7 figures in audit & monitoring expenses alone – requiring capital that we simply don’t…"
— Bunni (@bunni_xyz) October 23, 2025
Users are still reportedly able to withdraw funds from the platform until further notice. The project also said it will distribute remaining treasury assets to holders of tokens BUNNI, LIT and veBUNNI after completing legal processes, though team members will not be eligible for the distribution.
How the Exploit Unfolded
Security firms analyzing the incident describe the attack as highly sophisticated. The exploit targeted Bunni’s Liquidity Distribution Function (LDF), a custom mechanism that the protocol used to optimize liquidity across price ranges.
In essence:
- The attacker used flash loans to borrow large amounts of assets, manipulated the pool tick price, and triggered rounding errors in withdrawal functions.
- On Ethereum and UniChain, the attacker executed repeated trades of specific sizes, confusing Bunni’s rebalancing logic and enabling a disproportionate asset extraction.
- The withdrawal logic was supposed to round down an idle balance but instead increased it, which the attacker exploited.
The result: billions in liquidity shrank rapidly, with Bunni’s total value locked dropping from tens of millions to near zero.
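The rounding behaviour described in the list above can be checked with an invariant test. The following is an added example, not Bunni's code: it assumes a simplified model in which a tracked idle balance is reduced in proportion to the shares withdrawn, and every function name and input value is hypothetical.

```python
from fractions import Fraction

def floor_decrement(idle, shares, supply):
    # Amount removed is rounded down, so the tracked balance ends up rounded UP.
    return idle - (idle * shares) // supply

def ceil_decrement(idle, shares, supply):
    # Amount removed is rounded up, so the tracked balance ends up rounded DOWN.
    return idle - (idle * shares + supply - 1) // supply

def drifts(update, idle, supply, withdrawals):
    """Return tracked-minus-exact idle balance after each withdrawal."""
    exact = Fraction(idle)          # exact proportional value, no rounding
    out = []
    for shares in withdrawals:
        exact -= exact * Fraction(shares, supply)
        idle = update(idle, shares, supply)
        supply -= shares
        out.append(idle - exact)
    return out

def rounds_down(update, idle, supply, withdrawals):
    """Invariant: the tracked balance never exceeds the exact value."""
    return all(d <= 0 for d in drifts(update, idle, supply, withdrawals))

# Constructed input: a small idle balance and many one-share withdrawals.
IDLE, SUPPLY = 1_000, 1_000_000
DUST = [1] * 500

if __name__ == "__main__":
    for fn in (floor_decrement, ceil_decrement):
        d = drifts(fn, IDLE, SUPPLY, DUST)
        status = "holds" if rounds_down(fn, IDLE, SUPPLY, DUST) else "VIOLATED"
        print(f"{fn.__name__}: invariant {status}, final drift {float(d[-1])}")
```

With this input the rounded-down variant also ends far below the exact value, so a test suite would bound the drift in both directions rather than check only its sign.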
Why the Team Gave Up
In its public statement, Bunni explained that resuming operations would demand huge investment in time and security. The numbers quoted suggest that audit and monitoring alone would cost six to seven figures.
Beyond that, restoring business development, marketing, partnerships, user confidence and infrastructure would take months. The team said that given these combined burdens, continuing was not viable. The statement read: “The recent exploit incident has forced the development of Bunni to come to a standstill. To safely restart … would require six to seven figures … and months of development … which is also something we cannot bear.”
Additionally, the project decided to relicense its V2 code under the MIT license (previously Business Source License), allowing other developers to use its features such as surge fees, autonomous rebalancing and liquidity hooks.
Impact on Users and Token Holders
Users of Bunni can still withdraw assets from the website, according to the protocol. The project said that once legal validation is complete, remaining treasury assets will be distributed through a snapshot to holders of BUNNI, LIT and veBUNNI tokens. Team members will be excluded from this distribution.
For token holders this means: recovery is possible, but amounts and timing remain uncertain pending legal process. For liquidity providers the timeline to recoup losses could be long.
Wider Implications for DeFi and Uniswap V4 Ecosystem
This incident raises larger questions about innovation in DeFi. While features like hooks, custom liquidity distribution and rebalancing promise higher yields, they also introduce complex logic and novel attack surfaces. Security firms say the Bunni exploit is a case in point: even audits of the code by firms like Trail of Bits and Cyfrin failed to catch a logic-level flaw.
For the broader ecosystem of Uniswap V4-based protocols, the attack might prompt more caution. While early adopters may chase innovation and yield, they also face elevated risk. Observers expect this event to slow aggressive deployment of new hooks or push projects to invest more heavily in formal verification, bug bounties and real-world testing.
CoinLaw’s Takeaway
In my experience watching the DeFi space evolve, the Bunni case is yet another reminder that high reward often comes with high risk. The team built something ambitious, a DEX leveraging Uniswap V4’s hooks to deliver advanced liquidity features. But custom logic is harder to secure, harder to audit and harder to recover when it fails. By choosing to shut down rather than relaunch, the team has acknowledged that rebuilding credibility and capital wasn’t feasible in the current climate. If you are participating in or advising on DeFi protocols, this story reinforces the need to factor in exit plans, security reserves and realistic budgets for risk events. That insight may save projects and users major pain in future.
