Decentralized exchange BunniXYZ has been hit by a liquidity-based security exploit that drained $8.4 million, the project and on-chain analysts reported.
On-chain security firm Hacken says the attack pulled $6 million through the Unichain network and another $2.4 million from Ethereum. The Unichain proceeds were then bridged to Ethereum using the Across Protocol. In response, BunniXYZ paused all smart contract functions and said its team is “actively investigating.”
The vulnerability reportedly targeted Bunni’s custom liquidity math — its Liquidity Distribution Function (LDF), often described as a liquidity curve layered on top of Uniswap v4. According to on-chain analyst Victor Tran, attackers executed a series of trades of specific sizes to manipulate the LDF. That manipulation made Bunni’s rebalancing calculations return incorrect ownership amounts for liquidity shares, letting attackers withdraw more tokens than they were entitled to.
BunniXYZ, launched in February 2025, runs on Uniswap v4 and primarily uses Ethereum and Unichain. Its cross-chain TVL sits just above $50 million today, down from a peak above $80 million earlier in August.
Industry voices urged caution: Michael Bentley (Euler) advised users to remove funds while the DEX investigates and noted Euler itself is not at risk. This incident underscores how custom liquidity logic can introduce novel attack vectors even when underlying protocols are battle-tested.
Why it matters: protocol-level math and custom hooks can create subtle failure modes. Users should withdraw exposed funds where possible and follow official communications. Expect forensic on-chain traces and potential recovery or legal follow-ups.
Source: Decrypt. Read the original coverage for full details.