Bunni Exchange Shuts Down After $8.4M Hack: What About User Fund?

Why Bunni Exchange Closes Permanently? How Users Can Withdraw Funds?

Bunni Exchange has announced a permanent shutdown following an $8.4 million flash loan hack, citing high recovery costs and the inability to relaunch the platform securely.

What Happened? 

Bunni, a decentralized exchange (DEX), has decided to close its operations permanently after suffering a massive $8.4 million exploit last month. 

The attack targeted two pools on the platform: 

• WeETH/ETH on Unichain 

• USDC/USDT on Ethereum. 

According to the exchange, the hacker used a combination of flash loans, multiple small withdrawals, and a sandwich attack to drain funds. 

Source: Decryp Media X

Flash loans allow borrowing large amounts without collateral within a single transaction, while sandwich attacks manipulate prices around trades to generate profit. 

The stolen funds were subsequently moved across multiple chains, likely to conceal their origin. This incident highlights the vulnerabilities in custom liquidity logic within decentralized finance.

Reasons for Shutdown 

The Exchange founders explained that the platform cannot afford to relaunch securely due to high costs and extended recovery timelines. Relaunching would require six to seven figures for audits, monitoring, and other security measures. 

Additionally, restoring the platform to its previous state would take months of development and business effort, which the team does not have the resources to handle. The team concluded that the safest and most practical decision was to shut down Bunni permanently rather than risk another exploit. 

Source: X

Despite the setback, the DEX hopes that its technological innovations, including Liquidity Density Functions (LDFs), surge fees, and autonomous rebalancing, will continue benefiting the broader DeFi ecosystem through the newly relicensed open-source contracts.

Bunni Exchange Hack Details

• The post-mortem report revealed that the hacker first flash-borrowed 3 million USDT and executed multiple swaps from USDT to USDC, causing the pool price to spike. 

• The attack exploited weaknesses in Bunni’s custom liquidity logic, using tiny repeated withdrawals and sandwich attacks to profit from price manipulation. 

• Flash loans, though innovative in DeFi, enable attackers to borrow vast sums without collateral, increasing risk if protocols are not exhaustively tested. 

• The incident emphasizes the importance of robust security in decentralized finance platforms and careful testing of custom functions before launch.

Hack Recovery Steps

the DEX is actively collaborating with law enforcement to recover the stolen funds. The team even offered the hacker 10% of the stolen assets if returned, but this proposal received no response. 

Meanwhile, the exchange aims to provide updates on the legal process and ensure transparency in addressing the exploit. Their efforts highlight the importance of accountability and cooperation in the DeFi space, even after significant financial losses.

What Will Happen to User Assets

Users can continue withdrawing their funds from Bunni’s website until further notice. The platform plans to distribute remaining treasury assets to BUNNI, LIT, and veBUNNI holders based on a snapshot, excluding the team members. 

The exact details of the distribution are pending legal validation, and updates will be shared once the process is finalized. Bunni assures its users that while the platform is shutting down, remaining assets will be handled fairly and transparently.

Conclusion

This shutdown underscores the risks in DeFi, especially with custom liquidity protocols and flash loans. The team hopes their open-source innovations will continue benefiting the decentralized finance ecosystem.