Decentralized Exchange BunniXYZ Loses $8.4M in Liquidity Exploit

Decentralized exchange (DEX) BunniXYZ has reportedly lost $8.4 million to a liquidity-based security exploit.

According to on-chain security firm Hacken, $6 million of the DEX's funds was stolen via the Unichain blockchain and $2.4 million via Ethereum. All Unichain funds were then bridged to Ethereum using the Across Protocol.

Confirming the attack in a tweet, BunniXYZ said that it had paused all smart contract activity on its network and was “actively investigating” the circumstances of the attack. It added that it would provide updates soon.

Founded in February 2025, BunniXYZ is based on automated market maker Uniswap v4, and primarily uses the Ethereum and Unichain blockchains. It currently has a cross-chain Total Value Locked (TVL) of just over $50 million according to DeFiLlama, though it exceeded $80 million at one point earlier this August.

Michael Bentley, co-founder of lending protocol Euler, advised users to remove their funds from Bunni in a tweet, adding that while the DEX rebalances funds in and out of Euler, the lending protocol is "not affected or at risk." Euler endured a major exploit of its own in 2023 that saw hackers steal nearly $200 million, the bulk of which was later recovered.

What happened?

According to on-chain analyst Victor Tran, co-founder of Kyber Network, hackers manipulated Bunni’s “liquidity curve,” also known as its LDF (Liquidity Density Function). This is the system that calculates how much extra liquidity exists within the exchange and rebalances its liquidity pool to keep the right ratio of tokens.

Tran said hackers manipulated this LDF “by making trades of very specific sizes.” This caused the rebalancing calculation to break, producing incorrect results for how much each liquidity pool share should own.

By repeating this process, hackers allegedly withdrew more tokens than they should have been able to from Bunni.

Bunni itself has not yet confirmed the mechanism behind the attack.