Cryptocurrency Trading Platform Bunni Shuts Down Following $8.4 Million Hack
Bunni, a decentralized exchange protocol, has officially announced its shutdown after falling victim to an $8.4 million exploit in late September. This marks the second significant setback for the cryptocurrency industry in October, following the Kadena Organization's decision to step back from their project amid ongoing challenges.
The Bunni Hack: A Comprehensive Analysis
On September 2, an attacker stole $8.4 million from the Bunni exchange by exploiting a rounding-direction bug in the smart contract's withdrawal logic. In a detailed post-mortem report, the platform explained that the hacker used a combination of flashloans, micro-withdrawals, and sandwich attacks to artificially reduce and inflate the pool's total liquidity.
- The vulnerability allowed the attacker to manipulate swaps and extract profit from the resulting trades.
- Two pools were affected: weETH/ETH on Unichain and USDC/USDT on Ethereum. However, the largest pool, Unichain USDC/USD₮0, escaped exploitation due to insufficient flashloan liquidity.
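A simplified integer-math model of a rounding-direction error in pro-rata withdrawals, added here as an illustration and not taken from Bunni's contracts or post-mortem. The `Pool` type, the function names and the numbers are assumptions. It shows a per-share-value invariant that a test suite or monitor can check after every withdrawal, and how rounding against the pool accumulates over many small withdrawals.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    balance: int  # token units tracked by the pool (constructed sample values)
    shares: int   # total share supply

def withdraw(pool, burn, round_up):
    """Burn `burn` shares and remove the pro-rata balance, rounded as directed."""
    num = pool.balance * burn
    # Ceiling division favours the withdrawer; floor division favours the pool.
    out = -(-num // pool.shares) if round_up else num // pool.shares
    return Pool(pool.balance - out, pool.shares - burn), out

def invariant_holds(before, after):
    """Value per remaining share must not fall after a withdrawal.
    Cross-multiplied to stay in integers:
    after.balance / after.shares >= before.balance / before.shares."""
    return after.balance * before.shares >= before.balance * after.shares

def run_micro_withdrawals(pool, burn, count, round_up):
    """Apply `count` withdrawals of `burn` shares each.
    Returns the final pool and how many steps broke the invariant."""
    violations = 0
    for _ in range(count):
        nxt, _ = withdraw(pool, burn, round_up)
        if not invariant_holds(pool, nxt):
            violations += 1
        pool = nxt
    return pool, violations

if __name__ == "__main__":
    start = Pool(balance=100, shares=300)  # constructed sample state
    for round_up in (False, True):
        final, bad = run_micro_withdrawals(start, burn=1, count=150, round_up=round_up)
        label = "round up (against pool)" if round_up else "round down (for pool)"
        print(f"{label}: final={final} invariant violations={bad}")
```

In this model, burning one share at a time with upward rounding removes the pool's entire balance after only a third of the shares are burned, while downward rounding never breaks the invariant.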
The report stated, "This exploit was a horrible thing that's been hard on Bunni's users as well as our team." The team noted that they are passionate about building in DeFi and pushing the industry forward but were unable to recover from the significant loss. They spent years of their lives and millions of dollars to launch Bunni, which they believe is the future of AMMs and will process trillions of dollars in value.
Impact of the Hack on Bunni's TVL
According to DefiLlama data, after the hack, Bunni's Total Value Locked (TVL) declined from $50.82 million to just $1.3 million in a month, marking a drop of 97.44%. This significant loss led to multiple attempts to recover from the incident.
Attempts to Recover and Final Decision
The team proposed letting the attacker keep 10% of the stolen funds if the rest was returned but ultimately found it challenging to recover from the exploit successfully. They decided to wind down operations, citing the heavy strain caused by the hack. The team estimated that relaunching would require comprehensive audits and constant monitoring, with costs running hundreds of thousands to millions of dollars, which exceeded available capital.
The team concluded, "It'd also take months of development & BD effort just to get Bunni back to where it was before the exploit, which we cannot afford. Thus, we have decided it's best to shut down Bunni." Bunni notified its users that they can withdraw funds through the website and plans to distribute the remaining treasury assets to BUNNI, LIT, and veBUNNI holders.
Distribution of Remaining Assets
The team will release distribution details after legal procedures are completed. In cooperation with law enforcement, they aim to recover the stolen funds and ensure that their efforts do not go to waste. The Bunni v2 smart contracts have been relicensed from BUSL to MIT, allowing everyone to utilize their innovations such as LDFs, surge fees, and autonomous rebalancing.
Industry-Wide Concerns
Crypto platforms and exchanges face mounting threats, with incidents like Bunni’s emphasizing the need for strong security. The industry lost $127.06 million in September, with 20 large-scale attacks recorded. Volatile market conditions have also forced platforms to leave the market as they struggle to recover from significant losses.
This incident highlights the vulnerability of DeFi projects and the importance of robust security measures.