Decentralized exchange Bunni has fallen victim to a security exploit that drained an estimated $2.3 million from its Ethereum-based smart contracts, according to on-chain analysis from blockchain security firm Blocksec.
The breach, reported on Tuesday, targeted vulnerabilities within Bunni’s protocol. While the exact method used by attackers has not yet been disclosed, blockchain records show that the stolen funds were funneled into the wallet address “0xe04…64f2b.” The address currently holds about $1.33 million in USDC and $1.04 million in USDT, both stablecoins.
ALERT! Our system detected a suspicious transaction targeting @bunni_xyz ’s contract on #Ethereum, and the loss is ~$2.3M. Please take actions ASAP.
— BlockSec Phalcon (@Phalcon_xyz) September 2, 2025
The incident prompted urgent warnings from within the project’s own community.
“If you have money on [Bunni] remove it ASAP,” wrote Bunni core contributor @Psaul26ix on social platform X.
Built on top of Uniswap V4, Bunni is designed to enhance returns for liquidity providers through adaptive pools and incentive tokens. Its growing adoption made the breach particularly concerning for decentralized finance (DeFi) users seeking optimized yield strategies.
In response, the Bunni team confirmed the attack in a statement posted at 3:04 a.m. on X:
“The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon.”
🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience.
— Bunni (@bunni_xyz) September 2, 2025
The exploit adds to a string of DeFi security breaches in 2025, underscoring the persistent risks of vulnerabilities in smart contract systems despite rapid innovation in the sector.
