Bunni DEX shuts down after failing to recover from $8M exploit

Bunni DEX has announced its shutdown after the project failed to recover from a multi-million dollar exploit that exposed critical flaws in its liquidity logic.

“The recent exploit has forced Bunni’s growth to a halt,” the project’s team said in an Oct. 23 X post, adding that to restart operations, it needs “6-7 figures in audit & monitoring expenses alone,” which the project is currently unable to secure.

The team confirmed that all development efforts and future roadmap items have been suspended indefinitely.

As part of its sunset plans, Bunni will initiate a phased wind-down of its infrastructure, which includes deactivating all front-end interfaces, support channels. 

Subsequently, the project will release documentation to help remaining liquidity providers withdraw their funds where possible.

The team said that while smart contracts will remain on-chain, users should proceed cautiously, as there will be no further updates, bug fixes, or active monitoring. 

A final community call will also be hosted next week to address outstanding questions and provide clarity on next steps.

For now, users will be able to withdraw their assets via the official website until further notice. 

At the same time, the remaining treasury assets will be distributed to BUNNI, LIT, and veBUNNI holders after legal validation.

The team clarified that no member of the core team will receive any funds.

Meanwhile, the project team will continue to collaborate with law enforcement agencies and blockchain security firms in relation to the September exploit. 

Efforts are underway to trace the stolen funds and assist in any ongoing investigations, though the team acknowledged that recovery remains uncertain given the sophisticated nature of the attack.

Although Bunni is shutting down, the team has opted to release the entire codebase under the MIT license, allowing open access to the protocol’s architecture, tooling, and liquidity framework.

Open-sourcing this means anyone can study, fork, or build upon Bunni’s code without restrictions.

“We have pushed the AMM space forward by a generation, and it would be a shame if our efforts went to waste,” the team said.

 Bunni Dex suffered a multi-million dollar exploit

The decision comes just weeks after Bunni suffered a devastating exploit that siphoned nearly $8.4 million from its liquidity pools.

Although the team was quick to suspend all protocol functions across supported networks, the damage had already been done.

 Preliminary investigations pointed to a vulnerability in the platform’s Liquidity Distribution Function, a mechanism unique to Bunni that was designed to optimise returns by spreading liquidity across targeted price ranges.

Unlike standard DEX models, Bunni’s system could be manipulated with trades of carefully calculated sizes.

According to early assessments shared by developers and researchers in the community, the attacker repeatedly exploited the function by tricking the rebalancing logic into mispricing how much liquidity providers were entitled to.

As such, the attacker was able to drain funds slowly over multiple rounds without triggering any security alarms.

Second major DeFi shutdown this week

The collapse of Bunni DEX marks the second high-profile shutdown in recent days, coming closely on the heels of Kadena’s unexpected exit from the blockchain space. 

Once promoted as an enterprise-grade Layer-1 solution, Kadena officially ceased all business activity earlier this week, citing prolonged market pressures and dwindling ecosystem engagement. 

Founded by former JPMorgan and SEC executives, the project struggled to maintain momentum despite years of development and millions invested into its proof-of-work infrastructure.

Kadena’s token, KDA, plummeted nearly 60 percent after the shutdown announcement, with over 99 percent of its value wiped out from its 2021 peak. 

Although the protocol remains technically operational due to its decentralised mining structure, the organisation behind it has been fully disbanded, with only a skeleton crew left to oversee a limited transition.

The post Bunni DEX shuts down after failing to recover from $8M exploit appeared first on Invezz