Bunni DEX Suffers $2.3M Hack, Exposes Key DeFi Security Vulnerabilities

Decentralized exchange Bunni has suffered a $2.3M exploit on the Ethereum blockchain, per blockchain security scanner Blocksec Phalcon. The exploit occurred on Tuesday and appears to have been caused by unauthorized access.

The attackers reportedly targeted Bunni’s Ethereum-based smart contracts, though the exact technique is yet to be disclosed.

ALERT! Our system detected a suspicious transaction targeting @bunni_xyz ’s contract on #Ethereum, and the loss is ~$2.3M. Please take actions ASAP.

— BlockSec Phalcon (@Phalcon_xyz) September 2, 2025

Per Etherscan, the perpetrators drained funds from the platform to the address 0xE04e… 64f2b, which held Aave Ethereum USDC and Aave Ethereum USDT tokens.

Bunni Protocol Pauses all Smart Contract Functions

Soon after the initial flagging of the exploit, Bunni protocol posted on X that its team is investigating the breach.

“The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks,” said Bunni. “Our team is actively investigating and will provide updates soon.”

🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience.

— Bunni (@bunni_xyz) September 2, 2025

Bunni DEX allows users to trade crypto directly with each other, without the need for a central intermediary. The platform relies heavily on smart contracts in order to facilitate transactions.

Michael Bentley, Co-founder and CEO of Euler Labs, urged users to “remove funds from Bunni ASAP.” He added that Bunni rebalances funds in/out of Euler, assuring Euler is not affected or at risk.

Exploit Exposes Smart Contract Security Risks

Smart contracts, which work on blockchain networks, can be used for trading, managing financial transactions and more. Since they are digital, smart contract security becomes crucial.

Risks can come from various factors like code bugs, blockchain vulnerabilities, and programming language flaws, notes blockchain security auditor CertiK.

In 2023, smart contract vulnerabilities accounted for over $686 million in losses, said CertiK.

Experts from Apex, a DEX for derivatives trading, told Cryptonews that these vulnerabilities can be controlled by interacting “only with contracts audited by reputable firms.”

Further, limiting token approval permissions can prevent wallet-draining exploits, they added.