BunniXYZ Users Urged to Withdraw Funds Following $8.4M Exploit
BunniXYZ – Decentralized exchange (DEX) BunniXYZ reportedly lost $8.4 million in a liquidity-based security exploit, affecting both Unichain and Ethereum networks. On-chain security firm Hacken confirmed that $6 million of the stolen funds originated on Unichain, while $2.4 million came from Ethereum. The Unichain funds were subsequently bridged to Ethereum via the Across Protocol.
BunniXYZ confirmed the attack on Twitter, stating it had paused all smart contract activity on its network and was “actively investigating” the situation. The team assured users that updates would follow shortly.
Cross-Chain Exposure and Total Value Locked
Founded in February 2025, BunniXYZ is based on the Uniswap v4 automated market maker and primarily operates on Ethereum and Unichain. According to DeFiLlama, the DEX currently has a cross-chain Total Value Locked (TVL) of just over $50 million, down from a peak of $80 million earlier in August.
Michael Bentley, co-founder of lending protocol Euler, advised users to withdraw their funds from Bunni as a precaution. He clarified that Euler itself is not affected or at risk, despite Bunni rebalancing funds in and out of the protocol.
How Hackers Exploited the Liquidity Curve
On-chain analyst Victor Tran, co-founder of Kyber Network, explained that hackers exploited Bunni’s Liquidity Density Function (LDF)—the system responsible for calculating and rebalancing extra liquidity within the exchange. Hackers allegedly executed trades of very specific sizes, breaking the rebalancing calculations and allowing them to withdraw more tokens than they should have been able to.
BunniXYZ has not yet officially confirmed the technical details behind the exploit, leaving the full mechanism under investigation.
As the team works to restore security, this incident highlights the risks of liquidity manipulation in emerging DEX platforms and the need for robust smart contract safeguards across cross-chain environments.
