QuillAudits

Posted on • Originally published at quillaudits.com

Bunni V2 Hack: $8.3M Lost in Liquidity Exploit

On September 2, 2025, the Bunni V2 protocol suffered a devastating exploit, leading to losses of $2.4M on Ethereum and $5.9M on UniChain. The root cause was traced to a precision bug in BunniHook’s liquidity accounting, which allowed an attacker to systematically withdraw more tokens than intended by manipulating trade sizes.

How Bunni V2 Works

Bunni is a liquidity hook built on top of Uniswap V4. Instead of relying on Uniswap's default liquidity positions, it introduces its own Liquidity Distribution Function (LDF), which the hook uses to recompute how the pool's liquidity is distributed after every trade so that the token balances stay in the intended ratio.

However, this added layer of complexity opened the door to vulnerabilities.


The Exploit in Action

The attacker identified that precision errors in LDF calculations could be amplified by executing carefully sized swaps.

  • On Ethereum, they took a 3M USDT flash loan and performed a series of exact-input swaps on the USDC/USDT pool. Each swap ran the hook's LDF rebalancing, which rounded the resulting balance deltas in the swapper's favour. Because the error went the same way on every swap, the surplus accumulated as credits the attacker had never paid for.

  • The attacker then withdrew the inflated balances, repaid the flash loan, and funneled the stolen funds into Aave for synthetic assets.

The same strategy was later repeated on UniChain, where a 2000 WETH flash loan let the attacker siphon off 1366 WETH, which was later bridged to Ethereum.


Root Cause

The incident stemmed from a rounding and precision bug in the LDF's swap rebalancing. Because the rounding consistently favoured the swapper rather than the pool, the per-swap errors did not cancel out; they accumulated as a positive balance for the attacker. By repeatedly executing trades sized to cross the rebalancing thresholds where the truncation was largest, the attacker magnified these discrepancies and drained liquidity.
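The following is an added illustration of this bug class, written for this page; it is not Bunni's code and does not reproduce the actual LDF. It models a pool whose reserves are derived from a liquidity value and a fixed-point sqrt price (Uniswap-style math with a deliberately coarse `SCALE`, an assumption chosen so the effect is visible), and exposes one switch: whether each intermediate division rounds against the swapper or in the swapper's favour. A round-trip swap (token0 in, everything received swapped straight back) should net exactly zero in real arithmetic; with swapper-favouring rounding it nets a positive amount every time, the pool's real token0 balance falls by the same amount, and the gain depends sharply on the trade size, which is what makes "carefully sized" swaps worthwhile. All names (`Pool`, `round_trip_gain`, `drain`, `best_round_trip_size`) and the liquidity figures are hypothetical.

```python
SCALE = 10**6  # fixed-point scale for the sqrt price; deliberately coarse (assumption)


def ceil_div(a, b):
    return -(-a // b)


class Pool:
    """Toy constant-product pool whose reserves are derived from a liquidity
    value L and a fixed-point sqrt price, Uniswap-style (not Bunni's LDF).
    favour_pool=True rounds every intermediate division against the swapper
    (hardened form); favour_pool=False rounds in the swapper's favour (the
    bug class discussed above)."""

    def __init__(self, liquidity, sqrt_price, favour_pool):
        self.L = liquidity
        self.sqrt_p = sqrt_price
        self.favour_pool = favour_pool
        # Real token holdings, seeded with the reserves the math implies.
        self.bal0 = liquidity * SCALE // sqrt_price
        self.bal1 = liquidity * sqrt_price // SCALE

    def _div(self, num, den, up_favours_pool):
        # Round up exactly when doing so benefits the party the policy protects.
        if self.favour_pool == up_favours_pool:
            return ceil_div(num, den)
        return num // den

    def swap0_for_1(self, dx):
        """Exact-input swap: dx of token0 in, returns token1 paid out."""
        # p' = L*SCALE*p / (L*SCALE + dx*p); a higher new price pays out less token1.
        new_p = self._div(self.L * SCALE * self.sqrt_p,
                          self.L * SCALE + dx * self.sqrt_p, up_favours_pool=True)
        # out1 = L*(p - p')/SCALE; rounding up pays the swapper more.
        out = self._div(self.L * (self.sqrt_p - new_p), SCALE, up_favours_pool=False)
        self.sqrt_p = new_p
        self.bal0 += dx
        self.bal1 -= out
        return out

    def swap1_for_0(self, dy):
        """Exact-input swap: dy of token1 in, returns token0 paid out."""
        # p'' = p' + dy*SCALE/L; a higher new price pays out more token0.
        new_p = self._div(self.L * self.sqrt_p + dy * SCALE, self.L, up_favours_pool=False)
        # out0 = L*SCALE*(p'' - p')/(p''*p'); rounding up pays the swapper more.
        out = self._div(self.L * SCALE * (new_p - self.sqrt_p),
                        new_p * self.sqrt_p, up_favours_pool=False)
        self.sqrt_p = new_p
        self.bal1 += dy
        self.bal0 -= out
        return out


def round_trip_gain(pool, dx):
    """Swap dx of token0 in, swap everything received straight back, and
    return the swapper's net token0 change. In exact arithmetic it is 0."""
    dy = pool.swap0_for_1(dx)
    return pool.swap1_for_0(dy) - dx


def fresh_pool(favour_pool):
    # 1:1 stable pair (sqrt price == 1.0) with 1e12 units of liquidity (assumption).
    return Pool(liquidity=10**12, sqrt_price=SCALE, favour_pool=favour_pool)


def best_round_trip_size(candidates):
    """Pick the trade size whose exact post-swap price lands just above an
    integer, so flooring discards almost a whole price unit: this is what
    'carefully sized' swaps buy the attacker."""
    return max(candidates, key=lambda dx: round_trip_gain(fresh_pool(False), dx))


def drain(favour_pool, dx, rounds):
    """Repeat the round trip; return (attacker's total gain, pool's token0 deficit)."""
    pool = fresh_pool(favour_pool)
    start = pool.bal0
    total = sum(round_trip_gain(pool, dx) for _ in range(rounds))
    return total, start - pool.bal0


if __name__ == "__main__":
    dx = best_round_trip_size([10**6, 10**9, 10**10])
    print("best size:", dx)
    print("swapper-favouring rounding (gain, pool deficit):", drain(False, dx, 5))
    print("pool-favouring rounding    (gain, pool deficit):", drain(True, dx, 5))
```

With these numbers the 10**9 trade is the sweet spot: its exact post-swap price is 999000.999..., so flooring throws away almost a full price unit and inflates the token1 payout, and the return leg rounds the price back up exactly, so the state resets and the same gain can be harvested every cycle. The hardened policy loses the swapper a small amount on every round trip instead. The review check this suggests is simple to state: every division on a swap or liquidity path should carry a note saying which party rounding up favours, the chosen direction should always be the pool's, and a fuzz test should assert that any sequence of swaps leaves the swapper's net change at or below zero.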

Want the Full Breakdown?

This summary only scratches the surface. If you'd like the complete technical analysis with transaction details, attacker addresses and funds flow, we've published the full report here: 👉 Bunni V2 Exploit: Full Hack Analysis

Aftermath & Response

The Bunni team acted quickly, halting withdrawals across all chains and offering a 10% bounty to encourage the attacker to return the funds. Still, around $2.2M remains in the attacker's wallet, and the stolen ETH has already been bridged back to Ethereum.

Key Takeaway

The Bunni V2 exploit is a stark reminder that even minor logic errors in custom-built hooks on top of Uniswap V4 can escalate into multi-million-dollar losses. Protocols experimenting with new liquidity models must invest in rigorous audits and testing to identify precision, accounting, and swap-handling risks before deployment: in particular, every rounding step on the swap path should round against the user, and round-trip swap fuzzing should confirm that no sequence of trades can leave a caller with more than it started with.
