The decentralized exchange is ceasing operations, citing the multimillion-dollar cost of a secure relaunch as an insurmountable barrier after a September hack.

The decentralized exchange (DEX) Bunni has announced its permanent shutdown, a direct consequence of an $8.4 million exploit that occurred last month. The development team stated that the capital required for a secure relaunch, including audit and monitoring expenses estimated in the six to seven-figure range, was beyond their means.

The decision was announced on Wednesday, with the team explaining that the financial and developmental effort to bring Bunni back to its pre-hack status was not feasible. “It’d also take months of development & BD effort just to get Bunni back to where it was before the exploit, which we cannot afford,” the team stated.

Anatomy of the Attack

The September hack drained approximately $8.4 million from two of the platform’s liquidity pools: weETH/ETH on Unichain and USDC/USDT on Ethereum. According to Bunni’s post-mortem report, the attacker exploited the platform’s Liquidity Density Function through a sophisticated combination of flash loans and a sandwich attack.

Flash loans allow for borrowing massive sums of capital without collateral, provided the loan is repaid within the same transaction block. The attacker used these funds to manipulate the spot price in the USDC/USDT pool before executing a large number of tiny withdrawals that capitalized on rounding errors in the protocol’s logic.

Kadan Stadelmann, Chief Technology Officer at Komodo Platform, commented on the incident, telling Decrypt, “This hack shows the industry in no uncertain terms that custom liquidity logic needs exhaustive testing, as flash loans introduce low-risk exploits.”

Shutdown and Next Steps

While operations are winding down, Bunni has assured users they can continue to withdraw their funds through the website. The team is also finalizing the legal process to distribute the remaining treasury assets to BUNNI, LIT, and veBUNNI token holders based on a snapshot, explicitly excluding its own members from the payout.

In an attempt to recover the stolen funds, Bunni sent an on-chain message to the attacker offering a 10% bounty for the return of the remaining 90%. The offer went unanswered. The team continues to work with law enforcement on the matter.

Despite the shutdown, Bunni’s technological contributions will live on. The team has relicensed its v2 smart contracts from BUSL to the more permissive MIT license. This move makes its innovations, such as Liquidity Density Functions and autonomous rebalancing, available for any project in the Decentralized Finance (DeFi) ecosystem to use.

The Bunni exploit adds to a troubling trend in 2025. According to blockchain analytics firm Elliptic, hackers have already stolen over $2 billion in digital assets this year, with North Korea-linked groups responsible for the majority of the losses in what is becoming a record-breaking year for crypto theft.