The BunniXYZ Ethereum exchange attack has rocked the DeFi sector, with hackers exploiting a smart contract vulnerability to drain $2.3 million in USDT and USDC.
The exploit, which quickly routed stolen funds into ETH via other decentralized protocols, has reignited debate over security flaws in emerging exchanges and raised fresh concerns about investor trust in the fast-moving DeFi landscape.
How the BunniXYZ Ethereum exchange attack unfolded
On-chain investigators quickly flagged suspicious outflows from the Ethereum-based decentralized exchange.
Within minutes, BunniXYZ developers acknowledged the breach and halted its smart contracts to prevent further losses.
Blockchain security analyst PeckShield confirmed the incident, noting that “attackers exploited a liquidity recalculation flaw unique to BunniXYZ’s design, enabling them to drain stablecoins beyond their actual pool balance.”
The BunniXYZ Ethereum exchange attack demonstrates how subtle code-level weaknesses can be weaponized, even in projects leveraging robust frameworks like Uniswap V4.
Exploiter’s moves post-hack
After draining $2.3M, the hacker swiftly swapped stolen funds for ETH before depositing them into lending protocol Aave.
Wallet analysis shows holdings of $1.33M in AethUSDC and $1M in AethUSDT remain under the exploiter’s control.
While the funds have not yet been laundered through mixing services, experts warn that such exploits often evolve into longer laundering cycles, making eventual recovery nearly impossible.
The attack occurred just as BunniXYZ was gaining traction. Launched in February, the exchange had reached $60M in total value locked (TVL) and $1B in monthly trading volume by late August.
Riding the momentum of Uniswap V4, BunniXYZ aimed to carve out a niche with advanced liquidity vaults and rehypothecation strategies.
But the BunniXYZ Ethereum exchange attack dealt a severe blow to its credibility. DeFi researcher Igor Igamberdiev commented:
“Even so-called minor hacks can erode trust overnight. Investors are unforgiving when funds are lost, no matter the size of the exploit.”
Vulnerability in liquidity distribution
Post-mortem analysis revealed the exploit stemmed from BunniXYZ’s Liquidity Distribution Function (LDF).
Unlike Uniswap V4, BunniXYZ recalculated liquidity distribution independently. The flaw allowed attackers to trigger payouts exceeding the pool’s actual reserves through specific trade sizes.
The hacker repeatedly triggered this weakness, gradually draining funds until reaching the $2.3M haul.
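The invariant at the heart of this incident, that a swap may never pay out more than the pool actually holds, is the kind of property an invariant test or an on-chain guard enforces. The following is an added example, not BunniXYZ's code: the toy pool, both payout curves and the trade sizes are constructed here, and the "flawed" curve is a hypothetical stand-in, not the real LDF. It drives the pool through tiny, zero and oversized trades and shows a reserve guard stopping an over-credited payout.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN
from typing import Callable

class InsolventPayout(Exception):
    """Raised when a computed payout exceeds the reserves the pool actually holds."""

@dataclass
class Pool:
    reserve_in: Decimal   # token the trader deposits
    reserve_out: Decimal  # token the pool pays out
    payout_fn: Callable[[Decimal, Decimal, Decimal], Decimal]  # (r_in, r_out, dx) -> dy

    def __post_init__(self) -> None:
        self.reserve_in, self.reserve_out = Decimal(self.reserve_in), Decimal(self.reserve_out)

    def swap(self, amount_in) -> Decimal:
        dx = Decimal(amount_in)
        dy = self.payout_fn(self.reserve_in, self.reserve_out, dx)
        # Solvency guard: reject any payout the tracked reserves cannot cover.
        if dy < 0 or dy > self.reserve_out:
            raise InsolventPayout(f"payout {dy} exceeds reserve {self.reserve_out}")
        self.reserve_in += dx
        self.reserve_out -= dy
        return dy

def constant_product(r_in: Decimal, r_out: Decimal, dx: Decimal) -> Decimal:
    """Uniswap-style x*y=k payout, rounded down in the pool's favour."""
    return (r_out * dx / (r_in + dx)).quantize(Decimal(1), rounding=ROUND_DOWN)

def spot_price_linear(r_in: Decimal, r_out: Decimal, dx: Decimal) -> Decimal:
    """Constructed flawed distribution (hypothetical): quotes the spot price for the
    whole trade, so an oversized trade is credited more than the pool holds."""
    return (r_out * dx / r_in).quantize(Decimal(1), rounding=ROUND_DOWN)

def check_solvency(pool: Pool, trade_sizes) -> tuple[int, int]:
    """Drive the pool with trades of varying size; return (completed, rejected)."""
    completed = rejected = 0
    for size in trade_sizes:
        try:
            pool.swap(size)
            completed += 1
        except InsolventPayout:
            rejected += 1
        assert pool.reserve_in >= 0 and pool.reserve_out >= 0  # conservation invariant
    return completed, rejected

if __name__ == "__main__":
    print(check_solvency(Pool(1000, 1000, constant_product), [1, 0, 10**6]))  # (3, 0)
    print(check_solvency(Pool(1000, 1000, spot_price_linear), [500, 5000]))   # (1, 1)
```

The sound curve completes every trade because its payout is bounded by the reserves by construction; the flawed curve is allowed the first trade and stopped by the guard on the oversized one, which is the behaviour an edge-case test should surface before deployment.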
The BunniXYZ Ethereum exchange attack is part of a worrying trend. While not as large as the $197M Euler hack or the $100M Harmony Bridge exploit, even sub-$10M attacks can devastate smaller platforms.
Recent cases, such as the BetterBank exploit, suggest attackers are increasingly targeting emerging protocols with unique mechanics — testing boundaries for novel vulnerabilities.
Some experts speculate that state-sponsored actors, including North Korean-linked Lazarus Group, may be probing DeFi ecosystems with such smaller attacks.
DeFi community reaction over the attack
The BunniXYZ Ethereum exchange attack sparked debates across the crypto community. Industry voices stressed the need for rigorous smart contract audits and formal verification of liquidity mechanisms.
“DeFi innovation often comes at the cost of security,” noted Hugh Brooks, Director of Security at CertiK. “Every new hook, vault, or liquidity calculation must be tested against edge cases. Otherwise, we’ll keep seeing these attacks.”
What’s next for BunniXYZ after the attack
BunniXYZ has yet to release a detailed recovery plan but has promised transparency in investigating the attack. Whether users will be compensated remains uncertain.
Historically, most protocols in similar situations have struggled to restore confidence without significant external support.
The BunniXYZ Ethereum exchange attack may serve as a sobering reminder: while innovation in DeFi brings powerful tools, security remains its Achilles’ heel.
Until these vulnerabilities are systematically addressed, investors face the ever-present risk of waking up to news that another platform has been drained overnight.