Skip to main content
Sign in

Bunni Protocol

avoid.net/bunni-protocol28/100·82% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·2UNup3…YjZ8

Summary

Bunni Protocol is a Uniswap liquidity-incentive layer developed by Timeless Finance that evolved from a Uniswap v3 LP-token wrapper (v1) to a full DEX built on Uniswap v4 hooks (v2). On September 2, 2025, Bunni v2 suffered an $8.4 million flash-loan exploit caused by a rounding-direction vulnerability in its withdrawal mechanism — a class of issue that multiple auditors had flagged in advance. The team announced permanent shutdown in October 2025, citing the inability to fund the six-to-seven-figure re-audit required for a secure relaunch.

Connected Entities

1 entities · 10 linked investigations
Protocols
Bunni Protocol
Relationships
    Also appears in
    Gamma Strategies·28BitGrail·2Lulo·68Thorchain DEX·14Crossmint·78Access Protocol·47Orca·85KuCoin Exchange Hack·32Zircon Gamma·32CryptoZoo·8
    Have evidence about Bunni Protocol?

    Timeline(10 events)

    2022-01-01

    Bunni v1 launches on Ethereum, wrapping Uniswap v3 LP NFTs into fungible ERC-20 tokens and introducing the LIT/veLIT gauge-and-bribe system.

    Bunni Docs

    2024-08-01

    Pashov Audit Group completes a Bunni v2 security review, identifying 45 issues including 6 critical findings.

    Pashov Audits GitHub

    2025-01-01

    Trail of Bits audit flags rounding and arithmetic concerns (TOB-BUNNI-13) and excess-liquidity manipulation (TOB-BUNNI-9), recommending improved rounding logic and fuzz-testing coverage.

    Rekt News — Bunni Rekt

    2025-02-01

    Bunni v2 launches on Ethereum Mainnet, Base, and Arbitrum as the first DEX built on Uniswap v4 hooks.

    Bunni X announcement

    2025-06-01

    Cyfrin audit identifies 50+ issues and warns that 'complex bugs still present' are statistically likely, advising against further scaling without additional security work. TVL surges from $2.4M to $23.9M immediately after publication.

    CryptoNews

    2025-08-19

    Bunni v2 TVL reaches a reported peak near $80 million.

    BeInCrypto

    2025-09-02

    Flash-loan exploit drains $8.4M from Bunni v2 USDC/USDT pool (Ethereum, $2.4M) and weETH/ETH pool (Unichain, $5.9M) via a rounding-direction vulnerability in BunniHubLogic::withdraw(). Attacker wallets were funded through Tornado Cash.

    QuillAudits

    2025-09-02

    Bunni team pauses all smart-contract functions within two hours of initial exploit alerts and assembles a security war room. An on-chain message offers the attacker a 10% white-hat bounty; it goes unanswered.

    Halborn

    2025-10-10

    Bunni team announces permanent shutdown on X, citing inability to fund a six-to-seven-figure secure relaunch. TVL has declined from $50.8M to $1.3M since the exploit.

    CoinDesk

    2025-10-23

    CoinDesk reports on the Bunni shutdown. The team confirms remaining treasury will be distributed to token holders (excluding team), v2 contracts relicensed to MIT, and cooperation with law enforcement is ongoing.

    CoinDesk
    Provenance & Audit Trail
    Anchored on SolanaVerify on-chain

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    full audit log →version history →

    model: claude-sonnet-4-6

    generated: 6/1/2026, 5:47:15 PM

    last updated: 6/1/2026, 5:47:20 PM

    avoid.net — verified advice for a post-truth world