Bunni Protocol
1 decision on this page

Audit log

Every state-changing event for Bunni Protocol: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-01 17:47:20Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 423,640,159
    sig: 2UNup3nLvtG3…3SeTYjZ8 (explorer ↗)
    hash: 8CdRtwmxrDge…v2yfYAwt (sha256 → base58)
    row integrity: verifying row… (full verify ↗)
    canonical bytes (18933 B):
    {"actor":"system:backfill","investigation_id":"02b3a7ef-82a4-4774-be3b-e9477ae03a55","kind":"publish","page_slug":"bunni-protocol","published_at":"2026-06-01T17:47:20.194Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Bunni Protocol","sections":[{"content":"Bunni was created by Timeless Finance, a DeFi development group led pseudonymously by Zefram Lou (GitHub: ZeframLou, handle: boredGenius / zefram.eth). Bunni v1, launched in 2022, wrapped Uniswap v3 NFT positions into fungible ERC-20 LP tokens, enabling them to plug into existing Curve-style gauge and bribe infrastructure. The protocol introduced LIT (Liquidity Incentive Token) and veLIT — a vote-escrowed governance token that directed emissions to gauges — mirroring the Curve Wars flywheel. Bunni v2 launched on Ethereum, Base, and Arbitrum on or around February 2025 as the first DEX built atop Uniswap v4 hooks. Its key innovations included Liquidity Distribution Functions (LDFs) for custom liquidity shapes, rehypothecation of idle assets to Aave and Yearn, surge fees for MEV protection, and autonomous rebalancing. By August 2025 TVL had grown from approximately $2.2 million to a reported peak near $80 million.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":1,"name":"Bunni Docs — Introduction","type":"official","url":"https://docs.bunni.pro/docs/intro/"},{"credibility":1,"name":"GitHub — ZeframLou/bunni","type":"official","url":"https://github.com/ZeframLou/bunni"},{"credibility":2,"name":"Bunni v2 launch announcement on X","type":"official","url":"https://x.com/bunni_xyz/status/1885489587541385231"},{"credibility":2,"name":"IQ.wiki — Bunni","type":"news","url":"https://iq.wiki/wiki/bunni"}]},{"content":"On September 2, 2025, an attacker drained approximately $8.4 million from two Bunni v2 pools: the USDC/USDT pool on Ethereum ($2.4M) and the weETH/ETH pool on Unichain ($5.9M). The exploit involved a multi-phase attack. 
First, the attacker obtained a 3 million USDT flash loan from Uniswap v3 and executed a series of exact-input swaps to manipulate the USDC/USDT pool spot price to extreme levels. Second, 44 consecutive tiny withdrawals were processed that exploited a rounding-direction vulnerability in BunniHubLogic::withdraw() — the idle USDC balance was reduced by 85.7% (from 28 wei to 4 wei) despite burning only minimal liquidity shares, causing total pool liquidity to drop by roughly 84.4%. Third, large sandwiching swaps at the artificially depressed liquidity level extracted disproportionate value before the attacker repaid the flash loan. Stolen funds were deposited into Aave (receiving aTokens) and 1,366 WETH was bridged from Unichain to Ethereum via the Across protocol. The attacker's wallets were funded through Tornado Cash. Security firm CertiK identified the two Ethereum wallets holding stolen funds. Bunni paused all smart-contract functions approximately two hours after initial alerts.","heading":"September 2025 Flash-Loan Exploit ($8.4M)","severity":"critical","sources":[{"credibility":2,"name":"QuillAudits — Bunni V2 Exploit: $8.3M Drained via Liquidity Flaw","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/bunni-v2-exploit"},{"credibility":2,"name":"Halborn — Explained: The Bunni Hack (September 2025)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-bunni-hack-september-2025"},{"credibility":1,"name":"The Block — Bunni cites smart contract rounding error for $8.4 million flash loan exploit","type":"news","url":"https://www.theblock.co/post/369564/bunni-smart-contract-rounding-error"},{"credibility":2,"name":"Decrypt — Decentralized Exchange Bunni Pulls the Plug Following $8.4M Flash Loan Exploit","type":"news","url":"https://decrypt.co/345621/decentralized-exchange-bunni-pulls-the-plug-following-8-4m-flash-loan-exploit"},{"credibility":2,"name":"Rekt News — Bunni 
Rekt","type":"research","url":"https://rekt.news/bunni-rekt"},{"credibility":2,"name":"CryptoNews — Bunni Hit by $8.4M Flash-Loan Exploit","type":"news","url":"https://cryptonews.com/news/bunni-hit-by-8-4m-flash-loan-exploit-rounding-error-blamed/"}]},{"content":"Bunni v2 underwent multiple third-party security audits prior to launch and scaling, yet the vulnerability that caused the September 2025 exploit was not remediated. The Pashov Audit Group conducted a review in August–September 2024 and identified 45 issues including 6 critical findings. Trail of Bits completed an audit in January 2025 and explicitly flagged rounding and arithmetic concerns under finding TOB-BUNNI-13, described as a 'lack of systematic approach to rounding and arithmetic errors,' and TOB-BUNNI-9, which covered excess-liquidity manipulation. Trail of Bits reportedly recommended fixing rounding logic and increasing fuzz-testing coverage. Cyfrin conducted a primary audit in June 2025, identifying over 50 issues; their report noted it was 'statistically likely that there are more complex bugs still present' and explicitly recommended that Bunni not scale further without additional security work. A second Cyfrin review in July 2025 covered only the fee mechanism. Despite these recommendations, Bunni's TVL surged from roughly $2.4 million to $23.9 million in the immediate aftermath of the June 2025 Cyfrin audit, indicating that growth was prioritized over the auditors' cautionary guidance. 
The rounding-direction logic flaw that enabled the September 2025 attack was not caught in time by any of the auditing firms, even though the category of risk had been flagged.","heading":"Audit History and Pre-Exploit Warnings","severity":"high","sources":[{"credibility":2,"name":"Rekt News — Bunni Rekt (audit timeline)","type":"research","url":"https://rekt.news/bunni-rekt"},{"credibility":2,"name":"CryptoNews — Bunni Hit by $8.4M Flash-Loan Exploit (audit history)","type":"news","url":"https://cryptonews.com/news/bunni-hit-by-8-4m-flash-loan-exploit-rounding-error-blamed/"},{"credibility":2,"name":"Pashov Audit Group — Bunni Security Review August 2024","type":"research","url":"https://github.com/pashov/audits/blob/master/team/md/Bunni-security-review-August.md"},{"credibility":3,"name":"Ainvest — The Bunni $8.4M Exploit: A Cautionary Tale for DeFi Innovation","type":"news","url":"https://www.ainvest.com/news/bunni-8-4m-exploit-cautionary-tale-defi-innovation-2509/"}]},{"content":"On October 10, 2025, Bunni's team announced permanent closure via a post on X. The team cited the prohibitive cost of a secure relaunch — estimated at six to seven figures in audit and monitoring expenses alone — combined with months of additional development and business-development effort, as costs they 'cannot afford.' Following the exploit, TVL fell from a reported $50.8 million to approximately $1.3 million, a decline of roughly 97%. As part of the wind-down: withdrawals remained open on the protocol's website; remaining treasury funds were committed to be distributed to BUNNI, LIT, and veBUNNI token holders (excluding the team); the v2 smart contracts were relicensed to MIT and open-sourced, including features such as Liquidity Distribution Functions, surge fees, and automated rebalancing; and the team stated it is cooperating with law enforcement to identify and pursue the attacker. 
An on-chain message offering the attacker a 10% bounty in exchange for return of the remaining 90% was sent but went unanswered. CoinDesk reported the shutdown on October 23, 2025.","heading":"Protocol Shutdown and Wind-Down","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk — Bunni DEX Shuts Down, Cites Recovery Costs After $8.4M Exploit","type":"news","url":"https://www.coindesk.com/business/2025/10/23/bunni-dex-shuts-down-cites-recovery-costs-after-usd8-4m-exploit"},{"credibility":2,"name":"Decrypt — Bunni Pulls the Plug Following $8.4M Flash Loan Exploit","type":"news","url":"https://decrypt.co/345621/decentralized-exchange-bunni-pulls-the-plug-following-8-4m-flash-loan-exploit"},{"credibility":2,"name":"BeInCrypto — Bunni Exchange Closes Doors After $8.4 Million Hack","type":"news","url":"https://beincrypto.com/bunni-shutdown-defi-hack/"},{"credibility":2,"name":"CoinLaw — Uniswap V4-Based Bunni DEX Shuts Down After Devastating Exploit","type":"news","url":"https://coinlaw.io/bunni-dex-shutdown-after-8-4m-exploit/"}]},{"content":"Bunni was developed by Timeless Finance. The primary developer and apparent founder operates under the pseudonym Zefram Lou, also known by the handles ZeframLou (GitHub), boredGenius (X), and the ENS address zefram.eth. Zefram Lou's prior ventures include Sudoswap (an NFT AMM) and Betoken (an autonomous crypto hedge fund). No legal name has been publicly disclosed for the lead developer, and the broader team composition is not transparently documented. Operating under a pseudonymous identity is a recognized risk factor in DeFi, as accountability and legal recourse are limited if funds are lost. 
The pseudonymous structure did not appear to impede the team's cooperation with law enforcement following the exploit.","heading":"Team and Founder Identity","severity":"medium","sources":[{"credibility":2,"name":"GitHub — ZeframLou profile","type":"official","url":"https://github.com/ZeframLou"},{"credibility":2,"name":"RootData — Zefram Lou Introduction and Work History","type":"research","url":"https://www.rootdata.com/member/Zefram%20Lou?k=MTAwMTA%3D"},{"credibility":3,"name":"CypherHunter — Timeless Finance","type":"research","url":"https://www.cypherhunter.com/en/p/timeless-finance/"}]},{"content":"Bunni v1 introduced a Curve Wars-style incentive flywheel built on Uniswap v3. The native token LIT (Liquidity Incentive Token) could be vote-escrowed as veLIT (by locking the Balancer 80LIT-20WETH LP token) in exchange for boosted emission rewards of up to 10x and voting rights over gauge weights. External protocols could bribe veLIT holders to direct emissions toward their pools. In place of direct LIT emissions, Bunni distributed oLIT — a non-expiring call option allowing holders to purchase LIT from the treasury at a governance-set discount (50% as of December 2023). This mechanism was designed to build a protocol cash reserve and reward longer-term participants. Bunni v2 expanded the economic model with surge fees, rehypothecation yield from Aave and Yearn integration, am-AMM auction mechanisms, and auto-compounding. 
These features contributed to rapid TVL growth in mid-2025 but also increased the attack surface for economic exploits.","heading":"Tokenomics and Incentive Mechanism","severity":"medium","sources":[{"credibility":1,"name":"Bunni Docs — What is Bunni?","type":"official","url":"https://docs.bunni.pro/docs/intro/"},{"credibility":3,"name":"Mirror — How Bunni uses bribes and gauges on Uniswap v3 to incentivize liquidity","type":"research","url":"https://mirror.xyz/0x565D380416a2889b817C6Eb493f6DeeF029212Aa/6NuYiGnEF6NOgsx9QiLmkgGcdsV5nqnof0uPsw-Uw8E"},{"credibility":3,"name":"Medium — Decoding Bunni: The Future of Liquidity Provisioning in DeFi","type":"research","url":"https://golubevsergey.medium.com/decoding-bunni-the-future-of-liquidity-provisioning-in-defi-208ce3ab0ac2"},{"credibility":2,"name":"Bankless — Getting Started with Bunni v2","type":"news","url":"https://www.bankless.com/read/bunni-v2-liquidity"}]},{"content":"The Bunni exploit is among the larger DeFi hacks of 2025 and illustrates several recurring risk patterns. Multiple independent auditors identified arithmetic and rounding issues as concerns before the September 2025 attack; the protocol scaled aggressively rather than following explicit recommendations to conduct additional security work. The use of Tornado Cash-funded wallets by the attacker hampered on-chain fund recovery. The protocol's rapid TVL growth — from under $3 million to nearly $80 million in roughly three months — outpaced its security maturity. The decision to prioritize protocol growth over auditor guidance, and to build novel financial primitives (Liquidity Distribution Functions, rehypothecation) on a newly launched infrastructure layer (Uniswap v4), compounded the technical risk. 
The protocol is permanently shut down as of October 2025; no recovery of stolen funds has been publicly confirmed.","heading":"Broader DeFi Context and Risk Assessment","severity":"high","sources":[{"credibility":1,"name":"CoinDesk — Bunni DEX Shuts Down","type":"news","url":"https://www.coindesk.com/business/2025/10/23/bunni-dex-shuts-down-cites-recovery-costs-after-usd8-4m-exploit"},{"credibility":2,"name":"Yellow.com — Why DEX Exploits Cost $3.1B in 2025","type":"research","url":"https://yellow.com/research/why-dex-exploits-cost-dollar31b-in-2025-analysis-of-12-major-hacks"},{"credibility":2,"name":"Dynamis LLP — Bunni DEX Attack: Analyzing the $8.4M Flash-Loan Exploit","type":"research","url":"https://www.dynamisllp.com/knowledge/bunni-dex-hack-lessons-learned"}]}],"sources_used":[{"name":"Bunni Docs — Introduction","type":"official","url":"https://docs.bunni.pro/docs/intro/"},{"name":"GitHub — ZeframLou/bunni","type":"official","url":"https://github.com/ZeframLou/bunni"},{"name":"GitHub — Bunniapp/bunni-v2","type":"official","url":"https://github.com/Bunniapp/bunni-v2"},{"name":"CoinDesk — Bunni DEX Shuts Down","type":"news_article","url":"https://www.coindesk.com/business/2025/10/23/bunni-dex-shuts-down-cites-recovery-costs-after-usd8-4m-exploit"},{"name":"The Block — Bunni smart contract rounding error","type":"news_article","url":"https://www.theblock.co/post/369564/bunni-smart-contract-rounding-error"},{"name":"Decrypt — Bunni Pulls the Plug","type":"news_article","url":"https://decrypt.co/345621/decentralized-exchange-bunni-pulls-the-plug-following-8-4m-flash-loan-exploit"},{"name":"Rekt News — Bunni Rekt","type":"research","url":"https://rekt.news/bunni-rekt"},{"name":"QuillAudits — Bunni V2 Exploit Analysis","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/bunni-v2-exploit"},{"name":"Halborn — Explained: The Bunni 
Hack","type":"research","url":"https://www.halborn.com/blog/post/explained-the-bunni-hack-september-2025"},{"name":"Pashov Audit Group — Bunni Security Review August 2024","type":"research","url":"https://github.com/pashov/audits/blob/master/team/md/Bunni-security-review-August.md"},{"name":"CryptoNews — Bunni $8.4M Flash-Loan Exploit","type":"news_article","url":"https://cryptonews.com/news/bunni-hit-by-8-4m-flash-loan-exploit-rounding-error-blamed/"},{"name":"BeInCrypto — Bunni Exchange Closes Doors","type":"news_article","url":"https://beincrypto.com/bunni-shutdown-defi-hack/"},{"name":"RootData — Zefram Lou","type":"other","url":"https://www.rootdata.com/member/Zefram%20Lou?k=MTAwMTA%3D"},{"name":"IQ.wiki — Bunni","type":"other","url":"https://iq.wiki/wiki/bunni"},{"name":"Bankless — Getting Started with Bunni v2","type":"news_article","url":"https://www.bankless.com/read/bunni-v2-liquidity"},{"name":"Auditless Research — Bunni: How To Build a Leading Uniswap v4 Hook","type":"research","url":"https://research.auditless.com/p/bunni-how-to-build-a-leading-uniswap"},{"name":"Yellow.com — DEX Exploits $3.1B in 2025","type":"research","url":"https://yellow.com/research/why-dex-exploits-cost-dollar31b-in-2025-analysis-of-12-major-hacks"}],"summary":"Bunni Protocol is a Uniswap liquidity-incentive layer developed by Timeless Finance that evolved from a Uniswap v3 LP-token wrapper (v1) to a full DEX built on Uniswap v4 hooks (v2). On September 2, 2025, Bunni v2 suffered an $8.4 million flash-loan exploit caused by a rounding-direction vulnerability in its withdrawal mechanism — a class of issue that multiple auditors had flagged in advance. 
The team announced permanent shutdown in October 2025, citing the inability to fund the six-to-seven-figure re-audit required for a secure relaunch.","timeline":[{"date":"2022-01-01","event":"Bunni v1 launches on Ethereum, wrapping Uniswap v3 LP NFTs into fungible ERC-20 tokens and introducing the LIT/veLIT gauge-and-bribe system.","source":"Bunni Docs","source_url":"https://docs.bunni.pro/docs/intro/"},{"date":"2024-08-01","event":"Pashov Audit Group completes a Bunni v2 security review, identifying 45 issues including 6 critical findings.","source":"Pashov Audits GitHub","source_url":"https://github.com/pashov/audits/blob/master/team/md/Bunni-security-review-August.md"},{"date":"2025-01-01","event":"Trail of Bits audit flags rounding and arithmetic concerns (TOB-BUNNI-13) and excess-liquidity manipulation (TOB-BUNNI-9), recommending improved rounding logic and fuzz-testing coverage.","source":"Rekt News — Bunni Rekt","source_url":"https://rekt.news/bunni-rekt"},{"date":"2025-02-01","event":"Bunni v2 launches on Ethereum Mainnet, Base, and Arbitrum as the first DEX built on Uniswap v4 hooks.","source":"Bunni X announcement","source_url":"https://x.com/bunni_xyz/status/1885489587541385231"},{"date":"2025-06-01","event":"Cyfrin audit identifies 50+ issues and warns that 'complex bugs still present' are statistically likely, advising against further scaling without additional security work. TVL surges from $2.4M to $23.9M immediately after publication.","source":"CryptoNews","source_url":"https://cryptonews.com/news/bunni-hit-by-8-4m-flash-loan-exploit-rounding-error-blamed/"},{"date":"2025-08-19","event":"Bunni v2 TVL reaches a reported peak near $80 million.","source":"BeInCrypto","source_url":"https://beincrypto.com/bunni-shutdown-defi-hack/"},{"date":"2025-09-02","event":"Flash-loan exploit drains $8.4M from Bunni v2 USDC/USDT pool (Ethereum, $2.4M) and weETH/ETH pool (Unichain, $5.9M) via a rounding-direction vulnerability in BunniHubLogic::withdraw(). 
Attacker wallets were funded through Tornado Cash.","source":"QuillAudits","source_url":"https://www.quillaudits.com/blog/hack-analysis/bunni-v2-exploit"},{"date":"2025-09-02","event":"Bunni team pauses all smart-contract functions within two hours of initial exploit alerts and assembles a security war room. An on-chain message offers the attacker a 10% white-hat bounty; it goes unanswered.","source":"Halborn","source_url":"https://www.halborn.com/blog/post/explained-the-bunni-hack-september-2025"},{"date":"2025-10-10","event":"Bunni team announces permanent shutdown on X, citing inability to fund a six-to-seven-figure secure relaunch. TVL has declined from $50.8M to $1.3M since the exploit.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2025/10/23/bunni-dex-shuts-down-cites-recovery-costs-after-usd8-4m-exploit"},{"date":"2025-10-23","event":"CoinDesk reports on the Bunni shutdown. The team confirms remaining treasury will be distributed to token holders (excluding team), v2 contracts relicensed to MIT, and cooperation with law enforcement is ongoing.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2025/10/23/bunni-dex-shuts-down-cites-recovery-costs-after-usd8-4m-exploit"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 0ab1a8b4-652d-4044-949b-41cb752d77c0
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
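
The row-integrity and memo checks described above, as an added Python example (not avoid.net's verifier and not the `src.verify_decision` code). It assumes the stored hash is the Bitcoin-alphabet base58 encoding of the raw SHA-256 digest and that the memo carries that string; the sample row, hash and memo are constructed.

```python
import hashlib
import hmac
import json

# Bitcoin/Solana base58 alphabet (assumed encoding behind "sha256 → base58").
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode raw bytes, keeping each leading zero byte as '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def row_hash(canonical: bytes) -> str:
    """base58(SHA-256(canonical bytes)), over the bytes exactly as served."""
    return b58encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str) -> bool:
    """Row integrity: recompute the hash locally and compare with the stored one."""
    return hmac.compare_digest(row_hash(canonical), stored_hash)


def verify_anchor(canonical: bytes, memo_text: str) -> bool:
    """Full verify: the locally recomputed hash must appear in the on-chain memo.
    memo_text is what you fetched from an RPC node of your choice; the memo
    layout is not given on the page, so only substring presence is checked."""
    return row_hash(canonical) in memo_text


# Constructed sample row (not real data): compact, sorted keys, raw UTF-8.
SAMPLE = '{"actor":"system:backfill","kind":"publish","note":"café","v":1}'.encode("utf-8")
STORED = row_hash(SAMPLE)              # stands in for the published hash
MEMO = "constructed-memo:" + STORED    # stands in for the memo contents

if __name__ == "__main__":
    print("row integrity:", verify_row(SAMPLE, STORED))
    print("anchored:", verify_anchor(SAMPLE, MEMO))
    # A single changed byte fails the check.
    tampered = SAMPLE.replace(b'"v":1', b'"v":2')
    print("tampered row:", verify_row(tampered, STORED))
    # Parsing and re-serialising changes the bytes (spacing, \u escapes), so a
    # verifier must hash the served bytes, never a re-encoded copy.
    reencoded = json.dumps(json.loads(SAMPLE)).encode("utf-8")
    print("re-encoded row:", verify_row(reencoded, STORED))
```

The last check is the practical caveat: a row that was copied through a JSON parser or an editor that normalises whitespace will fail verification even though nothing was tampered with.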