Bunni V2

2024-08-01

Pashov Audit Group conducts security review of Bunni V2, identifying 45 issues including 6 critical findings.

2025-01-01

Trail of Bits completes audit of Bunni V2, explicitly flagging rounding and arithmetic error risks (findings TOB-BUNNI-13 and TOB-BUNNI-9) and recommending additional fuzzing.

2025-06-01

Cyfrin completes main audit of Bunni V2, identifying 50+ issues and recommending against deploying significant capital without a follow-up audit and stateful fuzzing suite.

2025-07-31

TVL surges from $2.4 million to $23.9 million immediately following publication of Cyfrin's audit, despite explicit warnings against scaling.

2025-08-19

Bunni V2 TVL reaches peak of approximately $80 million.

2025-09-01

Exploit begins. Attacker (primary address: 0x0C3d8fA7762Ca5225260039ab2d3990C035B458D) drains USDC/USDT pool on Ethereum (~$2.4M) and ETH/weETH pool on Unichain (~$6M) via rounding vulnerability in BunniHubLogic::withdraw(). BlockSec alerts the team; CertiK identifies the Unichain component approximately one hour later.

2025-09-01

Bunni pauses all smart contract functions approximately two hours after the initial BlockSec alert. Stolen ETH begins bridging from Unichain to Ethereum via Across Protocol in 100 ETH increments.

2025-09-02

Bunni confirms only two pools were compromised. Team offers attacker a 10% recovery bounty; offer is rejected. Stolen funds traced to Tornado Cash-funded wallets, preventing identity attribution.

2025-10-23

Bunni announces permanent shutdown. Team cites inability to afford 'six to seven figures' in relaunch costs. TVL had fallen 97.44% from $50.82M to $1.3M in the intervening month.

2025-10-23

Bunni open-sources V2 smart contracts under MIT license. Team states it will distribute approximately $2 million in remaining treasury to BUNNI, LIT, and veBUNNI token holders (excluding team).