← Bunni V21 decision on this page

Audit log

Every state-changing event for Bunni V2: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

#1publishby system:backfill
2026-05-26 18:30:16Z
Score: ? → ? (no score change)
anchoranchored
chain
●mainnet-betaslot 422,338,806
sig
3YtD1TM99A8S…3CLHZNVZexplorer ↗
hash
9zeFfcifXdzT…N1jEmENKsha256 → base58
verifying row…full verify ↗
canonical bytes (6836 B) ▸
{"actor":"system:backfill","investigation_id":"9f4df275-1d5e-4903-a228-f97d5f29afd8","kind":"publish","page_slug":"bunni-v2","published_at":"2026-05-26T18:30:16.168Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Bunni V2","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://rekt.news/bunni-rekt","type":"other","url":""},{"credibility":3,"name":"https://www.quillaudits.com/blog/hack-analysis/bunni-v2-exploit","type":"other","url":""},{"credibility":3,"name":"https://www.coindesk.com/business/2025/10/23/bunni-dex-shuts-down-cites-recovery-costs-after-usd8-4m-exploit","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/345621/decentralized-exchange-bunni-pulls-the-plug-following-8-4m-flash-loan-exploit","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.com/news/bunni-hit-by-8-4m-flash-loan-exploit-rounding-error-blamed/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://rekt.news/bunni-rekt","type":"other","url":""},{"credibility":3,"name":"https://www.quillaudits.com/blog/hack-analysis/bunni-v2-exploit","type":"other","url":""},{"credibility":3,"name":"https://quillaudits.medium.com/bunni-v2-exploit-8-3m-drained-50acbdcd9e7b","type":"other","url":""},{"credibility":3,"name":"https://www.resonance.security/blog-posts/bunni-dex-hack-when-custom-liquidity-logic-pays-out-fantasy-money","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://rekt.news/bunni-rekt","type":"other","url":""},{"credibility":3,"name":"https://docs.bunni.xyz/docs/v2/audits/","type":"other","url":""},{"credibility":3,"name":"https://solodit.cyfrin.io/issues/dirty-bits-of-narrow-types-are-not-cleaned-trailofbits-none-bunni-v2-pdf","type":"other","url":""},{"credibility":3,"name":"https://www.quillaudits.com/blog/hack-analysis/bunni-v2-exploit","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://rekt.news/bunni-rekt","type":"other","url":""},{"credibility":3,"name":"https://www.coindesk.com/business/2025/10/23/bunni-dex-shuts-down-cites-recovery-costs-after-usd8-4m-exploit","type":"other","url":""},{"credibility":3,"name":"https://www.quillaudits.com/blog/hack-analysis/bunni-v2-exploit","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/345621/decentralized-exchange-bunni-pulls-the-plug-following-8-4m-flash-loan-exploit","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.coindesk.com/business/2025/10/23/bunni-dex-shuts-down-cites-recovery-costs-after-usd8-4m-exploit","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/345621/decentralized-exchange-bunni-pulls-the-plug-following-8-4m-flash-loan-exploit","type":"other","url":""},{"credibility":3,"name":"https://beincrypto.com/bunni-shutdown-defi-hack/","type":"other","url":""},{"credibility":3,"name":"https://en.coinotag.com/bunni-dex-winds-down-after-8-4m-exploit-open-sources-v2-contracts-under-mit/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://github.com/Bunniapp/bunni-v2","type":"other","url":""},{"credibility":3,"name":"https://bunni.pro/","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/bunni-v2","type":"other","url":""},{"credibility":3,"name":"https://www.bankless.com/read/bunni-v2-liquidity","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://getfailsafe.com/bunni-hack-liquidity-risks","type":"other","url":""},{"credibility":3,"name":"https://www.halborn.com/blog/post/explained-the-bunni-hack-september-2025","type":"other","url":""},{"credibility":3,"name":"https://www.dynamisllp.com/knowledge/bunni-dex-hack-lessons-learned","type":"other","url":""},{"credibility":3,"name":"https://www.onesafe.io/blog/bunni-defi-exploit-security-lessons","type":"other","url":""}]}],"sources_used":[],"summary":"Bunni V2 was a decentralized exchange and liquidity layer built on Uniswap v4, developed by Timeless Finance. On September 1-2, 2025, the protocol suffered a critical exploit draining approximately $8.4 million across Ethereum and Unichain through a rounding-direction vulnerability in its withdrawal mechanism. The team permanently shut down the protocol on October 23, 2025, citing inability to finance a secure relaunch after the exploit erased 97% of TVL.","timeline":[{"date":"2024-08-01","event":"Pashov Audit Group conducts security review of Bunni V2, identifying 45 issues including 6 critical findings.","source":""},{"date":"2025-01-01","event":"Trail of Bits completes audit of Bunni V2, explicitly flagging rounding and arithmetic error risks (findings TOB-BUNNI-13 and TOB-BUNNI-9) and recommending additional fuzzing.","source":""},{"date":"2025-06-01","event":"Cyfrin completes main audit of Bunni V2, identifying 50+ issues and recommending against deploying significant capital without a follow-up audit and stateful fuzzing suite.","source":""},{"date":"2025-07-31","event":"TVL surges from $2.4 million to $23.9 million immediately following publication of Cyfrin's audit, despite explicit warnings against scaling.","source":""},{"date":"2025-08-19","event":"Bunni V2 TVL reaches peak of approximately $80 million.","source":""},{"date":"2025-09-01","event":"Exploit begins. Attacker (primary address: 0x0C3d8fA7762Ca5225260039ab2d3990C035B458D) drains USDC/USDT pool on Ethereum (~$2.4M) and ETH/weETH pool on Unichain (~$6M) via rounding vulnerability in BunniHubLogic::withdraw(). BlockSec alerts the team; CertiK identifies the Unichain component approximately one hour later.","source":""},{"date":"2025-09-01","event":"Bunni pauses all smart contract functions approximately two hours after the initial BlockSec alert. Stolen ETH begins bridging from Unichain to Ethereum via Across Protocol in 100 ETH increments.","source":""},{"date":"2025-09-02","event":"Bunni confirms only two pools were compromised. Team offers attacker a 10% recovery bounty; offer is rejected. Stolen funds traced to Tornado Cash-funded wallets, preventing identity attribution.","source":""},{"date":"2025-10-23","event":"Bunni announces permanent shutdown. Team cites inability to afford 'six to seven figures' in relaunch costs. TVL had fallen 97.44% from $50.82M to $1.3M in the intervening month.","source":""},{"date":"2025-10-23","event":"Bunni open-sources V2 smart contracts under MIT license. Team states it will distribute approximately $2 million in remaining treasury to BUNNI, LIT, and veBUNNI token holders (excluding team).","source":""}]},"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 1746d8ee-33a3-4f3f-8bdc-8490f0a991e4

How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.