BunniXYZ Ethereum exchange suffers $2.3M breach

The BunniXYZ Ethereum exchange saw a series of unauthorized outflows. On-chain investigators identified the event as a hack, with losses of around $2.3M. 

BunniXYZ, an Ethereum decentralized exchange, has been exploited through one of its smart contracts. The hacker moved mostly stablecoins, for a total loss of $2.3M. 

Based on the transaction history, the hacker attacked USDT and USDC vaults, then moved the tokens through the Ethereum ecosystem, ending up with a mix of ETH and stablecoins. Within the first minutes, the BunniXYZ project recognized the attack against its app, closing all smart contracts. 

Soon after the hack, the exploiter continued to swap funds into ETH through other DeFi protocols. 

In the hour after the attack, the hacker did not yet move or mix the funds, except for the initial movements through DeFi protocols. The attack against BunniXYZ is part of the latest series of relatively minor hacks, stealing less than $10M. 

Even the relatively small attacks often cost the reputation of protocols and destroy new DeFi hubs. One of the most recent smart contract exploits was against BetterBank, as Cryptopolitan reported. Such attacks raise suspicions of insider jobs, or malicious code injected into Web3 by DPRK hackers. 

BunniXYZ attacked at the peak

BunniXYZ is a DEX using both Ethereum and Unichain. The new market also uses the Uniswap V4 technology to create special vaults and markets with more complex trading rules. 

As with other markets, BunniXYZ was attacked soon after reaching a local peak of value locked. At the end of August, the exchange carried up to $60M in its vaults. The market was still relatively small, after launching in February and finding its place among new DeFi protocols. 

August was also one of the most successful months for the DEX, with over $1B in volumes. The exchange was specifically building liquidity for rehypothecation, while avoiding liquidations during market downturns. The DEX liquidity was also linked to Euler Protocol for passive income.

BunniXYZ rode on the expanded volumes of Uniswap V4, as the protocol drew in over $393M to its vaults on Ethereum and $298M on Unichain.

Hacker exploited BunniXYZ liquidity calculation

Post-hack analysis showed BunniXYZ was vulnerable due to its specific liquidity recalculation contract. The DEX is a liquidity hook, using the Uniswap V4 technology. However, instead of using Uniswap’s liquidity calculation, BunniXYZ recalculates the Liquidity Distribution Function. 

The exploiter discovered the Liquidity Distribution Function could break from trades of specific sizes. This meant the smart contract would pay out more tokens from the liquidity pool than owned in reality, ending up draining the exchange. The attacker had to repeat multiple transactions to finally accrue $2.3M, then swap them out for ETH. He then ended up depositing the ETH into Aave, holding $1.33M in AethUSDC and $1M in AethUSDT based on the wallet’s final balance. 

BunniXYZ has undergone previous audits, but the LDF bug may have arrived with a later version of the exchange. The most probable cause is a precision bug, which required the hacker to perform multiple transactions to accrue a bigger balance based on the flawed recalculation.

Your crypto news deserves attention - KEY Difference Wire puts you on 250+ top sites