The decentralized finance (DeFi) protocol Bunni DEX has officially ceased operations following a significant security breach. The team behind the project, Timeless, announced the permanent shutdown after a flash loan attack drained the protocol of its funds, leaving liquidity providers with substantial losses.

The decision to close the platform was communicated to the community after attempts to recover the stolen assets proved unsuccessful. The development team had tried to negotiate with the attacker for a potential return of the funds, but no agreement was reached, leading to the conclusion that the protocol could not be salvaged.

Details of the Security Exploit

The attack on Bunni DEX was executed using a flash loan, a common vector for exploits in the DeFi space. The attacker leveraged this uncollateralized loan to manipulate the protocol’s price oracles. The core vulnerability resided in the way Bunni processed price updates from Uniswap V3’s time-weighted average price (TWAP) oracles.

By manipulating the price feed, the attacker was able to drain the protocol’s liquidity pools. This method effectively tricked the smart contracts into undervaluing assets, allowing the hacker to extract them at a fraction of their market value, thereby depleting the platform’s resources.

Protocol Shutdown and Impact on Users

In the aftermath of the exploit, the Timeless team confirmed that the protocol was fully drained. With no viable path to recovery or to reimbursing affected users, the decision was made to shut down the Bunni DEX platform permanently. The front-end user interface was also taken offline as part of the decommissioning process.

The shutdown notice confirmed that the exploit resulted in significant financial losses for users who had provided liquidity to the exchange. The event underscores the persistent security risks associated with DeFi protocols and the direct impact such vulnerabilities can have on user funds.