Overview
- Users can still withdraw through the website, with a snapshot-based treasury distribution planned for BUNNI, LIT, and veBUNNI holders pending legal review and excluding the team.
- The September 2 attack exploited the Liquidity Distribution/Density Function across Ethereum and Unichain using flash loans, numerous tiny withdrawals, and a sandwich-style sequence.
- Earlier audits by Trail of Bits and Cyfrin did not catch what the team described as a logic-level flaw rather than an implementation bug.
- Bunni relicensed its v2 smart contracts from BUSL to MIT, making features such as LDFs, surge fees, and autonomous rebalancing available to other developers.
- A 10% bounty offer for the return of funds went unanswered, and the team says it is working with law enforcement to track the exploiter and pursue recovery.