Venus Protocol and Bunni DEX have both just suffered serious security incidents, causing tens of millions of dollars in losses and forcing them to temporarily suspend operations while the incidents were handled.
Venus Protocol and Bunni DEX Hacked, Loss of More Than $21 Million
Venus Protocol: Whale Loses $13.5 Million to Phishing
On the evening of September 2, Venus Protocol, one of the largest lending protocols on BNB Chain, had to suspend all operations after a “whale” lost approximately $13.5 million in Venus protocol assets, including vUSDT, vUSDC, vWETH, and vFDUSD, in a phishing attack.
We are aware of the user wallet being drained (smart contract is safe) and are actively investigating.
— Venus Protocol (@VenusProtocol) September 2, 2025
Venus is currently paused following security protocols. We will keep you all updated as soon as we know more.
Incident details
- According to security firm PeckShield, the victim unwittingly signed a malicious transaction that authorized the attacker's wallet address (0x7fd…6202a) to withdraw assets.
This transaction gave the hacker full access to the tokens in the wallet.
CertiK said the victim's wallet called the updateDelegate function, officially granting the hacker permission before the entire amount was wiped out.
- In total, the amount of assets withdrawn is estimated at $13.5 million. This is a very common form of phishing in DeFi: the attacker only needs one approve signature, then can continuously withdraw funds until the permission is revoked.
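A pre-signing check for the pattern described above, as an added example (not code from Venus, PeckShield or CertiK): it derives function selectors with a small Keccak-256 and flags calldata that grants another address rights over the signer's assets. The parameter types in `updateDelegate(address,bool)`, the names `check_calldata` and `selector`, and the `trusted` list are assumptions.

```python
def rol(v, n):  # 64-bit rotate left
    return ((v << n % 64) | (v >> (64 - n % 64))) & (2**64 - 1)

def keccak256(data: bytes) -> bytes:
    """Keccak-256 (Ethereum's hash) for inputs under one 136-byte block."""
    s = bytearray(200)
    s[:len(data)] = data
    s[len(data)] ^= 0x01          # Keccak padding, not NIST SHA-3's 0x06
    s[135] ^= 0x80
    a = [[int.from_bytes(s[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)]
         for x in range(5)]
    r = 1
    for _ in range(24):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x+4) % 5] ^ rol(c[(x+1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, a[1][0]
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, a[x][y] = a[x][y], rol(cur, (t+1)*(t+2)//2)
        for y in range(5):
            row = [a[x][y] for x in range(5)]
            for x in range(5):
                a[x][y] = row[x] ^ (~row[(x+1) % 5] & row[(x+2) % 5])
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                a[0][0] ^= 1 << ((1 << j) - 1)
    return b"".join(a[x][0].to_bytes(8, "little") for x in range(4))

def selector(sig: str) -> str:
    return keccak256(sig.encode()).hex()[:8]

# Calls that let another address move the signer's assets. The parameter
# types of updateDelegate are an assumption; the page gives only its name.
GRANTS = {selector(s): s for s in ("approve(address,uint256)",
          "setApprovalForAll(address,bool)", "updateDelegate(address,bool)")}

def check_calldata(calldata_hex: str, trusted=()):
    """Return a finding if the call grants rights to an untrusted address."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex[:2] == "0x" else calldata_hex)
    sig = GRANTS.get(raw[:4].hex())
    if sig is None:
        return None
    if len(raw) < 68:
        raise ValueError("truncated arguments for " + sig)
    grantee, value = "0x" + raw[16:36].hex(), int.from_bytes(raw[36:68], "big")
    if value == 0 or grantee in {t.lower() for t in trusted}:  # zero/false revokes
        return None
    return {"function": sig, "grantee": grantee, "unlimited": value == 2**256 - 1}
```

A wallet or signing proxy would run such a check on the raw transaction data before the signature prompt and show the grantee address in the warning.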
Response from Venus Protocol
- Immediately after the incident, Venus quickly issued an announcement in which it:
Paused the entire protocol as per security procedure.
Affirmed: “Venus is not exploited. This is a phishing attack targeting individual users. The smart contract is still safe.”
Said it had contacted the victim directly to find solutions to protect and restore the assets.
- The team stressed that if the protocol was reopened immediately, the hacker would have access to the remaining funds in the phishing wallet. Therefore, the decision to temporarily suspend operations was deemed necessary.
- In addition, Venus launched a Lightning Vote on an emergency plan for the community to support users of the protocol, which received 100% consensus. The specific plan includes:
Recovery results
- After 5 hours, Venus announced that users were allowed to adjust their positions.
- At 9:58 PM UTC, the entire protocol was reopened, including withdrawals and liquidations.
- Notably, Venus said the protocol recovered all of the lost funds by force-liquidating the hacker's wallet, that is, forcing the liquidation of the attacker's borrowing position to recover the assets.
- Immediately after the information was announced, the XVS token price plummeted to $5.84. However, thanks to the quick response of the Venus team, the price soon recovered to the $6 mark.
XVS price movement in the last 24 hours, screenshot on CoinGecko at 10:30 AM on 03/09/2025
Bunni DEX: Multichain hacked, $8.4 million in damage
On the same day, the Bunni DEX exchange had to suspend all smart contract operations after being hacked across multiple chains, costing the project about $8.4 million.
🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience.
— Bunni (@bunni_xyz) September 2, 2025
Incident details
- According to blockchain security firm CertiK, the attack targeted BunniHub, Bunni's main contract system.
- On Ethereum alone, the loss was $6 million from the USDC/USDT pool, while the ETH/weETH pool on Unichain saw another $2.3 million drained. In total, the estimated loss is $8.3–$8.4 million.
- The withdrawals were traced to two Ethereum wallets. The identity of the attacker is unknown, but on-chain analysts believe it was a deliberate exploit, not an accidental bug.
- The project team confirmed that they are closely monitoring transactions in the two wallets and sending on-chain messages directly to the hackers.
Bunni pauses all smart contracts for investigation
- Immediately after discovering the issue, the Bunni development team announced:
“The Bunni app has been impacted by a security breach. As a precautionary measure, we have suspended all smart contract functionality on all networks. Withdrawals are currently unavailable. The team is actively investigating and will provide an update as soon as possible.”
- The project also said it is working with several major security partners, including Seal 911, Hypernative, Cyfrin Audits, Impossible, and BlockSec, to set up emergency “war rooms” and diagnose the cause.
Hack results
- Since its last announcement, made about 20 hours ago, the Bunni team has said it is still actively investigating. However, the specific cause of the hack, the actual total damage, and the compensation plan for users are still unclear.
- Following the above news, BUNNI price has plunged more than 42.9% in the past 24 hours and is currently hovering around $0.006415.
BUNNI price movement in the last 24 hours, screenshot on CoinGecko at 10:40 AM on 03/09/2025
Coin68 synthesis