DeFi Security: $30M Phishing Attack & $8.4M DEX Exploit
DeFi Hit by Dual Security Incidents: Phishing and Exploit
The decentralized finance (DeFi) space has been rocked by two separate security incidents, highlighting the ongoing risks for users and protocols alike. A user of Venus Protocol lost approximately $30 million in assets due to a sophisticated phishing scam, while Bunni, a DEX built on Uniswap v4, experienced an exploit resulting in losses of over $8.4 million.
Venus Protocol User Falls Victim to Phishing Scam
Initial speculation suggested a protocol hack on Venus Protocol. However, blockchain security analysts at Cyvers clarified that the incident stemmed from a user-side error, not a vulnerability in the Venus Protocol itself.
Details of the Attack
The attacker tricked the user into approving a malicious transaction that granted an unlimited token allowance (approval), which let the attacker transfer assets out of the compromised wallet. The stolen tokens included:
- $19.8 million in vUSDT
- $7.15 million in vUSDC
- $146,000 in vXRP
- $22,000 in vETH
- 285 BTCB
DeFi analyst Ignas confirmed that Venus Protocol functioned as intended. The exploit leveraged pre-approved authorizations from the user's wallet.
The crypto community is reiterating the importance of revoking approvals regularly, avoiding suspicious links, and utilizing hardware wallets for enhanced security.
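As an added illustration of the two habits mentioned above (this is not code from the article, from Venus Protocol or from Cyvers), the check below decodes raw ERC-20 `approve(address,uint256)` calldata so a wallet prompt or a cautious user can flag an unlimited allowance to an unknown spender before signing, and builds the zero-amount approval that revokes an existing allowance. The selector is the standard ERC-20 one; the spender address, the trusted-spender list and the "unlimited" threshold are constructed assumptions.

```python
from typing import Optional

# keccak256("approve(address,uint256)")[:4] -- the standard ERC-20 selector
APPROVE_SELECTOR = "095ea7b3"
# Assumption: allowances at or above this are treated as "unlimited"; many
# drainers request 2**256-1, but any value far above a real balance is suspect.
UNLIMITED_THRESHOLD = 2**128


def decode_approve(calldata: str) -> Optional[dict]:
    """Return {spender, amount, unlimited} for approve() calldata, else None."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    # 4-byte selector + two 32-byte ABI words = 136 hex characters
    if len(data) != 136 or data[:8] != APPROVE_SELECTOR:
        return None
    word_spender, word_amount = data[8:72], data[72:136]
    if word_spender[:24] != "0" * 24:  # an address must be left-padded with zeros
        return None
    amount = int(word_amount, 16)
    return {
        "spender": "0x" + word_spender[24:],
        "amount": amount,
        "unlimited": amount >= UNLIMITED_THRESHOLD,
    }


def assess_approval(calldata: str, trusted_spenders: set) -> str:
    """Classify a pending approval as 'ok', 'warn' or 'block' for a signing prompt."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return "ok"  # not an approve() call; other checks apply
    known = decoded["spender"] in {s.lower() for s in trusted_spenders}
    if decoded["unlimited"] and not known:
        return "block"  # unlimited allowance to an unknown contract: classic drainer
    if decoded["unlimited"] or not known:
        return "warn"
    return "ok"


def build_revoke_calldata(spender: str) -> str:
    """approve(spender, 0): the transaction that revokes an existing allowance."""
    addr = spender.lower()[2:] if spender.lower().startswith("0x") else spender.lower()
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


# Constructed sample: a drainer asking for an unlimited allowance (placeholder address)
DRAINER = "0x" + "ab" * 20
SAMPLE_UNLIMITED = "0x" + APPROVE_SELECTOR + "0" * 24 + "ab" * 20 + "f" * 64
```

Calling `assess_approval(SAMPLE_UNLIMITED, set())` returns "block", and feeding `build_revoke_calldata(DRAINER)` back through `decode_approve` shows an allowance of 0.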
According to Hakan Unal, Senior Security Operation Lead at Cyvers, “This incident demonstrates that even experienced DeFi users remain vulnerable to sophisticated phishing schemes. By tricking the victim into granting token approvals, the attacker was able to drain $27M from a Venus Protocol in a single transaction.”
Bunni DEX Exploited for $8.4 Million
In a separate incident, Bunni, a decentralized exchange (DEX) on Uniswap v4, suffered a genuine protocol-level exploit. This resulted in a loss of over $8.4 million across Ethereum and UniChain.
Bunni's Response
Bunni has paused all smart contract functions across its networks while investigating the exploit.
Technical Details
GoPlus Security identified the exploit's origin in weaknesses within Bunni’s custom Liquidity Distribution Function (LDF). Blockchain developer Victor Tran explained that the attacker manipulated the liquidity curve with carefully sized trades, triggering miscalculations during liquidity rebalancing.
This allowed the attacker to withdraw more tokens than permitted, effectively draining liquidity pools. While Bunni's hook was compromised, Uniswap v4 itself remained unaffected.
Key Takeaways
These incidents highlight the critical need for both user education and robust protocol security in DeFi. The Venus Protocol case emphasizes the human element, while the Bunni exploit underscores the risks associated with novel and complex mechanisms.
As the DeFi sector grows, vigilance and rigorous security practices are essential. For developers, thorough audits—such as those offered by Codeum—are crucial for identifying vulnerabilities before they can be exploited.