Posted on March 29, 2023 at 8:34 PM
SafeMoon loses $8.9 million from its liquidity pool due to a bugged burn feature
Yesterday, March 29th, crypto project SafeMoon reported that its liquidity pool lost $8.9 million in a hacking attack that supposedly abused a bug in the project’s new burn feature. The feature was created in order to reduce the supply of the project’s token, thus artificially inflating its price. It was built into a separate smart contract to which the cryptocurrency can be sent, but from which it cannot be retrieved.
The burning mechanism is a common part of crypto projects, and it is typically used to reduce the circulating supply and increase the value of tokens held by the users.
Meanwhile, liquidity pools are also common among DeFi platforms, and they represent large deposits of cryptocurrency. These funds facilitate trading, provide market liquidity, and allow crypto exchanges to operate without having to borrow from a third party. Community members store their own extra funds in the pool and get rewards in exchange, while the exchange can immediately satisfy market orders.
SafeMoon has now confirmed that its liquidity pool was robbed in a security incident, and that the project is working on resolving the issue.
John Karony, the project’s CEO, said that the attack took place on March 28th and that it had affected the SFM:BNB pool. However, the platform’s exchange was not involved in the incident. In his statement, he noted that the project had identified the exploit that the hacker used, and that the vulnerability was patched immediately after that.
However, the platform is still in the process of identifying the nature and exact extent of the exploit. Addressing the users’ concerns, Karony said that their tokens remain safe. The project’s other liquidity pools have also not been affected by the attack, and the same is true for upcoming upgrades and releases.
What is known about the exploit?
Details about the exploit have been released by the security experts at PeckShield. They said that the recent update introduced a smart contract feature that burns tokens for the project, but the function was not set up properly. Apparently, it was set to public without restrictions, which means that anyone was able to execute it at will.
Karony noted that the system was only meant to be used in emergencies, such as in cases when the liquidity pool encounters risks due to malicious smart contracts, when there is excessive slippage, and in similar situations. However, the hacker used the function to burn a large amount of SafeMoon tokens, which resulted in a major boost in the value of the token.
As the price skyrocketed, another address sold SafeMoon tokens at this increased value, which drained $8.9 million from the SafeMoon:WBNB liquidity pool.
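The mechanism described above can be reproduced in a small model. This is an added example, not SafeMoon's contract code: the account names, the amounts, the constant-product pricing and the assumption that the burn call can be pointed at the pool's own token balance are all constructed for illustration. It runs the same sequence against a burn function with no caller check and against one restricted to an emergency role.

```python
# Constructed model: account names, amounts and constant-product pricing are assumptions.
class Unauthorized(Exception):
    pass

class Token:
    def __init__(self, balances, burn_admins=None):
        self.balances = dict(balances)
        # None models the misconfiguration: burn is public with no caller check.
        self.burn_admins = burn_admins

    def burn(self, caller, holder, amount):
        # Hardened form: only designated emergency accounts may burn.
        if self.burn_admins is not None and caller not in self.burn_admins:
            raise Unauthorized(f"{caller} is not allowed to burn")
        if amount > self.balances[holder]:
            raise ValueError("burn exceeds balance")
        self.balances[holder] -= amount

class Pool:
    """Token/BNB pool priced as x * y = k, fees ignored (assumption)."""
    def __init__(self, token, bnb):
        self.token, self.bnb = token, bnb

    def price(self):
        return self.bnb / self.token.balances["pool"]

    def sell(self, seller, amount):
        reserve = self.token.balances["pool"]
        bnb_out = self.bnb * amount / (reserve + amount)
        self.token.balances[seller] -= amount
        self.token.balances["pool"] = reserve + amount
        self.bnb -= bnb_out
        return bnb_out

def scenario(burn_admins):
    """An unprivileged caller tries to burn pool-held tokens, then a holder sells."""
    token = Token({"pool": 1_000_000, "holder": 10_000}, burn_admins)
    pool = Pool(token, bnb=1_000.0)
    before = pool.price()
    try:
        token.burn("stranger", "pool", 990_000)
        blocked = False
    except Unauthorized:
        blocked = True
    after = pool.price()
    return blocked, before, after, pool.sell("holder", 10_000)

if __name__ == "__main__":
    for label, admins in (("public burn", None), ("restricted burn", {"emergency_admin"})):
        print(label, scenario(admins))
```

With the public burn, the quoted price rises a hundredfold and the same sale takes half of the pool's BNB; with the role check in place the burn is rejected and the sale returns under 1% of it.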
In the hours after the attack, the person who converted the project’s cryptocurrency into BNB stated that they were not the one who initially attacked SafeMoon. Instead, they accidentally performed a front run following the artificial inflation caused by the exploit.
For the moment, there is still some confusion surrounding the incident. It remains unclear whether the owner of the address is the person who performed the attack, or someone else who somehow got involved in the incident. However, what is known is that this person offered to return the stolen funds to SafeMoon.
They performed a transaction with a message for SafeMoon that said: “Hey relax, we are accidentally frontrun an attack against you, we would like to return the fund, setup a secure communication channel , lets talk.”
Since then, this individual has transferred 4,000 BNB coins, which were worth $1,264,440 according to the price at the time. The funds went to a different address, which made the frontrun look somewhat less accidental.