Decentralized Exchange SafeMoon Exploited in $8.9 Million Hack
Binance Smart Chain (BSC) based decentralized exchange SafeMoon was exploited in a smart contract attack that led to BNB worth $8.9 million being stolen from one of its liquidity pools (LPs). SafeMoon confirmed news about the attack via Twitter on March 29.
Addressing the “SafeMoon community”, the company said its SafeMoon-WBNB LP had been compromised and that it was taking “swift action” to resolve the issue as soon as possible.
Jake Paul Endorsed DEX Hacked After Introducing Bug in Latest Protocol Update
Blockchain security firm Peckshield said the hack was the result of a “public burn bug” that was introduced in the protocol’s latest upgrade. Peckshield also noted that the faulty upgrade transaction was initiated by an official SafeMoon Deployer, indicating a possible admin key leak might have led to the DEX being compromised.
The on-chain security expert suspects that the hacker exploited the public burn bug to artificially raise the price of SafeMoon’s native asset SFM using a function in the contract’s code.
The investigator assumes the culprit then sold enough tokens back to the liquidity pool to drain 27,000 wrapped BNB (WBNB) from the smart contract, all in a single transaction.
In a detailed explanation given to crypto news outlet The Block, Peckshield said that by exploiting the public burn bug, the attacker could burn most SFM in the pair, which simultaneously increased the token’s price.
The hacker basically purchased the tokens at the beginning, exploited the bug to raise its price, and then sold the SFM back to the protocol at a profit to take out more than $8.9 million worth of BNB.
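Why a missing caller check on a burn function matters for a liquidity pair, shown as an added illustration that is not SafeMoon's contract code or Peckshield's analysis. It assumes a fee-free constant-product pool that prices swaps from the balances it currently holds; all names and reserve figures are constructed.

```python
from fractions import Fraction

class Token:
    def __init__(self, restrict_burn):
        self.restrict_burn = restrict_burn  # True models an access-controlled burn
        self.bal = {}

    def move(self, src, dst, amt):
        if self.bal.get(src, 0) < amt:
            raise ValueError("insufficient balance")
        self.bal[src] -= amt
        self.bal[dst] = self.bal.get(dst, 0) + amt

    def burn(self, caller, holder, amt):
        # The check in question: without it any caller can destroy another holder's tokens.
        if self.restrict_burn and caller != holder:
            raise PermissionError("burn: caller is not the holder")
        self.bal[holder] -= amt

class Pool:
    """Constant-product pair (x*y=k), no fees, priced from current balances (assumption)."""
    def __init__(self, token, sfm, wbnb):
        self.token, self.wbnb = token, Fraction(wbnb)
        token.bal["pool"] = Fraction(sfm)

    def buy(self, who, wbnb_in):
        sfm = self.token.bal["pool"]
        out = sfm - sfm * self.wbnb / (self.wbnb + wbnb_in)
        self.wbnb += wbnb_in
        self.token.move("pool", who, out)

    def sell(self, who, sfm_in):
        sfm = self.token.bal["pool"]
        out = self.wbnb - sfm * self.wbnb / (sfm + sfm_in)
        self.token.move(who, "pool", sfm_in)
        self.wbnb -= out
        return out

def round_trip(restrict_burn):
    """Buy, attempt a third-party burn of 90% of the pool's SFM, sell: (net WBNB, blocked)."""
    token = Token(restrict_burn)
    pool = Pool(token, sfm=1_000_000, wbnb=1_000)  # constructed reserves
    pool.buy("trader", 10)
    blocked = False
    try:
        token.burn("trader", "pool", token.bal["pool"] * Fraction(9, 10))
    except PermissionError:
        blocked = True
    return pool.sell("trader", token.bal["trader"]) - 10, blocked

if __name__ == "__main__":
    print(round_trip(False), round_trip(True))
```

With the caller check in place the burn is rejected and the round trip nets zero; without it the same trades pull WBNB out of the pool, which is the invariant a review or test suite for the token should assert.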
Hours after the attack, the hacker posted a message on the smart contract saying they “accidentally front run” an attack against SafeMoon and were willing to return the stolen funds. The attacker asked the team to set up a secure communication channel to negotiate a deal and has since transferred 4,000 BNB worth $1.26 million back to the exchange.
Crypto Community Suspects Rug-Pull by an Already Sketchy Project
However, not everyone in the crypto community is buying the story. A security expert and U.S. Army veteran who goes by the name ‘theonlyjonathan’ on Twitter alleges the situation was a definite rug-pull attempt by SafeMoon.
He says that the apparent bug was a feature intentionally added by the development team. Jonathan claims that SafeMoon has been active in the DeFi space for long enough to understand the bug and expressed that he always felt suspicious about the project.
Other users shared the same opinion, stating that SafeMoon has always been “sketchy” in its operations and that the apparent exploit was an inside job.
SafeMoon CEO John Karony assured customers that their funds are safe on the DEX. He asserted that the team met with key advisors to agree on a plan to protect SFM token holders that were invested in the SFM:BNB LP pool.
Karony noted that the team has since located the suspected exploit, patched the smart contract vulnerability, and is in contact with blockchain forensic consultants to determine the “precise nature and extent” of the hack.
The SafeMoon chief assured users that all tokens deposited in other liquidity pools on the DEX, and upcoming upgrades and releases to the protocol remain unaffected by the exploit. He also urged customers to continue using the SafeMoon Wallet to store their crypto assets.
Investors have been advised not to deposit any funds in the protocol until the SafeMoon team officially announces a resolution.
Twitter user ‘MoonMark_’ criticized the DEX for not employing “capable developers”, instead relying on amateurs to create smart contracts and upgrade the protocol and paying them on a project-by-project basis. Stablecoin arbitrage trader Christopher Rossel replied to the tweet asking how the multi-million dollar crypto platform did not have access control over its burn function.
When it launched in 2021, SafeMoon was endorsed by a host of celebrities and social media influencers like YouTuber Jake Paul and rapper Soulja Boy.
However, in February 2022, a class-action lawsuit was filed by investors against musicians Nick Carter, Soulja Boy, Lil Yachty, and YouTubers Jake Paul and Ben Philips for allegedly mimicking a real-life Ponzi scheme by misleading them to purchase SFM tokens under the pretext of unrealistic profits.
The price of SFM has tanked since the DEX was hacked. At the time of writing, SafeMoon is trading at 0.000189 – down over 20% in the last 24 hours. The token currently has a market cap of $105 million.