The attack affected the asset’s liquidity pool paired with BNB

​SafeMoon token plummets by 26% after an $8,9 million exploit

29.03.2023 - 08:00


4 min

What’s new? On March 28, decentralized exchange (DEX) SafeMoon on the BNB Chain lost $8,9 million due to a liquidity pool (LP) exploit. According to PeckShield, a cybersecurity company, the cause was a vulnerability in the token burning mechanism, and the attack itself was initiated using the address of the project’s developer. PeckShield admitted that the reason was a leak of the administrator’s key. As a result of the incident, the price of the SafeMoon exchange token under the ticker SFM has plummeted by 25,7% in the past 24 hours, with the asset trading at $0,0001847, according to aggregator CoinGecko.

How was the attack carried out? A Web 3.0 developer under the nickname DeFi Mark stated that the attacker used the burn function to remove exchange tokens SFM from the liquidity pool paired with wrapped BNB (WBNB) tokens, thereby artificially inflating the price of SFM. DeFi Mark specified that the mistake allowed the hacker to burn tokens from any other address. He then sold the overpriced SFM into the same liquidity pool, thus withdrawing any remaining WBNB. The developer added that this was “an extremely elementary exploit” to which many DeFi contracts have already fallen victim.

SafeMoon CEO John Karony confirmed that the incident affected the SFM/BNB token pool. He said the team discovered and fixed the vulnerability and brought in outside experts to assess the nature and scope of the exploit. He assured the community that the exchange’s other liquidity pools were not affected, and the SafeMoon crypto wallet is still safe to use.

Hours after the exploit, the hackers said that the attack was accidental and that they intend to return the funds. “We would like to return the fund, setup secure communication channel, lets talk,” was the message they attached to a transfer to the SafeMoon developer, cybersecurity company CertiK said. In the next transaction, the hackers sent 4000 BNB, or more than $1,26 million at the exchange rate as of March 29, at 07:30 UTC.

Notably, the day before, a hacker who withdrew $200 million from the project had contacted the developers of the Euler DeFi protocol for the second time. He apologized for the incident and returned about half of the stolen funds in cryptocurrencies.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy