The attack affected the asset’s liquidity pool paired with BNB

SafeMoon token plummets by 26% after an $8.9 million exploit

29.03.2023 - 08:00

What’s new? On March 28, decentralized exchange (DEX) SafeMoon on the BNB Chain lost $8.9 million due to a liquidity pool (LP) exploit. According to PeckShield, a cybersecurity company, the cause was a vulnerability in the token burning mechanism, and the attack itself was initiated using the address of the project’s developer. PeckShield admitted that the reason was a leak of the administrator’s key. As a result of the incident, the price of the SafeMoon exchange token under the ticker SFM has plummeted by 25.7% in the past 24 hours, with the asset trading at $0.0001847, according to aggregator CoinGecko.

How was the attack carried out? A Web 3.0 developer under the nickname DeFi Mark stated that the attacker used the burn function to remove SFM exchange tokens from the liquidity pool paired with wrapped BNB (WBNB) tokens, thereby artificially inflating the price of SFM. DeFi Mark specified that the mistake allowed the hacker to burn tokens from any other address. The attacker then sold the overpriced SFM into the same liquidity pool, thus withdrawing any remaining WBNB. The developer added that this was “an extremely elementary exploit” to which many DeFi contracts have already fallen victim.
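Added example, not SafeMoon's contract code or part of the original article: a simplified Python model of the flaw described above, showing a burn function with no ownership check beside a hardened one. The class names, account names, reserve sizes and the fee-free constant-product pool that prices from live balances are all constructed assumptions.

```python
# Simplified model with constructed values; not SafeMoon's code or real reserves.

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)

    def burn_unchecked(self, caller, holder, amount):
        # Flaw described above: caller is never compared with holder.
        self.balances[holder] -= amount

    def burn_checked(self, caller, holder, amount):
        # Hardened form: an account may only burn its own balance.
        if caller != holder:
            raise PermissionError("caller may not burn another holder's tokens")
        if amount > self.balances[holder]:
            raise ValueError("burn exceeds balance")
        self.balances[holder] -= amount


class Pool:
    """Constant-product pair that prices from its current token balances."""

    def __init__(self, sfm, wbnb, address="pool"):
        self.sfm, self.wbnb, self.address = sfm, wbnb, address

    def reserves(self):
        return self.sfm.balances[self.address], self.wbnb.balances[self.address]

    def wbnb_out_for_sfm(self, sfm_in):
        # x * y = k swap output, fees ignored (assumption).
        r_sfm, r_wbnb = self.reserves()
        return r_wbnb * sfm_in / (r_sfm + sfm_in)


def build():
    sfm = Token({"pool": 1_000_000, "outsider": 1_000})
    wbnb = Token({"pool": 100})
    return sfm, Pool(sfm, wbnb)


def payout_after_burn(checked):
    """WBNB the pool would pay for 1,000 SFM after an outsider tries to burn pool SFM."""
    sfm, pool = build()
    burn = sfm.burn_checked if checked else sfm.burn_unchecked
    try:
        burn("outsider", "pool", 999_000)  # outsider targets the pool's balance
    except PermissionError:
        pass  # hardened token rejects the call; reserves are untouched
    return pool.wbnb_out_for_sfm(1_000)
```

With the unchecked burn the same 1,000 SFM is quoted at half the pool's WBNB; with the ownership check the quote stays at roughly 0.1 WBNB, which is why the authorization check on `burn` is the control to audit for.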

SafeMoon CEO John Karony confirmed that the incident affected the SFM/BNB token pool. He said the team discovered and fixed the vulnerability and brought in outside experts to assess the nature and scope of the exploit. He assured the community that the exchange’s other liquidity pools were not affected, and the SafeMoon crypto wallet is still safe to use.

Hours after the exploit, the hackers said that the attack was accidental and that they intend to return the funds. “We would like to return the fund, setup secure communication channel, lets talk,” was the message they attached to a transfer to the SafeMoon developer, cybersecurity company CertiK said. In the next transaction, the hackers sent 4000 BNB, or more than $1.26 million at the exchange rate as of March 29, at 07:30 UTC.

Notably, the day before, the hacker who withdrew $200 million from the Euler DeFi protocol had contacted its developers for the second time. He apologized for the incident and returned about half of the stolen funds in cryptocurrencies.
