The SafeMoon token liquidity pool (LP) was depleted of over $9 million in SFM tokens late Tuesday after attackers exploited a flaw in its smart contracts.
SafeMoon is a DeFi-focused project that promises to provide investors with a chance to earn interest on their holdings through token burning, LP purchase, and redistribution. SafeMoon was one of the top gainers in the 2021 bull market.
The DeFi project did not specify the precise source of this incident; however, it did state that it was acting quickly to fix the problem as soon as possible.
Meanwhile, other parties have commented on the matter, including the security firm PeckShield, which said that a contract upgrade introduced a public burn bug, presumably allowing anyone to wipe out tokens.
The upgrade, according to PeckShield, was triggered via the deployer contract, and they raised the possibility of an admin key leak.
Another developer, DeFi Mark, the CEO of Dappd, identified the exploit’s primary cause as a flawed burn function in SafeMoon’s smart contracts. He said,
#Safemoon was just hacked for $8.9M.
After two minutes looking at the newest Safemoon contract, I was able to identify the extremely obvious exploit.
The attacker took advantage of the public burn() function, this function let any user burn tokens from ANY other address (code… pic.twitter.com/bovlyVoq1i
— DeFi Mark (@MoonMark_) March 28, 2023
“The attacker took advantage of the public burn function; this function let any user burn tokens from ANY other address (code attached).”
The developer said that the attacker used this function to remove SFM tokens from the SafeMoon-WBNB Liquidity Pool, fraudulently inflating SFM’s price, and then sold SFM at a “grossly overpriced rate.”
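The flaw and the price effect described above, as an added example that is not SafeMoon's contract code and not part of the original reporting: a simplified Python model comparing a burn with no caller check against one that requires ownership or an allowance. All names and balances are constructed, and the pool's token balance is assumed to act directly as its reserve.

```python
# Added illustration: simplified token ledger and constant-product pool price.
# All names and numbers are constructed; this is not SafeMoon's contract code.

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def burn_unchecked(self, caller, target, amount):
        """Flawed pattern: any caller may burn from any target address."""
        if self.balances.get(target, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[target] -= amount

    def burn_checked(self, caller, target, amount):
        """Hardened pattern: caller burns own tokens or spends an allowance."""
        if self.balances.get(target, 0) < amount:
            raise ValueError("burn exceeds balance")
        if caller != target:
            allowed = self.allowances.get((target, caller), 0)
            if allowed < amount:
                raise PermissionError("caller not authorised to burn from target")
            self.allowances[(target, caller)] = allowed - amount
        self.balances[target] -= amount


def spot_price(token, pool, wbnb_reserve):
    """WBNB per token, using the pool's token balance as its reserve (assumption)."""
    return wbnb_reserve / token.balances[pool]


def demo():
    """Return {burn variant: (call rejected?, price after / price before)}."""
    results = {}
    for name in ("burn_unchecked", "burn_checked"):
        token = Token({"pool": 1_000_000, "outsider": 0})
        before = spot_price(token, "pool", 100)
        try:
            getattr(token, name)("outsider", "pool", 990_000)
            rejected = False
        except PermissionError:
            rejected = True
        results[name] = (rejected, spot_price(token, "pool", 100) / before)
    return results


if __name__ == "__main__":
    print(demo())
```

With the unchecked burn, an address holding no tokens shrinks the pool's balance and the quoted price rises a hundredfold; with the checked burn the same call is rejected and the price is unchanged.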
SafeMoon (SFM) token, DEX, and wallet remain safe
Through his personal Twitter handle, SafeMoon CEO John Karony (also known as Captain Hodl) reiterated that they have taken immediate steps to rectify the issue and safeguard their community.
He informed customers that only the SFM:BNB LP pool was ultimately impacted and that their native decentralized exchange (DEX) remained safe.
To our valued community,
As you may be aware, on Tuesday 28 March, SafeMoon’s Liquidity Pool was compromised. We have taken swift action to resolve the situation and protect our community. I want to make clear that our DEX is safe. This ultimately affected the SFM:BNB LP pool.…
— John Karony (@CptHodl) March 29, 2023
Other LP pools on the DEX and SafeMoon Wallet, secured by Orbital Shield, have not been affected, and neither have any of their upcoming upgrades or releases. He reassured the community members that their digital assets would be protected in the SafeMoon Wallet going forward.
John Karony further maintained that his team has met with key advisors to agree on a plan that protects token holders and the community. He noted,
“We have located the suspected exploit, patched the vulnerability, and are engaging a chain forensics consultant to determine the precise nature and extent of the exploit.”
SFM token declines
SafeMoon’s native token (SFM) has been hurt by the announcements, falling by almost 20% on CoinMarketCap before slightly recovering at the time of this writing. SFM currently trades at $0.0001999, a decline of 13.62% in the last 24 hours.
Despite the decline in SFM’s value, the team’s prompt actions have been commended by some members of the community, who have expressed confidence in SafeMoon’s ability to recover from this setback. However, others remain skeptical and are closely monitoring the situation for any further developments.