A hacker has made off with $8.9 million worth of digital assets after exploiting a vulnerability in the BNB Chain-based DeFi exchange SafeMoon.
According to crypto security firm PeckShield, the attacker exploited a public burn function introduced in the latest upgrade.
The function included a bug that allowed the hacker to compromise the project’s liquidity pool and drain almost $9 million worth of assets.
Hi @safemoon The upgrade, with the exploited public burn bug, was initiated by the official SafeMoon: Deployer. (Admin key leak?) And here comes the upgrade tx. https://t.co/ffAhm9qhgG https://t.co/KYEiYxMRII pic.twitter.com/9CQhseircP
— PeckShield Inc. (@peckshield) March 28, 2023
Web3 developer DeFi Mark further explained that the attacker used the vulnerability to remove SafeMoon (SFM) tokens, causing an artificial spike in the token’s price.
The attacker took advantage of the situation and sold off the tokens at an inflated price.
“The attacker used this function to remove SFM tokens from the Safemoon-WBNB Liquidity Pool, artificially raising the price of SFM,” the crypto guru said.
“The attacker was then able to sell SFM into this LP at a grossly overpriced rate within the same transaction, wiping out the remaining WBNB in the liquidity pool.”
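The price effect described above can be reproduced with a small constant-product pool model. This is an added illustration with constructed numbers, not SafeMoon's contract code; the `Pool` class, the `burn` signature and the `check_owner` switch are hypothetical, and the sketch assumes the flaw amounts to a burn that any caller can aim at the pool's token balance.

```python
from dataclasses import dataclass

LP = "pool"  # hypothetical label standing in for the liquidity pool's address


@dataclass
class Pool:
    token: float  # token reserve held by the pool (constructed value)
    wbnb: float   # WBNB reserve held by the pool (constructed value)

    def price(self) -> float:
        """Spot price of one token in WBNB."""
        return self.wbnb / self.token

    def quote_sell(self, amount: float) -> float:
        """WBNB paid out for selling `amount` tokens (x * y = k, fee ignored)."""
        return self.wbnb * amount / (self.token + amount)


def burn(pool: Pool, holder: str, amount: float, caller: str,
         check_owner: bool) -> None:
    """Burn `amount` of `holder`'s tokens.

    check_owner=False models a burn open to any caller; check_owner=True is
    the hardened form, where a caller can only burn its own balance.
    """
    if check_owner and caller != holder:
        raise PermissionError("caller may only burn its own tokens")
    if holder == LP:
        pool.token -= amount  # reserve shrinks with no WBNB leaving the pool


def drained_share(pool: Pool, sell_amount: float) -> float:
    """Fraction of the pool's WBNB that a single sale of `sell_amount` takes."""
    return pool.quote_sell(sell_amount) / pool.wbnb


def demo():
    intact = Pool(token=1_000_000.0, wbnb=1_000.0)
    before = drained_share(intact, 10_000.0)      # same sale, untouched pool
    flawed = Pool(token=1_000_000.0, wbnb=1_000.0)
    burn(flawed, LP, 990_000.0, caller="anyone", check_owner=False)
    after = drained_share(flawed, 10_000.0)       # same sale after the burn
    ratio = flawed.price() / intact.price()       # spot price inflation
    try:
        burn(Pool(1_000_000.0, 1_000.0), LP, 990_000.0, "anyone", True)
        blocked = False
    except PermissionError:
        blocked = True
    return before, after, ratio, blocked
```

In this model the same sale takes about 1% of the pool's WBNB before the burn and 50% after it, which is why a burn function needs the same authorization as a transfer out of the holder's balance.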
In a recent tweet, the team behind SafeMoon confirmed the hack, noting that the project’s LP was compromised.
Without revealing further details about the attack, SafeMoon said it was taking steps “to resolve the issue as soon as possible.”
To the @SAFEMOON community: We want to inform you that our LP has been compromised.
We are taking swift action in an attempt to resolve the issue as soon as possible. Follow here for updates.
Thank you for your support as we work to address this situation.
— SafeMoon (@safemoon) March 28, 2023
SafeMoon describes itself as a community-driven DeFi protocol that features a deflationary utility token, SFM. It runs on the BEP-20 token standard, built on the Binance Smart Chain (BSC).
The project was launched in the first quarter of 2021 and came with several features such as static rewards, liquidity pool acquisition, and burn strategy.
Notably, the project was previously endorsed by a number of high-profile celebrities and social influencers such as Jake Paul and Soulja Boy.
However, the project has been at the center of scandals and legal issues of late.
A lawsuit from February 2022 alleged that musicians such as Nick Carter, Soulja Boy, Lil Yachty, and YouTubers Jake Paul and Ben Phillips mimicked real-life Ponzi schemes by misleading investors into purchasing SafeMoon (SFM) tokens under the pretext of unrealistic profits.
SafeMoon Leadership Under Fire
In May last year, internet detective Coffeezilla made a string of allegations against SafeMoon’s founder, lead developer, and CEO, claiming that the leadership used funds intended for SafeMoon’s liquidity pool to enrich themselves.
SafeMoon’s founder, who is known as Kyle and about whom very little information is available, allegedly copied the code of another, smaller rug pull project called Bee Token to create SafeMoon.
In analyzing SafeMoon’s wallets and blockchain activity, the researcher found that founder Kyle had been slowly rug-pulling funds since the start. He said at the time:
“The total amount of SafeMoon that came into Kyle’s wallet was 164 trillion tokens. Fast forward to mid-September to mid-December, this grossed him just under $10.3 million.”
After Kyle stepped aside, Lead Dev Thomas “Papa” Smith took over as the project’s leader.
However, Coffeezilla revealed in his investigation that Smith also took $143 million of the project’s liquidity pool across 18 transactions.