
SafeMoon Public DEX Pool Hacked for $8.9M


BNB Chain-based decentralized exchange SafeMoon has been exploited, resulting in hackers siphoning off nearly $9 million worth of tokens from its liquidity pool. BscScan shows that multiple tokens were exchanged on March 28 in a single transaction, with the exploiters stealing SFM tokens locked on SafeMoon’s liquidity pool.

Public Burn Bug

Blockchain security firm PeckShield said the attackers were able to execute the hack after they exploited a public burn bug on SafeMoon’s smart contracts.

A detailed analysis from Web3 developer DeFi Mark shows that the hackers took advantage of the public burn function, which allows users to burn tokens from any other address. He added that the exploiters used this function to remove SFM tokens from SafeMoon’s WBNB liquidity pool, thereby artificially raising the price of the token.

The exploiters then sold SFM tokens into the liquidity pool at an overpriced rate within the same transaction, wiping out the remaining WBNB in the liquidity pool. Mark described the attack as an “extremely elementary exploit” that many contracts in the industry have been falling victim to. 
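
The price effect described above, as an added toy model (not SafeMoon's contract code and not taken from PeckShield or DeFi Mark). It assumes a fee-free constant-product pool that prices from its current token balance, every name and number is constructed, and it contrasts a burn that accepts any holder address with one that checks the caller owns the tokens.

```python
# Toy model added for illustration. Names and numbers are constructed.
class Token:
    """Minimal ledger; open_burn=True models a burn with no ownership check."""

    def __init__(self, balances, open_burn):
        self.balances = dict(balances)
        self.open_burn = open_burn

    def burn(self, caller, holder, amount):
        # Hardened rule: a caller may only burn tokens it holds itself.
        if not self.open_burn and caller != holder:
            raise PermissionError("burn: caller does not own these tokens")
        if self.balances[holder] < amount:
            raise ValueError("burn: amount exceeds balance")
        self.balances[holder] -= amount


def wbnb_out(sfm_reserve, wbnb_reserve, sfm_in):
    """Constant-product quote (x * y = k), fee ignored (assumption)."""
    return wbnb_reserve * sfm_in / (sfm_reserve + sfm_in)


def pool_share_paid_out(open_burn):
    """Fraction of the pool's WBNB that one sale receives after a
    third party tries to burn most of the pool's SFM balance."""
    token = Token({"pool": 1_000_000, "trader": 10_000}, open_burn)
    wbnb_reserve = 1_000.0
    try:
        token.burn(caller="trader", holder="pool", amount=999_000)
    except PermissionError:
        pass  # hardened token: the pool's reserve is untouched
    paid = wbnb_out(token.balances["pool"], wbnb_reserve, 10_000)
    return paid / wbnb_reserve


if __name__ == "__main__":
    print(f"unchecked burn: {pool_share_paid_out(True):.1%} of WBNB paid out")
    print(f"checked burn:   {pool_share_paid_out(False):.1%} of WBNB paid out")
```

With the ownership check in place the same sale receives about 1% of the pool's WBNB instead of about 91%, which is why a burn path that takes an arbitrary holder address is the item to look for in a token audit.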

John Karony, the CEO of SafeMoon, confirmed the attack via a tweet on Wednesday, saying their team had identified the exploit and resolved the vulnerability.

“In the hours since, our team has met with key advisors to agree a plan that protects token holders and the community. We have located the suspected exploit, patched the vulnerability, and are engaging a chain forensics consultant to determine the precise nature and extent of the exploit,” he tweeted.

Karony also assured users that other liquidity pools on the exchange are not impacted, nor are any upcoming upgrades or releases.

Attackers to Return Stolen Funds?

A few hours after the exploit, the attackers sent an on-chain message to the exchange saying they are willing to return the stolen funds.

“Hey relax, we are accidently frontrun an attack against you, we would like to return the fund, setup secure communication channel, lets talk,” the attackers wrote.

BscScan shows that the hackers already returned 4,000 BNB worth $1.2 million to the exchange.
