SafeMoon’s token liquidity pool lost $8.9 million after a hacker exploited a new “burn” smart contract feature that artificially inflated the price, allowing SafeMoon to be sold at a much higher price.

Liquidity pools in DeFi platforms are large repositories of funds (cryptocurrency) that facilitate trading, provide liquidity to the market, and generally allow exchanges to operate without borrowing from a third party.

SafeMoon confirmed the security incident today on Twitter and said it is currently working to resolve the issue.

Tweet by SafeMoon

SafeMoon CEO John Karony said the attack happened on Tuesday, March 28, affecting the SFM:BNB liquidity pool but not the platform’s exchange.

“We have located the suspected exploit, remediated the vulnerability, and engaged a chain forensics consultant to determine the precise nature and extent of the exploit,” read Karony’s statement.

“Users need to be assured that their tokens remain safe. I want to assure you that other LP pools on the DEX have not been affected, nor any of our upcoming updates and releases.”

Exploit details

Blockchain security experts PeckShield have shared more details about the vulnerability exploited by the hacker to carry out the $9 million heist against SafeMoon.

According to PeckShield, a recent update introduced a new SafeMoon smart contract feature that burns tokens. Unfortunately, the function was mistakenly set to public with no restrictions, allowing anyone to run it however they wanted.

Karony has previously said that this system would only be used in emergencies, such as when the liquidity pool faces risks from malicious smart contracts, excessive slippage and other transient losses.

The hacker used the feature to burn large amounts of SafeMoon tokens, which drove up the price of the token.

Fault highlighted by PeckShield

As soon as the price rose, another address sold SafeMoon at the manipulated price, draining $8.9 million from the SafeMoon:WBNB liquidity pool.
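The effect of the unrestricted burn described above can be reproduced in a small model. This is an added example, not SafeMoon's contract code and not PeckShield's analysis; it assumes the burned tokens are the pool's own reserve, a fee-free constant-product pool, and constructed balances and account names.

```python
class Unauthorized(Exception):
    """Raised when a caller without burn rights invokes burn()."""


class Token:
    # Constructed toy ledger; "owner", "pool" and "outsider" are illustrative names.
    def __init__(self, restrict_burn):
        self.owner = "owner"
        self.balances = {"pool": 1_000_000.0, "outsider": 1_000.0}
        self.restrict_burn = restrict_burn

    def burn(self, caller, holder, amount):
        # The missing restriction: without this check any caller can burn
        # tokens held by any address, including the pool's reserve.
        if self.restrict_burn and caller != self.owner:
            raise Unauthorized(f"{caller} may not burn tokens held by {holder}")
        if amount > self.balances[holder]:
            raise ValueError("burn exceeds balance")
        self.balances[holder] -= amount


def sale_proceeds(token_reserve, bnb_reserve, tokens_sold):
    """BNB paid out by a constant-product pool (x * y = k, fees ignored)."""
    return bnb_reserve * tokens_sold / (token_reserve + tokens_sold)


def simulate(restrict_burn, bnb_reserve=100.0):
    """Compare pool price and payout before/after an outsider's burn call."""
    token = Token(restrict_burn)
    price_before = bnb_reserve / token.balances["pool"]
    try:
        token.burn(caller="outsider", holder="pool", amount=990_000.0)
        blocked = False
    except Unauthorized:
        blocked = True
    price_after = bnb_reserve / token.balances["pool"]
    paid = sale_proceeds(token.balances["pool"], bnb_reserve, 1_000.0)
    return {"blocked": blocked, "price_before": price_before,
            "price_after": price_after, "bnb_paid_for_1000_tokens": paid}


if __name__ == "__main__":
    for restricted in (False, True):
        print("restricted burn:", restricted, simulate(restricted))
```

With the caller check enabled the burn is rejected and the pool's price and payout stay at their original values; without it, the same 1,000-token sale is paid out at roughly a hundred times the original price.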

Hours after the attack, the actor who converted the SafeMoon to BNB claimed he was not the original hacker but had “accidentally front-run” the attack after the price was artificially inflated through use of the burn() function.

Although it is not clear if the owner of this wallet is the same person who exploited the bug, they are offering to return the stolen funds to SafeMoon.

“Hey relax, we accidentally launched an attack on you, we’d like to return the funds to you, set up a secure communication channel, let’s talk about it,” a comment added to the transaction read.

Since then, the person has transferred 4,000 Binance Coins (BNB), worth $1,264,440.00, to another address, making the frontrun less accidental.
