
Hacker Exploits SafeMoon ‘Burn’ Bug, Steals $8.9 Million From Liquidity Pool

Vlad CONSTANTINESCU

March 30, 2023


An unknown threat actor abused a newly created “burn” function in SafeMoon’s smart contract, draining roughly $8.9 million from the token’s liquidity pool.

The flawed smart contract feature, designed to let users burn tokens, artificially pumped the token’s price, allowing it to be sold at an exaggerated value.

SafeMoon confirmed the incident, saying on Twitter that it’s taking steps to remediate the issue. John Karony, the company’s CEO, provided some insight into the specifics of the incident in a separate follow-up announcement, claiming that the “DEX is safe” and that the incident “ultimately affected the SFM:BNB LP pool.”

“We have located the suspected exploit, patched the vulnerability, and are engaging a chain forensics consultant to determine the precise nature and extent of the exploit,” Karony’s announcement continues. “Users should be assured that their tokens remain safe. I want to assure you that the other LP pools on the DEX have not been affected, and nor have any of our upcoming upgrades and releases.”

According to an analysis by blockchain security company PeckShield, the incident stemmed from a recent update to the SafeMoon contract that added a “burn” function. The feature was incorrectly implemented and left open to the public, PeckShield said. In other words, anyone could execute the burn function without restriction.

The perpetrator exploited the feature’s lack of restrictions to burn a large chunk of SafeMoon tokens, significantly driving their price up. Shortly after the spike, another wallet sold tokens worth $8.9 million.
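A simplified model of the missing access check described above, as an added example that is not SafeMoon's contract code. The `Token` class, the holder parameter on the burn call, the allowance rule, and every balance are assumptions constructed for illustration, and the pool is assumed to price the token from its current balance.

```python
# Constructed model: a token ledger plus a pool whose quoted price is
# base_reserve / token_balance_of_pool. Not the real contract.

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def burn_unrestricted(self, caller, holder, amount):
        # Flawed form: the caller is never compared with the holder.
        self._debit(holder, amount)

    def burn_checked(self, caller, holder, amount):
        # Hardened form: burn only your own balance, or spend an allowance.
        if caller != holder:
            allowed = self.allowances.get((holder, caller), 0)
            if allowed < amount:
                raise PermissionError("caller may not burn this balance")
            self.allowances[(holder, caller)] = allowed - amount
        self._debit(holder, amount)

    def _debit(self, holder, amount):
        if amount <= 0 or self.balances.get(holder, 0) < amount:
            raise ValueError("invalid burn amount")
        self.balances[holder] -= amount


def pool_price(token, pool, base_reserve):
    # Price of one token in the base asset, read from the pool's balance.
    return base_reserve / token.balances[pool]


def demo():
    # Run the same third-party burn request against both forms.
    results = {}
    for name in ("burn_unrestricted", "burn_checked"):
        token = Token({"pool": 1_000_000, "outsider": 1_000})
        before = pool_price(token, "pool", 500)
        try:
            getattr(token, name)("outsider", "pool", 990_000)
            outcome = "burned"
        except PermissionError:
            outcome = "rejected"
        results[name] = (outcome, before, pool_price(token, "pool", 500))
    return results
```

With the check in place the pool's balance, and therefore the quoted price, is unchanged by a caller who neither holds the tokens nor has an allowance over them.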

Interestingly, researchers noticed a comment from the second address appended to a transaction, claiming they were not the initial hacker. The comment seems like an attempt to establish a communication channel between the parties:

“Hey relax, we are accidently frontrun an attack against you, we would like to return the fund, setup secure communication channel , lets talk,” reads the message.

Additionally, the wallet owner has since transferred 4,000 Binance Coins (BNB) worth $1,261,972.52 at the time of writing. Although this may seem like a gesture of goodwill, researchers met the transfer with a raised eyebrow, doubting the legitimacy of the second wallet owner’s claims not to be involved with the initial exploiter.
