The liquidity pool (LP) of SafeMoon, a decentralized finance (DeFi) project, was compromised on Tuesday due to a bug in a public function of its token contract, which allowed the attacker to drain wrapped BNB (WBNB) from the protocol. SafeMoon acknowledged the attack on Twitter and assured its community that it was working to resolve the issue. The amount stolen from the project was over $8.9 million.
Details of the Incident
To the @SAFEMOON community: We want to inform you that our LP has been compromised.
We are taking swift action in an attempt to resolve the issue as soon as possible. Follow here for updates.
Thank you for your support as we work to address this situation.
— SafeMoon (@safemoon) March 28, 2023
PeckShield, a blockchain security company, revealed that the bug was introduced during the project’s last contract upgrade, likely due to the leakage of the admin key. According to DeFi Mark, the attacker exploited the public burn function to remove SafeMoon’s native token, SFM, from the project’s WBNB liquidity pool. The attacker then sold overpriced SFM tokens into the same liquidity pool, causing an artificial spike in the price of SFM and wiping out the remaining WBNB. DeFi Mark explained that the exploit was an extremely obvious one, which could have been averted by not allowing users to burn tokens from any address.
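An added sketch (not SafeMoon's contract code, and not from PeckShield or DeFi Mark) of why a burn that accepts any holder address distorts a pool's price, next to the restricted form. The `Token` class, the address names, the balances and the fee-free constant-product pricing are all constructed assumptions.

```python
# Constructed toy model: every name and number here is an assumption.
class Token:
    def __init__(self, balances, restrict_burn):
        self.balances = dict(balances)
        self.restrict_burn = restrict_burn

    def burn(self, caller, holder, amount):
        # Hardened form: a caller may only burn tokens it holds itself.
        if self.restrict_burn and caller != holder:
            raise PermissionError("caller may not burn another address's tokens")
        if self.balances.get(holder, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[holder] -= amount


def spot_price(sfm, wbnb_reserve, pool="pool"):
    """WBNB per SFM implied by what the pool currently holds."""
    return wbnb_reserve / sfm.balances[pool]


def sell_sfm(sfm, wbnb_reserve, seller, amount, pool="pool"):
    """Fee-free constant-product swap; returns (wbnb_out, wbnb_left)."""
    x = sfm.balances[pool]
    k = x * wbnb_reserve
    sfm.balances[seller] -= amount
    sfm.balances[pool] = x + amount
    wbnb_left = k / (x + amount)
    return wbnb_reserve - wbnb_left, wbnb_left


def run(restrict_burn):
    """Replay the same sequence against the open and the restricted burn."""
    sfm = Token({"pool": 1_000_000, "outsider": 1_000}, restrict_burn)
    wbnb = 100.0
    before = spot_price(sfm, wbnb)
    try:
        sfm.burn(caller="outsider", holder="pool", amount=999_000)
        burned = True
    except PermissionError:
        burned = False
    after = spot_price(sfm, wbnb)
    out, left = sell_sfm(sfm, wbnb, "outsider", 1_000)
    return {"burned": burned, "price_before": before,
            "price_after": after, "wbnb_out": out, "wbnb_left": left}
```

With the open burn the pool's SFM balance collapses, so the same 1,000 SFM is priced at half the pool's WBNB; with the caller check the burn is rejected and the sale returns a fraction of one WBNB.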
Hack or Intentional?
Some observers argued that the bug was an intentional feature left in SafeMoon’s contract to enable the company to siphon off users’ funds. This controversy has fueled ugly comments about the incident. SafeMoon is currently facing a lawsuit accusing it of misleading investors about the tokenomics of SFM. According to the lawsuit, SafeMoon’s executives slowly rug-pulled investors after the project’s rally in price and trading volume following its launch.