Safemoon liquidity pair compromised in $8.9 million hack

Quick Take

  • A bug allowed an exploiter to burn a majority of SFM tokens in the Safemoon liquidity pool, artificially raising the token’s price so the contract’s WBNB could be drained in one transaction, on-chain records show.
  • Almost $8.9 million in total was lost to the hacker.

The BNB chain-based exchange Safemoon was compromised earlier today, according to on-chain records, resulting in close to $9 million being drained from its liquidity pool.

“To the @SAFEMOON community: We want to inform you that our LP has been compromised,” the BNB-based exchange wrote on Twitter, adding that it was taking swift action to resolve the issue. Almost $8.9 million in assets were transferred out of the liquidity pool, according to BscScan.

A recent update may have introduced a “public burn bug” that facilitated the hack, security firm PeckShield said.

The hacker was able to artificially raise the price of SFM tokens using a code function, and then sold enough tokens back to the liquidity pool in the same transaction to effectively drain the WBNB from the contract, PeckShield confirmed.

“By exploiting the public mint bug, the actor can burn most SFM token in the pair, which increases the SFM price,” PeckShield told The Block, adding, “With that, the actor basically buys SFM at the beginning, next exploits the public mint bug to increase the SFM price, and then sells SFM with the profit [greater than] $8.9 million.”
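Why a burn that touches only the pair's SFM balance is so damaging, and how a monitor can tell it apart from normal pool activity, is shown in the added example below. It is not code from Safemoon, PeckShield or The Block; it assumes a fee-free constant-product pool, and the class, function names and reserve figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pair:
    """Toy fee-free constant-product pair (assumed model; integer units are constructed)."""
    sfm: int
    wbnb: int

    def sell_sfm(self, amount_in: int) -> int:
        """Swap SFM for WBNB along sfm * wbnb = k; returns WBNB paid out."""
        out = self.wbnb * amount_in // (self.sfm + amount_in)
        self.sfm += amount_in
        self.wbnb -= out
        return out

    def burn_from_pair(self, amount: int) -> None:
        """Effect of the bug described above: the pair's SFM shrinks, WBNB is untouched."""
        self.sfm -= amount

    def remove_liquidity(self, percent: int) -> None:
        """Legitimate withdrawal: both reserves fall in the same proportion."""
        self.sfm -= self.sfm * percent // 100
        self.wbnb -= self.wbnb * percent // 100

    def snapshot(self) -> tuple[int, int]:
        return (self.sfm, self.wbnb)

def one_sided_reserve_drop(before, after, tol=1e-6) -> bool:
    """Monitoring check: True when k fell AND the reserve ratio moved.
    Swaps never lower k; liquidity removal lowers k but keeps the ratio."""
    (x0, y0), (x1, y1) = before, after
    k_fell = x1 * y1 < x0 * y0
    ratio_moved = abs(x1 * y0 - x0 * y1) > tol * x0 * y0
    return k_fell and ratio_moved

def classify(action) -> bool:
    """Apply `action` to a fresh constructed pair and run the check on before/after."""
    pair = Pair(sfm=1_000_000, wbnb=1_000)
    before = pair.snapshot()
    action(pair)
    return one_sided_reserve_drop(before, pair.snapshot())

if __name__ == "__main__":
    print("swap flagged:      ", classify(lambda p: p.sell_sfm(10_000)))
    print("withdrawal flagged:", classify(lambda p: p.remove_liquidity(10)))
    print("pair burn flagged: ", classify(lambda p: p.burn_from_pair(990_000)))
```

In this model the same 10,000 SFM sells for 9 WBNB against the intact pool and for 500 WBNB once 990,000 SFM has been burned from the pair, which is the price effect PeckShield describes.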

© 2023 The Block. All Rights Reserved.