DeFi protocol SafeMoon has lost several million dollars' worth of crypto after a faulty smart contract upgrade.
In a March 28 tweet, SafeMoon alerted users to the fact that one of its liquidity pools had been compromised. Data from blockchain explorer BscScan shows that an attacker drained several crypto tokens, valued at around $9 million, from the liquidity pool.
SafeMoon CEO Johny Karony assured users that the vulnerability was limited to the project’s SFM:BNB liquidity pool, and its decentralized exchange (DEX) had not been impacted by the event.
Launched in March 2021, SafeMoon is a DeFi project built on the BNB Chain with four main token functions: fee reflection, LP acquisition, token burn and growth fund. SafeMoon’s tokenomics, which involve a 10% tax on every transaction, and its fairly large community following are why some users regard it as a “memecoin” project.
The recent exploit stemmed from a bug introduced in a software upgrade, which exposed a public burn function that an attacker was able to take advantage of. The attacker was able to remove SafeMoon’s native token SFM from the Wrapped BNB liquidity pool, which artificially raised the price of the token.
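To make the mechanism in that paragraph concrete, here is an added example (not SafeMoon's code, and not a reconstruction of its contract): a toy token ledger with an unrestricted burn beside an access-checked one, plus a constant-product pool whose spot price is recomputed after tokens are burned out of it. The account names, reserve figures and the exact shape of the vulnerable burn are assumptions; the point is the missing caller check and its effect on the pool price.

```python
# Added illustrative model (not SafeMoon's code). Shows why a burn
# function that lets any caller burn any holder's balance is dangerous
# when one of those holders is a liquidity pool, and what the fix looks like.
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    total_supply: int = 0
    owner: str = "deployer"  # assumed privileged account

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def burn_unrestricted(self, caller: str, holder: str, amount: int) -> None:
        # Vulnerable pattern (assumed simplification of "public burn function"):
        # the caller is never compared with the holder whose tokens are burned.
        self._burn(holder, amount)

    def burn_restricted(self, caller: str, holder: str, amount: int) -> None:
        # Hardened pattern: only the holder itself (or the owner) may burn.
        if caller != holder and caller != self.owner:
            raise PermissionError("caller may not burn another account's tokens")
        self._burn(holder, amount)

    def _burn(self, holder: str, amount: int) -> None:
        bal = self.balances.get(holder, 0)
        if amount > bal:
            raise ValueError("burn exceeds balance")
        self.balances[holder] = bal - amount
        self.total_supply -= amount


def spot_price(token: Token, pool: str, wbnb_reserve: int) -> Fraction:
    """Constant-product spot price of one token unit in WBNB (reserve ratio)."""
    return Fraction(wbnb_reserve, token.balances[pool])


def demo(restricted: bool):
    """Return (price_before, price_after, burn_succeeded) for one scenario."""
    token = Token()
    pool = "sfm-wbnb-pool"          # constructed pool address
    token.mint(pool, 1_000_000)     # constructed SFM reserve
    wbnb_reserve = 1_000            # constructed WBNB reserve
    before = spot_price(token, pool, wbnb_reserve)
    burn = token.burn_restricted if restricted else token.burn_unrestricted
    try:
        # An unrelated account tries to burn most of the pool's SFM balance.
        burn("unrelated-account", pool, 900_000)
    except PermissionError:
        return before, before, False
    after = spot_price(token, pool, wbnb_reserve)
    return before, after, True


if __name__ == "__main__":
    for restricted in (False, True):
        b, a, ok = demo(restricted)
        print(f"restricted={restricted}: burn ok={ok}, price {b} -> {a}")
```

With the unrestricted burn, removing 90% of the pool's SFM leaves the WBNB side untouched, so the quoted SFM price is ten times higher without any trade having happened; the restricted version rejects the same call and the price is unchanged. The check to look for in a token contract review is simply whether a burn (or any balance-reducing function) verifies that the caller is authorised over the balance it touches.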
Blockchain developer “MoonMark” described the event as an “extremely elementary exploit” that many contracts in the space have fallen victim to recently.
However, in an unexpected twist – something that is not entirely uncommon in crypto – the attacker of the contract appears to have been front-run by another user.
An upgrade on @safemoon contract introduced a burn vulnerability.
This upgrade was not within the scope of our audit.
Original attacker was front-run by EOA 0x286 who has reached out to the @safemoon deployer to return the ~$8m.
Stay vigilant! pic.twitter.com/F41vNL6kpK
— CertiK Alert (@CertiKAlert) March 29, 2023
Blockchain security firm CertiK highlighted a transaction from the front-runner who intercepted the hacker to the SafeMoon team, with an embedded message expressing their intent to return the funds.
“Let’s discuss the detail, please send a message from same address containing your email address, and contact us by email,” wrote the front-runner in a follow-up blockchain message to SafeMoon.