How Safemoon Got Burned by a Simple Exploit
Safemoon, the self-proclaimed “safest” cryptocurrency in the market, was just hacked for $8.9 million by an attacker who exploited a glaring vulnerability in its smart contract. The hack was so simple that it took me only two minutes to spot it. Here’s how it happened and what you can learn from it.
Turns out safemoon was neither safe nor moon pic.twitter.com/WnR8JuUXmz
— greg (@greg16676935420) March 29, 2023
The Burn Function
Safemoon’s smart contract has a public function called burn(), which allows anyone to destroy tokens from any address. This function is supposed to be used for reducing the total supply of Safemoon and increasing its scarcity. However, it also opens up a huge security hole that the hacker exploited.
#Safemoon was just hacked for $8.9M.
After two minutes looking at the newest Safemoon contract, I was able to identify the extremely obvious exploit.
The attacker took advantage of the public burn() function, this function let any user burn tokens from ANY other address (code… pic.twitter.com/bovlyVoq1i
— DeFi Mark (@MoonMark_) March 28, 2023
The burn() function takes two parameters: the address of the token holder and the amount of tokens to burn. For example, if I wanted to burn 100 Safemoon tokens from your address, I would call burn(your_address, 100). The function would then deduct 100 tokens from your balance and reduce the total supply by 100.
The Liquidity Pool
Safemoon has a liquidity pool (LP) on PancakeSwap, a decentralized exchange that allows users to swap Safemoon for WBNB (a wrapped version of Binance Coin) and vice versa. The LP consists of two tokens: Safemoon and WBNB. The ratio of these two tokens determines the price of Safemoon. For example, if there are 1 million Safemoon and 1000 WBNB in the LP, then the price of Safemoon is 0.001 WBNB.
The LP also has an address that holds the tokens in the pool. Anyone can add or remove liquidity from the pool by sending or receiving tokens from this address. Like any other holder, however, the LP address is exposed to the burn() function.
Safemoon Got Burned: The Hack
The hacker took advantage of the burn() function to remove Safemoon tokens from the LP address, artificially raising the price of Safemoon. For example, if the hacker burned 500,000 Safemoon from the LP address, then the price of Safemoon would increase to 0.002 WBNB.
The hacker then sold Safemoon into this LP at this inflated price within the same transaction, wiping out the remaining WBNB in the pool. For example, if the hacker sold 500,000 Safemoon at 0.002 WBNB each, he would receive 1000 WBNB from the pool.
The hacker repeated this process several times until he drained all the WBNB from the pool, leaving only Safemoon tokens behind. He then transferred his WBNB to another address and swapped them for other cryptocurrencies.
The Lesson
This hack is an extremely elementary exploit that many contracts in the space have been falling victim to. It shows how important it is to audit your smart contracts and avoid public functions that can be abused by malicious actors.
Please do not let any user burn tokens from any address; it is a bad idea, unless you want to see your project go up in flames like Safemoon did.
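The flawed burn beside an access-checked one, modelled in Python as an added example (this is not Safemoon's contract code): the `Token` class, `burn_unrestricted`, `burn_from` and the account names are assumptions, and the pool price is the simple WBNB/Safemoon ratio used above with the article's 1 million Safemoon and 1000 WBNB figures.

```python
from fractions import Fraction


class Token:
    """Minimal balance ledger (constructed model, not the real contract)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (holder, spender) -> amount the spender may use
        self.total_supply = sum(self.balances.values())

    def approve(self, holder, spender, amount):
        self.allowances[(holder, spender)] = amount

    def _burn(self, holder, amount):
        if self.balances.get(holder, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[holder] -= amount
        self.total_supply -= amount

    def burn_unrestricted(self, caller, holder, amount):
        # Flawed form described in the article: the caller is never checked.
        self._burn(holder, amount)

    def burn_from(self, caller, holder, amount):
        # Checked form: a holder burns its own tokens, or the caller
        # spends an allowance the holder granted beforehand.
        if caller != holder:
            allowed = self.allowances.get((holder, caller), 0)
            if allowed < amount:
                raise PermissionError("caller has no allowance from holder")
            self.allowances[(holder, caller)] = allowed - amount
        self._burn(holder, amount)


def pool_price(token, wbnb_reserve, lp="LP"):
    """Token price in WBNB as the WBNB/token ratio held by the LP address."""
    return Fraction(wbnb_reserve, token.balances[lp])


def demo():
    """Run both burn variants as an outsider against a fresh pool."""
    results = {}
    for name in ("burn_unrestricted", "burn_from"):
        token = Token({"LP": 1_000_000, "outsider": 0})
        before = pool_price(token, 1000)
        try:
            getattr(token, name)("outsider", "LP", 500_000)
            rejected = False
        except PermissionError:
            rejected = True
        results[name] = (before, pool_price(token, 1000), rejected)
    return results
```

With the caller check in place, the outsider's call is rejected and the LP balance, and therefore the price, stays where it was.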