
Analysts warn of SafeMoon DeFi bugs enabling $20m asset drain
During a security audit, HashEx researchers identified 12 vulnerabilities in the SafeMoon DeFi project’s smart contracts. The bugs detected could allow assets worth $20 million to be withdrawn and block transactions, analysts noted.
SafeMoon runs on Binance Smart Chain. For every transfer, the project charges a 10% fee, half of which is then distributed among token holders. One of SafeMoon’s main ideas is to incentivise users to hold the asset and dampen its volatility.
The project plans to issue a quadrillion tokens. Currently, according to CoinGecko, more than 583 trillion coins are in circulation. Since SafeMoon’s launch in March, its market capitalisation has surpassed $2 billion, and the number of investors has reached 2 million.
HashEx warned of potential risks for investors. Among the bugs identified by the researchers, two are critical and three pose a high risk.
According to the analysts, the SafeMoon smart contract is controlled by an external address whose balance stores liquidity pool tokens worth $20 million.
Earlier, Certik specialists spoke about this. In their audit, the experts identified 13 distinct bugs, but there was no discussion of critical vulnerabilities at the time. SafeMoon has not fixed any of the discovered bugs.
If the smart contract owner’s address is compromised, a so-called rug pull could happen at any moment, HashEx researchers say. The term denotes the practice of inflating the value of a token in the liquidity pool and then abruptly withdrawing the funds, leaving other pool participants with devalued assets.
SafeMoon said they are aware of the problem, but the team has ‘internal rules and procedures governing the contract’s operation to mitigate risks’.
HashEx also found that some of the vulnerabilities could leave certain users without rewards or distribute them to a specific wallet.
HashEx specialists note that attackers could exploit several bugs at once, creating a ‘chain perfectly suited for an attack’.
In SafeMoon’s response to the HashEx audit, the project said that solving many of the identified problems would require a hard fork.
Beyond the vulnerabilities, some users have other questions about the project. For example, it is often accused of running a Ponzi scheme.
Barstool Sports founder Dave Portnoy, who invested in SafeMoon, said that ‘this could be a Ponzi scheme.’ He also stressed that ‘nobody has any idea how this works’.
My shitcoin announcement. Invest at your own risk. I have no idea how this works pic.twitter.com/G1iW8iZTWG
— Dave Portnoy (@stoolpresidente) May 17, 2021
Popular cryptocurrency blogger Lark Davis compared SafeMoon to the controversial Bitconnect project.
Bitconnect was for a brief moment a top 10 #crypto, the people making money did not want to accept it was a ponzi, they made every excuse to justify it, and attacked anyone who stated the obvious.
Then it rug pulled and everyone lost big time. #safemoon is no different.
— Lark Davis (@TheCryptoLark) April 21, 2021
“The fact that you are making money from a Ponzi [scheme] does not change the fact that it is a Ponzi,” he wrote.
Despite the criticism, SafeMoon’s developers plan to develop the project further. According to the roadmap for the year, the company intends to release a SafeMoon app and wallet, launch its own exchange, expand the team, and open offices in the United Kingdom or Ireland.
Security is of paramount importance for DeFi projects, which are often targeted by hacks.
As reported in May, DeFi protocols Spartan, Rari Capital, xToken, bEarn Fi and PancakeBunny were affected by attacks.