
SafeMoon DEX loses about $9m in hack

An unknown actor compromised SafeMoon’s liquidity pool on the BNB Chain and withdrew assets worth about $9 million.

To our valued community,

As you may be aware, on Tuesday 28 March, SafeMoon’s Liquidity Pool was compromised. We have taken swift action to resolve the situation and protect our community. I want to make clear that our DEX is safe. This ultimately affected the SFM:BNB LP pool.…

— John Karony (@CptHodl) March 29, 2023

The platform’s CEO, John Karony, said the incident affected the SFM/BNB liquidity pair.

“We detected a suspected exploit, fixed the vulnerability and engaged an on-chain-forensics consultant to determine the exact nature and scope of the incident”, he noted.

Karony assured the community that the hack did not affect other pools or SafeMoon’s wallet, and that user funds are safe.

PeckShield experts suggested that the bug exploited by the hacker was introduced by a previous update to the burn function code. The vulnerability allowed the attacker to manipulate the price of SFM and, in a single transaction, withdraw wrapped BNB (WBNB) worth nearly $9 million from the contract, according to BscScan.

Hi @safemoon The upgrade, with the exploited public burn bug, was initiated by the official SafeMoon: Deployer. (Admin key leak?) And here comes the upgrade tx. https://t.co/ffAhm9qhgG https://t.co/KYEiYxMRII pic.twitter.com/9CQhseircP

— PeckShield Inc. (@peckshield) March 28, 2023

Several hours after the incident, an unknown actor sent a signed transaction to SafeMoon’s deployment address:

“Hey, relax, we accidentally front-ran the attack against you and would like to return the funds. Let’s set up a secure channel of communication and talk”.

Data: BscScan.

The exchange team began an on-chain messaging thread. The hacker proposed continuing communication via email.

Data: BscScan.

Earlier, on March 13, an unknown attacker hacked the DeFi protocol Euler Finance and withdrew assets worth $196 million, including 85,800 ETH.

However, on March 25 the hacker returned a large portion of the stolen funds to the project: more than 58,700 ETH. Three days later the hacker continued returning the stolen assets, sending Euler Finance 23,214 ETH and $10.7 million in the stablecoin DAI.
