As a result of the contract’s publicly available token burn function, attackers were able to manipulate the protocol, according to some sources.
On Wednesday, approximately $9 million worth of tokens were drained from the Safemoon token liquidity pool (LP) after attackers exploited a flaw in its smart contracts. In the early hours of Wednesday, many tokens were traded in a single transaction, with the attacker successfully taking billions of Safemoon’s SFM tokens locked on an LP.
A liquidity pool is a group of tokens locked in a smart contract. Liquidity pools facilitate decentralized transactions, lending, and borrowing without third parties. Prior to a minor recovery at the time of writing, Safemoon’s SFM tokens had dropped by almost 40 per cent in the early Asian hours.
Safemoon is a decentralized finance (DeFi) token with four functions that occur throughout each trade: fee reflection, LP acquisition, token burn, and growth fund – all of which contribute to Safemoon’s position as one of the top gainers in the 2021 bull market.
The developers of Safemoon announced on Wednesday that their liquidity pair (LP) had been compromised. “We regret to notify you that the integrity of our LP has been compromised,” the developers wrote. “We are taking swift action to rectify the issue as soon as possible.”
John Karony, the chief executive officer of Safemoon, stated in a subsequent tweet that the vulnerability affected a single LP on BNB Chain.
“I want to clarify that our DEX is safe. This ultimately impacted the SFM:BNB LP pool,” stated Karony. “We have found the suspected exploit, fixed the vulnerability, and are currently working with a chain forensics expert to determine the exact nature and scope of the exploit.”
To our valued community,
As you may be aware, on Tuesday 28 March, SafeMoon’s Liquidity Pool was compromised. We have taken swift action to resolve the situation and protect our community. I want to make clear that our DEX is safe. This ultimately affected the SFM:BNB LP pool.…
— John Karony (@CptHodl) March 29, 2023
Other developers attributed the issue to a flawed burn mechanism on Safemoon’s smart contracts.
“The attacker exploited the public burn function, which allowed ANY user to burn tokens from ANY other address (code attached),” tweeted Dappd CEO DeFi Mark.
“The attacker exploited this approach to steal SFM tokens from the Safemoon-WBNB Liquidity Pool, artificially inflating the price of SFM,” DeFi Mark explained, adding that this was a “quite elementary exploit” to which “many contracts in the space have fallen victim.”
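The access-control flaw DeFi Mark describes, modelled as an added example (not Safemoon's contract code and not part of the original article): a toy Python ledger with the unchecked burn beside a hardened one. The account names, the reserve figures and the assumption that the pool quotes SFM at its BNB reserve divided by its current SFM balance are constructed for illustration.

```python
# Added illustration: a toy ledger, not Safemoon's contract code.
from fractions import Fraction

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}              # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def burn_unchecked(self, caller, account, amount):
        """Flawed pattern from the article: caller is never compared to account."""
        if self.balances.get(account, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[account] -= amount

    def burn_checked(self, caller, account, amount):
        """Hardened: burn your own tokens, or spend an allowance the owner granted."""
        if self.balances.get(account, 0) < amount:
            raise ValueError("burn exceeds balance")
        if caller != account:
            allowed = self.allowances.get((account, caller), 0)
            if allowed < amount:
                raise PermissionError("caller lacks allowance to burn from account")
            self.allowances[(account, caller)] = allowed - amount
        self.balances[account] -= amount

def spot_price(bnb_reserve, token, pool="pool"):
    """BNB per SFM, assuming the pool prices from its current token balance."""
    return Fraction(bnb_reserve, token.balances[pool])

def demo():
    bnb = 1_000                                        # constructed reserve figures
    token = Token({"pool": 1_000_000, "outsider": 10})
    before = spot_price(bnb, token)
    try:
        token.burn_checked("outsider", "pool", 900_000)
        blocked = False
    except PermissionError:                            # hardened path refuses
        blocked = True
    unchanged = spot_price(bnb, token)
    token.burn_unchecked("outsider", "pool", 900_000)  # flawed path succeeds
    after = spot_price(bnb, token)                     # pool balance shrank, price rose
    return before, unchanged, after, blocked

if __name__ == "__main__":
    print(demo())
```

When auditing a token contract, the check to look for is the one `burn_checked` performs: any function that reduces another address's balance must compare the caller with that address or consume an allowance.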