Safemoon LP Drained of $9M in Smart Contract Attack

Liquidity pool (LP) Safemoon lost $8.9 million worth of tokens on March 29 after hackers were able to manipulate a faulty smart contract feature, CoinDesk reported. According to blockchain data, a number of tokens were swapped early Wednesday morning in a single transaction. The hackers stole a huge volume of Safemoon’s native SFM tokens.

SFM-BNB pair was compromised

Safemoon’s tokens lost more than 40% immediately after the attack, then made a slight recovery. Pool developers tweeted that the liquidity pair SFM:BNB had been compromised. They added they were taking rapid action to try and solve the problem as soon as possible.

Soon thereafter, Safemoon CEO John Karony tweeted that the attack only involved one LP on BNB Chain:

I want to make clear that our DEX is safe. We have located the suspected exploit, patched the vulnerability, and are engaging a chain forensics consultant to determine the precise nature and extent of the exploit.

What is a liquidity pool?

A liquidity pool is a collection of crypto assets locked in a smart contract. These pools enable decentralized lending, borrowing, and trading directly between users without needing to use intermediaries.

Safemoon was one of the biggest winners in 2021’s spectacular crypto bull market. This is partly thanks to the DeFi token’s four features, which can be observed during each trade: LP acquisition, fee reflection, fund growth, and token burn.

Faulty burn feature

However, it was precisely the last feature that turned out to be faulty according to experts. Dappd CEO DeFi Mark tweeted:

The attacker took advantage of the public burn function, which lets any user burn tokens from any other address.

He added that the hacker or hackers had manipulated this function to move SFM tokens out of the Safemoon-WBNB LP, which resulted in an artificial increase of SFM’s price. In his opinion, many smart contracts have suffered this exploit despite it being “extremely elementary.”