A publicly available token burn function in the contract allowed attackers to manipulate the protocol, some said.
The Safemoon token liquidity pool (LP) was drained of nearly $9 million worth of tokens on Wednesday after attackers manipulated a faulty feature on its smart contracts.
Blockchain data shows several tokens were exchanged in the wee hours on Wednesday in a single transaction, with the attacker ultimately stealing billions of Safemoon’s SFM tokens locked in an LP.
A liquidity pool is a basket of tokens locked in a smart contract. Liquidity pools are used to facilitate decentralized trading, lending, and borrowing between users without relying on third parties.
Safemoon’s SFM tokens fell over 40% in early Asian hours before recovering slightly by the time of writing.
Safemoon is a decentralized finance (DeFi) token with four functions that take place during each trade: fee reflection, LP acquisition, token burn and growth fund. These factors contributed to making Safemoon one of the biggest gainers in the 2021 bull market.
Safemoon developers said Wednesday their liquidity pair (LP) had been compromised. “We want to inform you that our LP has been compromised. We are taking swift action in an attempt to resolve the issue as soon as possible,” developers tweeted.
Safemoon CEO John Karony said in a follow-up tweet the exploit was related to a single LP on BNB Chain.
“I want to make clear that our DEX is safe. This ultimately affected the SFM:BNB LP pool,” Karony said. “We have located the suspected exploit, patched the vulnerability, and are engaging a chain forensics consultant to determine the precise nature and extent of the exploit.”
Some developers pointed to a faulty burn feature in Safemoon’s smart contracts as a key reason behind the exploit.
“The attacker took advantage of the public burn function, this function let any user burn tokens from ANY other address (code attached),” Dappd CEO DeFi Mark posted on Twitter.
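The access-control flaw described above, shown as an added example that is not Safemoon's contract code or part of the original article: a small Python model of a token ledger with an unrestricted burn beside a hardened burn that requires the caller to own the tokens or hold an allowance. The class, method and account names and the balances are constructed for illustration.

```python
class Unauthorized(Exception):
    """Raised when a caller tries to burn tokens it has no right to."""


class Token:
    """Minimal in-memory token ledger (constructed model, not Safemoon's contract)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(self.balances.values())
        self.allowances = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def _burn(self, account, amount):
        if amount < 0 or self.balances.get(account, 0) < amount:
            raise ValueError("burn amount exceeds balance")
        self.balances[account] -= amount
        self.total_supply -= amount

    def burn_unrestricted(self, caller, account, amount):
        # Flawed pattern described above: `caller` is never checked,
        # so any address can destroy the balance of any other address.
        self._burn(account, amount)

    def burn_checked(self, caller, account, amount):
        # Hardened pattern: callers burn their own tokens, or spend an
        # allowance that the owner granted them explicitly.
        if caller != account:
            allowed = self.allowances.get((account, caller), 0)
            if allowed < amount:
                raise Unauthorized(f"{caller} may not burn from {account}")
            self.allowances[(account, caller)] = allowed - amount
        self._burn(account, amount)


def pool_balance_after(burn_method_name):
    """Have 'outsider' try to burn 900 of the pool's 1000 tokens; return what is left."""
    token = Token({"pool": 1000, "outsider": 10})  # constructed sample balances
    try:
        getattr(token, burn_method_name)("outsider", "pool", 900)
    except Unauthorized:
        pass  # the hardened path rejects the call and the ledger is untouched
    return token.balances["pool"]


if __name__ == "__main__":
    print("unrestricted:", pool_balance_after("burn_unrestricted"))
    print("checked:     ", pool_balance_after("burn_checked"))
```

When auditing a token contract, the same check applies to every externally callable function that reduces a balance: it should derive the affected account from the caller or consume an allowance.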