Yahoo Finance Safemoon LP Exploited for $8.9M; SFM Tokens Remain ‘Safe,' CEO Says
Join the most important conversation in crypto and web3! Secure your seat today
The Safemoon token liquidity pool (LP) was drained of nearly $9 million worth of tokens on Wednesday after attackers manipulated a faulty feature on its smart contracts.
Blockchain data shows several tokens were exchanged in the wee hours on Wednesday in a single transaction, with the attacker ultimately stealing billions of Safemoon’s SFM tokens locked on an LP.
A liquidity pool is a basket of tokens locked in a smart contract. Liquidity pools are used to facilitate decentralized trading, lending, and borrowing between users without relying on third parties.
Safemoon’s SFM tokens fell over 40% in early Asian hours before slightly recovering at writing time.
Safemoon is a decentralized finance (DeFi) token that has four functions that take place during each trade: fee reflection, LP acquisition, token burn and growth fund – with these factors contributing to making safemoon one of the biggest gainers in the 2021 bull market.
Safemoon developers said Wednesday their liquidity pool had been compromised. “We want to inform you that our LP has been compromised. We are taking swift action in an attempt to resolve the issue as soon as possible,” developers tweeted.
Safemoon CEO John Karony said in a followup tweet the exploit was related to a single LP on BNB Chain.
“I want to make clear that our DEX is safe. This ultimately affected the SFM:BNB LP pool,” Karony said. “We have located the suspected exploit, patched the vulnerability, and are engaging a chain forensics consultant to determine the precise nature and extent of the exploit.”
To our valued community,
As you may be aware, on Tuesday 28 March, SafeMoon’s Liquidity Pool was compromised. We have taken swift action to resolve the situation and protect our community. I want to make clear that our DEX is safe. This ultimately affected the SFM:BNB LP pool.…— John Karony (@CptHodl) March 29, 2023
Some developers pointed to a faulty burn feature on Safemoon’s smart contracts as a key reason behind the exploit.
“The attacker took advantage of the public burn function, this function let any user burn tokens from ANY other address (code attached),” Dappd CEO DeFi Mark posted on Twitter.
“The attacker used this function to remove SFM tokens from the Safemoon-WBNB Liquidity Pool, artificially raising the price of SFM,” DeFi Mark noted, adding this was an “extremely elementary exploit that many contracts in the space have been falling victim to.”
