Zellic Blog

SafeMoon Exploit Explained

The SafeMoon liquidity pool exploit explained in simple terms.

Earlier this morning, SafeMoon's Liquidity Pool was compromised and USD 8.9M worth of tokens were withdrawn. After looking at the transaction trace and the recent contract changes, we can tell you what happened:


In https://bscscan.com/tx/0xcb8573807b1db40215840f690eeba6af6ec8fcc5a98eb5d545d40f7f775b0d1b the SafeMoon token was updated to include 4 new functions:

function setBridgeBurnAddress(address _burn) public onlyOwner {
	bridgeBurnAddress = _burn;
}

function setWhitelistBurn(address _wl) public onlyOwner {
	whitelistMint[_wl] = true;
}

function mint(address user, uint256 amount) public onlyWhitelistMint {
	// moves `amount` from the bridge burn address to `user`
	_tokenTransfer(bridgeBurnAddress, user, amount, 0, false);
}

function burn(uint256 amount) public {
	// this first version only burns from the caller
	_tokenTransfer(msg.sender, bridgeBurnAddress, amount, 0, false);
}

It was then updated again in https://bscscan.com/tx/0x3307500ebaf50fb72c82a62829c8a0b20d8a076e9beae1ff97d87ba32843e219 to allow burning tokens from anyone instead of the sender.

It was then updated once more in https://bscscan.com/tx/0x71273e731752457892f73d2ad8b89060bd4f0bf131ed403d5dfc149319c1c01d to invert the onlyWhitelistMint modifier.

The Result

So for over a day it was possible for anyone to call the mint function and transfer an arbitrary amount of tokens from the bridge burn address (which was the SafeMoon deployer).

Once the mint function was fixed, that just left the public burn function, which was later exploited.

The attack was fairly trivial:

  1. Flashloan 1000 WBNB
  2. Swap 1000 WBNB for SFM
  3. Burn almost all of the SFM from the Uniswap pair
  4. Burn all the tokens from the SafeMoon contract (to ensure it does not call collectBNB)
  5. Call sync on the Uniswap pair to update the reserves
  6. Swap the SFM back to WBNB at a hugely inflated rate
  7. Repay the flashloan
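To show why a burn that can be aimed at the pair's own balance turns steps 3 to 6 into a drain, here is an added, fee-less constant-product model of the SFM/WBNB pair with the off-chain reserve check a defender could run; it is not code from the Zellic write-up or the linked PoC, and the pool sizes, function names and the fee-less simplification are assumptions.

```python
# Fee-less constant-product (x * y = k) model of the SFM/WBNB pair, integers only.
# Assumption: real pairs charge a small swap fee, which does not change the outcome.

class Pair:
    """balance_* is what the token contract says the pair holds; reserve_* is the
    pair's cached view, used for pricing, that only moves on sync()."""
    def __init__(self, sfm, wbnb):
        self.balance_sfm, self.balance_wbnb = sfm, wbnb
        self.reserve_sfm, self.reserve_wbnb = sfm, wbnb

    @staticmethod
    def amount_out(amount_in, reserve_in, reserve_out):
        return amount_in * reserve_out // (reserve_in + amount_in)  # y*dx/(x+dx)

    def sync(self):
        # Uniswap v2-style sync(): overwrite cached reserves with live balances.
        self.reserve_sfm, self.reserve_wbnb = self.balance_sfm, self.balance_wbnb

    def swap_wbnb_for_sfm(self, wbnb_in):
        out = self.amount_out(wbnb_in, self.reserve_wbnb, self.reserve_sfm)
        self.balance_wbnb += wbnb_in
        self.balance_sfm -= out
        self.sync()
        return out

    def swap_sfm_for_wbnb(self, sfm_in):
        out = self.amount_out(sfm_in, self.reserve_sfm, self.reserve_wbnb)
        self.balance_sfm += sfm_in
        self.balance_wbnb -= out
        self.sync()
        return out

def burn_from_pair(pair, amount):
    """burn(address, uint256) aimed at the pair: the token's balance for the pair
    shrinks, but the pair's cached reserves stay stale until sync() is called."""
    pair.balance_sfm -= amount

def reserves_out_of_sync(pair):
    """Off-chain monitoring check: the token reports fewer SFM than the pair's
    cached reserve. Fires on honest skims too, so treat it as a signal to inspect."""
    return pair.balance_sfm < pair.reserve_sfm

def round_trip(pool_sfm, pool_wbnb, wbnb_in, burn_bps):
    """WBNB recovered by swapping wbnb_in -> SFM -> WBNB after burn_bps/10000 of
    the pair's SFM balance is destroyed from under it (0 = honest round trip)."""
    pair = Pair(pool_sfm, pool_wbnb)
    sfm = pair.swap_wbnb_for_sfm(wbnb_in)
    burn_from_pair(pair, pair.balance_sfm * burn_bps // 10_000)
    pair.sync()  # step 5 of the write-up: re-price the pool on the reduced balance
    return pair.swap_sfm_for_wbnb(sfm)
```

With a 1,000,000 SFM / 1,000 WBNB pool, an honest 1,000 WBNB round trip returns exactly 1,000 WBNB, while destroying 99% of the pair's SFM between the two swaps returns 1,980 of the 2,000 WBNB the pool then holds.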


Luckily it seems that the exploit was front-run by someone willing to return the funds: https://bscscan.com/tx/0xf98a8b7e3ffee676f06f0c037141483ec2c9cf8753a57fbcdbd718590e4d77ff

See the full POC over at https://github.com/Zellic/poc-hacks/blob/main/SafeMoon/test/Safemoon.t.sol

About Us

Zellic is a smart contract auditing firm founded by hackers, for hackers. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants. Whether you’re developing or deploying smart contracts, Zellic’s experienced team can prevent you from being hacked.

Contact us for an audit that’s better than the rest. Real audits, not rubber stamps.

If you think you’d be a good fit to work at Zellic, we’re hiring!
