Zellic Blog
Hacks

SafeMoon Exploit Explained

The SafeMoon liquidity pool exploit explained in simple terms.

William Bowling (@wcbowling)
3/29/2023

Earlier this morning, SafeMoon's Liquidity Pool was compromised and USD 8.9M worth of tokens were withdrawn. After looking at the transaction trace and the recent contract changes, we can tell you what happened:

Overview

In https://bscscan.com/tx/0xcb8573807b1db40215840f690eeba6af6ec8fcc5a98eb5d545d40f7f775b0d1b the SafeMoon token was updated to include 4 new functions:

function setBridgeBurnAddress(address _burn) public onlyOwner {
	bridgeBurnAddress = _burn;
}

function setWhitelistBurn(address _wl) public onlyOwner {
	whitelistMint[_wl] = true;
}

function mint(address user, uint256 amount) public onlyWhitelistMint {
	_tokenTransfer(bridgeBurnAddress, user, amount, 0, false);
}

function burn(uint256 amount) public {
	_tokenTransfer(msg.sender, bridgeBurnAddress, amount, @, false);
}

It was then updated again in https://bscscan.com/tx/0x3307500ebaf50fb72c82a62829c8a0b20d8a076e9beae1ff97d87ba32843e219 to allow burning tokens from anyone instead of the sender.

It was then updated once more in https://bscscan.com/tx/0x71273e731752457892f73d2ad8b89060bd4f0bf131ed403d5dfc149319c1c01d to invert the onlyWhitelistMint modifier.

The Result

So for over a day it was possible for anyone to call the mint function and transfer an arbitrary amount of tokens from the bridge burn address (which was the SafeMoon deployer).

Once the mint function was fixed, that just left the public burn function which was later exploited:

The attack was fairly trivial:

  1. Flashloan 1000 WBNB
  2. Swap 1000 WBNB for SFM
  3. Burn almost all of the SFM from the Uniswap pair
  4. Burn all the tokens from Safemoon contract (to ensure it does not call collectBNB)
  5. Call sync on the Uniswap pair to update the reservers
  6. Swap the SFM for back to WBNB at a hugely inflated rate
  7. Repay the flashloan

Conclusion

Luckily it seems that the exploit was front-run by someone willing to return the funds: https://bscscan.com/tx/0xf98a8b7e3ffee676f06f0c037141483ec2c9cf8753a57fbcdbd718590e4d77ff

See the full POC over at https://github.com/Zellic/poc-hacks/blob/main/SafeMoon/test/Safemoon.t.sol

About Us

Zellic is a smart contract auditing firm founded by hackers, for hackers. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants. Whether you’re developing or deploying smart contracts, Zellic’s experienced team can prevent you from being hacked.

Contact us for an audit that’s better than the rest. Real audits, not rubber stamps.

If you think you’d be a good fit to work at Zellic, we’re hiring!

Share this post on Twitter

Table of ContentS

More to discover

October 7, 2022

Binance Bridge Hack in Layman's Terms

The Binance Bridge Hack explained in simple terms

Right Arrow
March 14, 2023

Euler Finance Exploit Analysis

How a single exploit transaction generated 110 million USD

Right Arrow
November 15, 2022

You Could Have Found the Nomad Hack

Tracking unaudited code can reveal latent, deadly bugs, including the one used to hack Nomad

Right Arrow
August 9, 2022

TradFi, Meet DeFi: Breaking Down the Economics of DeFi Hacks

A framework for DeFi developers and auditors to identify deadly economic flaws

Right Arrow
More from Zellic

Other tags

ZK
Cosmos
News
Hacks
Auditing
DeFi
Solana
Move
Ethereum
Zellic logo
Blog
Reports
Careers
Contact