On the morning of March 29th, 2023, SafeMoon’s Liquidity Pool was compromised and USD 8.9M worth of tokens were withdrawn. After looking at the transaction trace and the recent contract changes, we can tell you what happened:
Overview
In BSC transaction 0xcb8573807b1db40215840f690eeba6af6ec8fcc5a98eb5d545d40f7f775b0d1b, the SafeMoon token was updated to include 4 new functions:
    // Owner sets the address that mints draw from and burns send to.
    function setBridgeBurnAddress(address _burn) public onlyOwner {
        bridgeBurnAddress = _burn;
    }
    // Owner adds an address to the mint whitelist.
    function setWhitelistBurn(address _wl) public onlyOwner {
        whitelistMint[_wl] = true;
    }
    // Transfers tokens out of bridgeBurnAddress to `user`; gated by onlyWhitelistMint.
    function mint(address user, uint256 amount) public onlyWhitelistMint {
        _tokenTransfer(bridgeBurnAddress, user, amount, 0, false);
    }
    // Transfers the caller's tokens to bridgeBurnAddress.
    function burn(uint256 amount) public {
        _tokenTransfer(msg.sender, bridgeBurnAddress, amount, 0, false);
    }
It was then updated again in transaction 0x3307500ebaf50fb72c82a62829c8a0b20d8a076e9beae1ff97d87ba32843e219 to allow burning tokens from anyone instead of the sender.
It was then updated once more in transaction 0x71273e731752457892f73d2ad8b89060bd4f0bf131ed403d5dfc149319c1c01d to invert the onlyWhitelistMint modifier.
The Result
So for over a day it was possible for anyone to call the mint function and transfer an arbitrary amount of tokens from the bridge burn address (which was the SafeMoon deployer).
Once the mint function was fixed, that just left the public burn function which was later exploited:
The attack was fairly trivial:
- Flashloan 1000 WBNB
- Swap 1000 WBNB for SFM
- Burn almost all of the SFM from the Uniswap pair
- Burn all the tokens from the SafeMoon contract (to ensure it does not call collectBNB)
- Call sync on the Uniswap pair to update the reserves
- Swap the SFM back for WBNB at a hugely inflated rate
- Repay the flashloan
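The two access-control mistakes described above (an inverted modifier and a burn that takes its victim as a parameter) are shown below next to checked forms. This is an added illustration, not SafeMoon's or Zellic's code; the contract name, the `burn(address, uint256)` signature for the second update, and the `_tokenTransfer` / `_spendAllowance` hooks are assumptions.

```solidity
// Added example (not SafeMoon's code). Names and signatures are assumed.
pragma solidity ^0.8.0;

abstract contract BurnAccessControl {
    mapping(address => bool) public whitelistMint;
    address public bridgeBurnAddress;

    // Correct form: revert unless the caller is whitelisted.
    // The inverted form, require(!whitelistMint[msg.sender]), admits
    // every address except the whitelisted ones.
    modifier onlyWhitelistMint() {
        require(whitelistMint[msg.sender], "not whitelisted");
        _;
    }

    // Token-movement and allowance hooks, supplied by the concrete token (assumed).
    function _tokenTransfer(address from, address to, uint256 amount) internal virtual;
    function _spendAllowance(address owner, address spender, uint256 amount) internal virtual;

    // Vulnerable pattern, as the text describes the second update (assumed signature):
    // any caller can burn any holder's balance, including a DEX pair's reserves.
    //
    // function burn(address from, uint256 amount) public {
    //     _tokenTransfer(from, bridgeBurnAddress, amount);
    // }

    // Safe: a holder can only burn their own tokens.
    function burn(uint256 amount) public {
        _tokenTransfer(msg.sender, bridgeBurnAddress, amount);
    }

    // Safe: burning another account's tokens requires a prior ERC-20 approval,
    // which _spendAllowance checks and decrements before the transfer.
    function burnFrom(address from, uint256 amount) public {
        _spendAllowance(from, msg.sender, amount);
        _tokenTransfer(from, bridgeBurnAddress, amount);
    }

    // Mint remains restricted to whitelisted callers by the corrected modifier.
    function mint(address user, uint256 amount) public onlyWhitelistMint {
        _tokenTransfer(bridgeBurnAddress, user, amount);
    }
}
```

A review of an upgrade like the ones above should diff every modifier and every function whose `from` argument is no longer `msg.sender`, since either change alone was enough here to let an unprivileged caller move other holders' balances.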
Conclusion
Luckily it seems that the exploit was front-run by someone willing to return the funds: Transaction 0xf98a8b7e3ffee676f06f0c037141483ec2c9cf8753a57fbcdbd718590e4d77ff
See the full POC over at github/Zellic/poc-hacks/SafeMoon/test/Safemoon.t.sol
About Us
Zellic specializes in securing emerging technologies. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants.
Developers, founders, and investors trust our security assessments to ship quickly, confidently, and without critical vulnerabilities. With our background in real-world offensive security research, we find what others miss.
Contact us↗ for an audit that’s better than the rest. Real audits, not rubber stamps.