Skip to main content
Table of contents
William Bowling

SafeMoon Exploit Explained

The SafeMoon liquidity pool exploit explained in simple terms
Article heading

On the morning of March 29th, 2023, SafeMoon’s Liquidity Pool was compromised and USD 8.9M worth of tokens were withdrawn. After looking at the transaction trace and the recent contract changes, we can tell you what happened:


In BSC transaction 0xcb8573807b1db40215840f690eeba6af6ec8fcc5a98eb5d545d40f7f775b0d1b , the SafeMoon token was updated to include 4 new functions:

function setBridgeBurnAddress(address _burn) public onlyOwner {
bridgeBurnAddress = _burn;

function setWhitelistBurn(address _wl) public onlyOwner {
whitelistMint[_wl] = true;

function mint(address user, uint256 amount) public onlyWhitelistMint {
_tokenTransfer(bridgeBurnAddress, user, amount, 0, false);

function burn(uint256 amount) public {
_tokenTransfer(msg.sender, bridgeBurnAddress, amount, @, false);

It was then updated again in transaction 0x3307500ebaf50fb72c82a62829c8a0b20d8a076e9beae1ff97d87ba32843e219 to allow burning tokens from anyone instead of the sender.

It was then updated once more in transaction 0x71273e731752457892f73d2ad8b89060bd4f0bf131ed403d5dfc149319c1c01d to invert the onlyWhitelistMint modifier.

The Result

So for over a day it was possible for anyone to call the mint function and transfer an arbitrary amount of tokens from the bridge burn address (which was the SafeMoon deployer).

Once the mint function was fixed, that just left the public burn function which was later exploited:

The attack was fairly trivial:

  1. Flashloan 1000 WBNB
  2. Swap 1000 WBNB for SFM
  3. Burn almost all of the SFM from the Uniswap pair
  4. Burn all the tokens from Safemoon contract (to ensure it does not call collectBNB)
  5. Call sync on the Uniswap pair to update the reservers
  6. Swap the SFM for back to WBNB at a hugely inflated rate
  7. Repay the flashloan


Luckily it seems that the exploit was front-run by someone willing to return the funds: Transaction 0xf98a8b7e3ffee676f06f0c037141483ec2c9cf8753a57fbcdbd718590e4d77ff

See the full POC over at github/Zellic/poc-hacks/SafeMoon/test/Safemoon.t.sol

About Us

Zellic specializes in securing emerging technologies. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants.

Developers, founders, and investors trust our security assessments to ship quickly, confidently, and without critical vulnerabilities. With our background in real-world offensive security research, we find what others miss.

Contact us for an audit that’s better than the rest. Real audits, not rubber stamps.