What happens when a hacker gets front run?
Just three hours after SafeMoon upgraded its smart contracts, an exploiter identified and leveraged a bug in the code that led to the loss of roughly $8.9 million from the memecoin’s liquidity pool.
In a unique turn of events, however, the exploiter that initially leveraged the vulnerability was then quickly front run by another address.
The front runner then sent a message to SafeMoon’s deployer contract to open negotiations: “Hey relax, we are accidentally front run an attack against you, we would like to return the fund, setup secure communication channel, let’s talk.”
The front runner now holds closer to $8.66 million in a separate wallet.
Front running is when a crypto address identifies a pending lucrative trade or transaction on the blockchain, such as this exploit, and then pays a very high gas fee to get the same trade or transaction executed before the original.
The front runner later wrote in a transaction to SafeMoon, “Let’s discuss the detail, please send a message from same address containing your email address, and contact us by email: [REDACTED].”
SafeMoon did not immediately respond to Decrypt’s request for comment.
Unpacking the SafeMoon bug
Though it would appear the front runner wants to return the funds to the SafeMoon team, the real concern is how the exploit managed to find its way into the smart contract.
“A public mint bug means the hacker can call the function to burn the liquidity in the pool and then swap for the remaining WBNB,” a spokesperson from PeckShield told Decrypt via Telegram. WBNB is a wrapped version of Binance’s native exchange token BNB, which makes it easier to interact with native BNB Chain applications.
“The hacker basically buys SFM [SafeMoon] at the beginning, next exploits the public mint bug to increase the SFM price, and then sells SFM with the profit >$8.9m,” the spokesperson said.
“It is a trivial bug, really nothing fancy. […] And it should not be present in the upgrade at all,” the PeckShield spokesperson said. “[It is] likely this upgrade is not audited.”
One Twitter user claimed they were able to identify the exploit after two minutes of reviewing SafeMoon’s smart contract.
#Safemoon was just hacked for $8.9M.
After two minutes looking at the newest Safemoon contract, I was able to identify the extremely obvious exploit.
The attacker took advantage of the public burn() function, this function let any user burn tokens from ANY other address (code… pic.twitter.com/bovlyVoq1i
— DeFi Mark (@MoonMark_) March 28, 2023
“The specific bug’s root cause was the lack of proper access control to a function which should be for privileged usage only,” Gonçalo Magalhães, smart contract engineer at Immunefi, told Decrypt. “This is a common security vulnerability which is usually caught at the auditing phase of a smart contract.”
This means that people who had their tokens in a liquidity pool (WBNB-SFM) were at risk of losing their tokens. One Twitter user claims they lost 4 million SFM, or roughly $800 at press time.
4m #SafeMoon have been liquidated from my wallet and sent to the Deployer.
— 🌑 DANOLOGY 🌑 (@Danology10) March 28, 2023
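The missing access control that Immunefi describes, and the price effect that PeckShield describes, can be seen in a toy model. This Python sketch is an added example, not SafeMoon's contract code; the fee-free constant-product pricing, the address names ("deployer", "outsider", "pool") and all balances are assumptions constructed for illustration.

```python
# Added illustration: a toy model, not SafeMoon's contract code.
# Assumptions: constant-product pricing without fees; names and balances are constructed.

class Token:
    def __init__(self, guarded, owner="deployer"):
        self.guarded = guarded      # True: burn() enforces access control
        self.owner = owner          # hypothetical privileged address
        self.balances = {}

    def burn(self, caller, holder, amount):
        # Unguarded form: any caller can burn any holder's balance.
        # Guarded form: the function is restricted to the privileged address.
        if self.guarded and caller != self.owner:
            raise PermissionError("burn: caller is not privileged")
        if amount > self.balances.get(holder, 0):
            raise ValueError("burn: amount exceeds balance")
        self.balances[holder] -= amount


class Pool:
    """WBNB-SFM pool that prices from its current balances (x * y = k)."""

    def __init__(self, token, sfm, wbnb):
        self.token, self.wbnb = token, wbnb
        token.balances["pool"] = sfm

    def quote_sell(self, sfm_in):
        # WBNB paid out for selling sfm_in SFM into the pool (integer units).
        sfm_reserve = self.token.balances["pool"]
        return self.wbnb * sfm_in // (sfm_reserve + sfm_in)


def simulate(guarded):
    """Return (burn_blocked, quote_before, quote_after) for a third-party burn."""
    token = Token(guarded)
    pool = Pool(token, sfm=1_000_000, wbnb=1_000_000)
    before = pool.quote_sell(10_000)
    try:
        token.burn(caller="outsider", holder="pool", amount=990_000)
        blocked = False
    except PermissionError:
        blocked = True
    return blocked, before, pool.quote_sell(10_000)


if __name__ == "__main__":
    print("unguarded:", simulate(False))   # pool's SFM shrinks, quote jumps
    print("guarded:  ", simulate(True))    # call rejected, quote unchanged
```

With the check in place the pool's SFM balance, and therefore the quoted price, cannot be moved by an unprivileged caller.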
As for the SafeMoon team, its CEO John Karony said that they hired a chain forensics consultant who located the issue and has reportedly resolved it.
“Users should be assured that their tokens remain safe. Because we have flexibility in our tech, we have faith that we will be able to bring this matter to resolution,” he said.
Source: https://decrypt.co/124826/meme-coin-project-safemoon-rekt-for-9m-due-public-mint-bug