What happens when a hacker gets front run?
Just three hours after SafeMoon upgraded its smart contracts, an exploiter identified and leveraged a bug in the code that led to the loss of roughly $8.9 million from the memecoin’s liquidity pool.
In a unique turn of events, however, the exploiter that initially leveraged the vulnerability was then quickly front run by another address.
The front runner then sent a message to SafeMoon’s deployer contract to open negotiations: "Hey relax, we are accidentally front run an attack against you, we would like to return the fund, setup secure communication channel, let's talk."
The front runner now holds closer to $8.66 million in a separate wallet.
Front running is when a crypto address identifies a pending lucrative trade or transaction on the blockchain, such as this exploit, and then pays a very high gas fee to get the same trade or transaction executed before the original.
The front runner later wrote in a transaction to SafeMoon, "Let's discuss the detail, please send a message from same address containing your email address, and contact us by email: [REDACTED]."
In a statement, the SafeMoon team shared with Decrypt that the team has "continued to work with partners to swiftly rectify the situation and to gain a complete understanding of the exploit," adding that it "will be reintroducing liquidity to our LP as soon as is practical, but some account features may be limited during this period."
Unpacking the SafeMoon bug
Though it would appear the front runner wants to return the funds to the SafeMoon team, the real concern is how the exploit managed to find its way into the smart contract.
"A public burn bug means the hacker can call the function to burn the liquidity in the pool and then swap for the remaining WBNB," a spokesperson from PeckShield told Decrypt via Telegram. WBNB is a wrapped version of Binance’s native exchange token BNB, which makes it easier to interact with native BNB Chain applications.
"The hacker basically buys SFM [SafeMoon] at the beginning, next exploits the public mint bug to increase the SFM price, and then sells SFM with the profit >$8.9m," the spokesperson said.
"It is a trivial bug, really nothing fancy. [...] And it should not be present in the upgrade at all," the PeckShield spokesperson said, "[it is] likely this upgrade is not audited."
One Twitter user claimed they were able to identify the exploit after two minutes of reviewing SafeMoon's smart contract.
#Safemoon was just hacked for $8.9M.
After two minutes looking at the newest Safemoon contract, I was able to identify the extremely obvious exploit.
The attacker took advantage of the public burn() function, this function let any user burn tokens from ANY other address (code… pic.twitter.com/bovlyVoq1i
— DeFi Mark (@MoonMark_) March 28, 2023
"The specific bug’s root cause was the lack of proper access control to a function which should be for privileged usage only," Gonçalo Magalhães, smart contract engineer at Immunefi, told Decrypt. "This is a common security vulnerability which is usually caught at the auditing phase of a smart contract."
This means that people who had their tokens in a liquidity pool (WBNB-SFM) were at risk of losing their tokens. One Twitter user claims they lost 4 million SFM, or roughly $800 at press time.
4m #SafeMoon have been liquidated from my wallet and sent to the Deployer.
— 🌑 DANOLOGY 🌑 (@Danology10) March 28, 2023
As for the SafeMoon team, its CEO John Karony said that they hired a chain forensics consultant who located the issue and has reportedly resolved it.
In a statement shared with Decrypt, the CEO added that the SafeMoon team is conducting a "thorough investigation" and "will bounce back stronger."
Editor's note: This article was updated on March 29, 2023, at 12 pm ET to reflect that the bug in question was a public burn bug rather than a public mint bug.