DeFi hackers hit BNB Chain-based meme coin launchpad Four.Meme Tuesday morning, forcing the suspension of its token liquidity pool on PancakeSwap.
The attack was initially flagged by blockchain security firm SlowMist, which revealed the Four.Meme exploit was carried out using a vulnerability in the platform’s smart contract.
🚨SlowMist Security Alert🚨
The attacker purchased a small amount of tokens before launch through the 0x7f79f6df function of @four_meme_, and used this feature to send tokens to a specified PancakeSwap Pair address that had not yet been created.
The attacker exploited a critical flaw in Four.Meme’s liquidity mechanism that enabled them to “bypass transfer restrictions and manipulate liquidity pool pricing,” smart contract audit firm QuillAudits told Decrypt.
This marks the second attack on Four.Meme in the last two months; the previous one saw $183,000 stolen through a different vulnerability that allowed a bad actor to manipulate liquidity on PancakeSwap.
How the exploit worked
On this occasion, the attacker first acquired a small amount of Four.Meme tokens before the official launch using the “0x7f79f6df” function.
“Instead of holding or transferring them traditionally, they sent the tokens to a non-existent PancakeSwap Pair address,” QuillAudits' report said.
Like many decentralized exchanges, PancakeSwap, which recently saw a surge in popularity, needs a special address (called a pair address) to match up the two tokens in a trading pair (for example, Four.Meme tokens and BNB).
Normally, this address is created when the tokens are launched and traded.
In this case, the attacker sent the tokens to an address that didn't exist yet—meaning the pair for the Four.Meme token on PancakeSwap hadn't been created.
Since the pair address didn’t yet exist, the attacker was able to create it themselves. By doing so, the attacker was able to add liquidity (tokens for trading) at an incorrect price, which let them manipulate the system and steal funds from the liquidity pool.
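The mechanism described above can be reproduced in a toy model. The following is an added example, not Four.Meme's or PancakeSwap's code: it assumes the pre-launch transfer restriction is an address blocklist and that the pair address is predictable before deployment, and the names predicted_pair, LaunchToken, guard_pair, opening_price and simulate, along with all amounts, are constructed for illustration.

```python
import hashlib

def predicted_pair(token: str, quote: str) -> str:
    """Stand-in (SHA-256) for a factory's deterministic pair-address derivation."""
    a, b = sorted((token, quote))
    return "pair:" + hashlib.sha256(f"{a}|{b}".encode()).hexdigest()[:16]

class LaunchToken:
    """Toy pre-launch token; guard_pair is the hypothetical hardening switch."""
    def __init__(self, name: str, quote: str, guard_pair: bool):
        self.name, self.quote, self.launched = name, quote, False
        self.balances = {}
        # Hardened: block the *future* pair address even though nothing is deployed there yet.
        self.blocked = {predicted_pair(name, quote)} if guard_pair else set()

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender: str, to: str, amount: int) -> None:
        if not self.launched and to in self.blocked:
            raise PermissionError("pair address is blocked until launch")
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def opening_price(token: LaunchToken, quote_deposit: int) -> float:
    """Quote-per-token price fixed by the first liquidity mint. A V2-style pair
    counts whatever token balance already sits at its address."""
    reserve = token.balances.get(predicted_pair(token.name, token.quote), 0)
    if reserve == 0:
        raise ValueError("no tokens at the pair address")
    return quote_deposit / reserve

def simulate(guard_pair: bool) -> dict:
    token = LaunchToken("MEME", "WBNB", guard_pair)   # constructed sample values
    token.mint("launchpad", 800_000)
    token.mint("early_buyer", 1_000)
    pair = predicted_pair("MEME", "WBNB")
    try:
        token.transfer("early_buyer", pair, 10)       # pre-launch send to the pair address
        return {"seeded": True, "price": opening_price(token, 1)}
    except PermissionError:
        token.launched = True                         # launchpad seeds the pool itself
        token.transfer("launchpad", pair, 800_000)
        return {"seeded": False, "price": opening_price(token, 20)}

if __name__ == "__main__":
    print(simulate(False), simulate(True))
```

Without the guard, the opening price in this model is fixed by 10 stray tokens and 1 unit of quote currency rather than by the launchpad's intended 800,000-token, 20-unit seeding.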
The hacker withdrew 69 BNB from a FixedFloat hot wallet “0x47…c95,” three days before the attack. They deployed multiple contracts to facilitate the attack.
The attacker then sent the stolen 67.3 BNB to one wallet address, “0x4c…805,” and 205 BNB to another, “0x88…456,” the report noted. The 205 BNB was then split and moved across four wallets.
Following the attack on the meme coin platform, the stolen funds of over $174k were moved across several wallets to obfuscate the trail.
The hacker then laundered the stolen funds through PancakeSwap’s $BROCCOLLI 3 contract, QuillAudits said.
A total of 192 WBNB was swapped and distributed across several PancakeSwap contracts, including PancakeSwap DCA 32 (0x77C1dF8...), PancakeSwap MuBrocolli (0xcaC54d89...), and others.
Four.Meme’s response
In response to the breach, Four.Meme halted the launch function and issued an emergency statement.
“We will compensate affected users and provide a damage submission form to collect relevant information,” the platform tweeted on Tuesday.
Currently, https://t.co/IRnIR1BwDd is under attack, and the launch function has been suspended for emergency investigation.
We will compensate affected users and provide a damage submission form to collect relevant information.
A few hours later, Four.Meme announced that operations had resumed after the platform had conducted security checks, asking affected users to file their claims.
Four.Meme's platform has seen a significant increase in activity since its creation, with a total of 74,607 unique tokens being launched on the platform, per data from Dune Analytics.
While the platform has taken steps to prevent future incidents, both attacks point to the ongoing risks facing decentralized platforms, especially those handling large amounts of liquidity in meme coin markets.
Last month, zkLend, a decentralized money lending platform on the Starknet blockchain, fell victim to a major attack, losing $9.5 million in crypto assets.
zkLend later offered the hacker a 10% bounty (around 3,300 ETH, worth approximately $8.78 million) in exchange for the return of the stolen funds.