Thursday, March 28, 2024

A small bug in the SafeMoon DeFi platform code allowed cybercriminals to “pump out” almost $9 million worth of cryptocurrencies


The unusual circumstances of the attack have puzzled even experts.


SafeMoon's token liquidity pool lost $8.9 million after an unknown attacker took advantage of the newly added "burn" smart contract function, which artificially inflated the price of the SFM cryptocurrency and allowed it to be sold at a much higher profit.

Liquidity pools on DeFi platforms are large deposits of cryptocurrencies that facilitate trading, provide market liquidity, and generally allow exchanges to function without borrowing currency from third parties.

Yesterday SafeMoon confirmed the incident on its Twitter account and stated that it is currently working on a solution to the problem.



SafeMoon’s Twitter post

SafeMoon CEO John Karony said the attack occurred on Tuesday, March 28 and affected the SFM:BNB liquidity pool, but not the platform's entire exchange. "We discovered the alleged exploit, fixed the vulnerability, and engaged a network forensics consultant to determine the exact nature and extent of the exploit. Users need to be sure that their tokens remain safe. I want to assure you that other DEX pools were not affected," reads the statement from SafeMoon's CEO.

Blockchain security firm PeckShield shared more details about the vulnerability the attacker used to drain SafeMoon. According to PeckShield, a recent update to the SafeMoon platform introduced a new smart contract function called "burn" that destroys tokens. Burning tokens is by itself a completely normal and legitimate process on crypto platforms. But in SafeMoon's case, the function was mistakenly declared public with no access restrictions, so anyone on the platform could call it.

SafeMoon's CEO had previously said that "burning" would only be used in emergencies, for example when the liquidity pool faces risks from malicious smart contracts, excessive slippage or other issues. But the attacker, taking advantage of the open function, burned a large quantity of SafeMoon tokens at once in his own interest, which caused the token's price to rise sharply.



The value of “public” in the function “burn”
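To make the defect concrete, here is an added illustration (not SafeMoon's code, and not taken from the article or from PeckShield's analysis) of a burn function left `public` with no access control, next to a hardened version. The token contracts, the `from` parameter on the burn, and the `onlyOwner` design are assumptions for the sake of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical token showing the weak pattern described in the article:
/// a burn function declared `public` with no access control, so any caller
/// can destroy tokens held by any address (the `from` parameter is assumed).
contract VulnerableBurnToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // WEAK: no modifier and no check that msg.sender owns or is approved
    // for `from`, so the supply can be reduced by anyone at any time.
    function burn(address from, uint256 amount) public {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }
}

/// Hardened version: an ordinary holder may only burn tokens they hold, and
/// the emergency burn from an arbitrary address is restricted to the owner
/// and leaves an auditable on-chain reason.
contract HardenedBurnToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event EmergencyBurn(address indexed from, uint256 amount, string reason);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Shared bookkeeping; never reachable from outside the contract.
    function _burn(address from, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }

    // Self-burn: the caller can only destroy their own balance.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // Emergency burn of another address's balance: owner only, with a reason
    // recorded in an event so the action can be reviewed after the fact.
    function emergencyBurn(address from, uint256 amount, string calldata reason)
        external
        onlyOwner
    {
        _burn(from, amount);
        emit EmergencyBurn(from, amount, reason);
    }
}
```

The review check this suggests is mechanical: list every `public` or `external` function that changes state and write down, for each one, who is allowed to call it and which modifier or `require` enforces that. A privileged function with no answer to that question is the bug. Placing `owner` behind a multisig or timelock is a further step the example does not show.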

As soon as the price rose, SafeMoon's cryptocurrency was sold from another address at the manipulated price, allowing nearly $9M to be siphoned out of the SafeMoon:WBNB liquidity pool.

Amusingly, a few hours after the attack, the person who converted SafeMoon to BNB stated that he had not acted with malicious intent but had "accidentally got ahead of the curve" once the price was artificially high because of the "burn" function. Allegedly, someone else burned the tokens, and this person merely managed to make a profitable trade.

"Hey, relax, we accidentally launched an attack against you and would like a refund. Let's set up a secure communication channel and talk," says a comment added to the transaction.

At the time of writing, the cryptocurrency "thief" had transferred about 4,000 Binance coins (BNB), worth $1.2 million, to another address, which corrected the SFM rate for the better. If this attack really was an accident or a simple "prank", all the currency "pumped out" of the SafeMoon liquidity pool will soon be returned and the incident can be forgotten.

Nevertheless, SafeMoon has drawn the right conclusion from this situation and is carefully checking whether there are other errors in the platform code that let ordinary exchange participants obtain access they should never have had. The owners of other DeFi platforms will probably soon run the same checks so as not to step on the same rake.





Source link

www.securitylab.ru
