Decentralized finance (DeFi) project SafeMoon saw its liquidity pool (LP) compromised on Tuesday through a public token bug, with the attacker draining wrapped BNB (WBNB) from the protocol.
SafeMoon announced the attack on Twitter, disclosing it was working to resolve the issue as soon as possible. However, the platform did not share details of the incident.
Shortly after the exploit, blockchain security company PeckShield revealed that the bug was introduced during the project’s last contract upgrade, initiated by the official SafeMoon Deployer. The firm suggested that the admin key could have been leaked, hence, the initiation of the upgrade.
Web3 developer DeFi Mark further explained that the attacker took advantage of the public burn function, which allowed users to burn tokens from any address.
The function allowed the attacker to remove SFM, SafeMoon’s native token, from the project’s WBNB liquidity pool, resulting in an artificial spike in the price of SFM.
In the same transaction, the exploiter sold the overpriced SFM tokens into the same liquidity pool, wiping out the remaining WBNB. According to Mark, SafeMoon lost $8.9 million through an “extremely obvious exploit.”
“This is an extremely elementary exploit that many contracts in the [crypto] space have been falling victim to. Please do not let any user burn tokens from any address, it is a bad idea,” Mark added.
While Mark addressed the incident as a hack, several spectators argued that the bug was a feature intentionally left on SafeMoon’s contract to enable them to siphon users’ funds.
The controversy behind the SafeMoon project fueled the ugly comments about the incident.
The company is currently facing a lawsuit accusing it of misinterpreting the tokenomics of SFM to investors. As CryptoPotato reported, the plaintiffs alleged that SafeMoon’s executives slowly rug-pulled investors after the project’s rally in price and trading volume following its launch.