Decentralized finance (DeFi) project SafeMoon saw its liquidity pool (LP) compromised on Tuesday through a public token bug, with the attacker draining wrapped BNB (WBNB) from the protocol.
SafeMoon announced the attack on Twitter, disclosing it was working to resolve the issue as soon as possible. However, the platform did not share details of the incident.
Over $8.9M Stolen
To the @SAFEMOON community: We want to inform you that our LP has been compromised.
We are taking swift action in an attempt to resolve the issue as soon as possible. Follow here for updates.
Thank you for your support as we work to address this situation.
— SafeMoon (@safemoon) March 28, 2023
Shortly after the exploit, blockchain security company PeckShield revealed that the bug was introduced during the project’s last contract upgrade, initiated by the official SafeMoon Deployer. The firm suggested that the admin key could have been leaked, hence, the initiation of the upgrade.
Web3 developer DeFi Mark further explained that the attacker took advantage of the public burn function, which allowed users to burn tokens from any address.
The function allowed the attacker to remove SFM, SafeMoon’s native token, from the project’s WBNB liquidity pool, resulting in an artificial spike in the price of SFM.