Full Report
SafeMoon is a blockchain company whose SFM token trades on the BNB Chain. They are trying to bring cryptocurrency into the future with products such as a debit card. SafeMoon was just hacked for 8.9M dollars. The contract has a burn function, which removes tokens from the circulating supply. Since price is commonly tied to the total supply of tokens, being able to create or destroy tokens at will has effects in other places. In this case, the attacker used the burn to remove SFM (SafeMoon) tokens from the SafeMoon-WBNB liquidity pool, which raised the price of SFM. They then sold SFM into the LP at that heavily inflated rate to take money out of it. What's interesting about this bug is that the vulnerable code was deployed only hours before being exploited. It is super crazy that this code was published without being audited first. Public burns are bad: being able to burn arbitrary tokens from users' accounts is a massive access control issue. Somebody plugged this into ChatGPT, which even found the bug!
Analysis Summary
# Incident Report: SafeMoon Liquidity Pool Manipulation
## Executive Summary
SafeMoon, a blockchain entity on the BNB Chain, suffered a smart contract exploitation totaling approximately $8.9 million. The attacker leveraged a newly deployed, unaudited "burn" function to manipulate the price of SFM tokens within a liquidity pool, subsequently draining funds. The incident highlights the critical risks of deploying administrative functions with insufficient access controls and lack of rigorous security auditing.
## Incident Details
- **Discovery Date:** March 28, 2023
- **Incident Date:** March 28, 2023
- **Affected Organization:** SafeMoon
- **Sector:** Decentralized Finance (DeFi) / Cryptocurrency
- **Geography:** Global / Distributed (BNB Chain)
## Timeline of Events
### Initial Access
- **Date/Time:** March 28, 2023 (Hours after new code deployment)
- **Vector:** Smart Contract Vulnerability (Publicly accessible administrative function)
- **Details:** The attacker identified a vulnerable `burn` function in the newly upgraded SafeMoon smart contract that allowed any user to trigger the burning of tokens from any address.
### Lateral Movement
- **Mechanism:** Economic Manipulation. The attacker did not move through a traditional network but utilized the public `burn` function to target the SafeMoon-WBNB Liquidity Pool (LP) address.
### Data Exfiltration/Impact
- **Details:** By burning a massive quantity of SFM tokens held within the Liquidity Pool, the attacker artificially inflated the price of the remaining tokens. The attacker then swapped a small amount of SFM for a disproportionately large amount of WBNB, draining the pool's value.
### Detection & Response
- **Discovery:** Blockchain monitoring tools and community members identified the massive price slippage and irregular contract calls.
- **Response Actions:** The vulnerability was identified as stemming from a code update deployed only hours prior to the exploit.
## Attack Methodology
- **Initial Access:** Exploitation of an insecurely implemented `burn` function in the smart contract.
- **Persistence:** Not applicable; the attack was an atomic transaction execution.
- **Privilege Escalation:** Exploiting a Broken Access Control (BAC) flaw where a function intended for administrators was left public.
- **Defense Evasion:** None; the transaction was transparent on the public ledger.
- **Impact:** Liquidity Pool draining via price manipulation (Pump-and-Dump mechanics via code).
## Impact Assessment
- **Financial:** Estimated loss of $8.9 million USD.
- **Data Breach:** None (Standard blockchain transparency; no PII involved).
- **Operational:** Significant disruption to the SafeMoon ecosystem and token liquidity.
- **Reputational:** High; criticism centered on the deployment of unaudited code and the bypass of security best practices.
## Indicators of Compromise
- **Behavioral indicators:** Unusual calls to the `burn` function targeting the LP address; massive slippage in SFM/WBNB trading pairs.
- **Contract Interaction:** Transactions interacting with the SFM contract's new burn mechanism.
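A small model of the mechanism described under Data Exfiltration/Impact and of the behavioral indicator listed under Indicators of Compromise, added here as an example; it is not SafeMoon's or PancakeSwap's code. It assumes a Uniswap-V2-style pair that caches reserves separately from the token balances it actually holds and re-reads them on its next swap (the `sync()` step below), a 0.3% fee, and constructed reserve and trade sizes. Burning SFM held at the pair address shrinks the pair's balance without any swap, so the cached price jumps tenfold on the next sync and the same sell then pays out roughly nine times more WBNB than before; `reserve_drift` is the check a monitor could run in the window between the burn and the next sync, when the pair's real balance sits below its recorded reserve.

```python
"""Constant-product LP model of the burn-then-sell manipulation.

Constructed example: not SafeMoon's or PancakeSwap's code. Reserve sizes,
trade sizes and the 0.3% fee are assumptions chosen for illustration.
"""
from fractions import Fraction

FEE_BPS = 30  # 0.30% swap fee, assumed (PancakeSwap/Uniswap V2 style)


class Pool:
    """Two-token pair that, like a V2 pair, caches reserves separately from balances."""

    def __init__(self, sfm_balance: int, wbnb_balance: int) -> None:
        # Token balances actually held at the pair address.
        self.balances = {"SFM": Fraction(sfm_balance), "WBNB": Fraction(wbnb_balance)}
        # Reserves last recorded by the pair; used for quoting until the next sync().
        self.reserves = dict(self.balances)

    def spot_price(self) -> Fraction:
        """WBNB per SFM implied by the cached reserves."""
        return self.reserves["WBNB"] / self.reserves["SFM"]

    def sync(self) -> None:
        """Refresh cached reserves from real balances (a pair does this on swap/sync)."""
        self.reserves = dict(self.balances)

    def swap_exact_in(self, token_in: str, amount_in: int) -> Fraction:
        """Sell amount_in of token_in into the pool; returns the other token paid out."""
        token_out = "WBNB" if token_in == "SFM" else "SFM"
        self.sync()
        r_in, r_out = self.reserves[token_in], self.reserves[token_out]
        in_after_fee = Fraction(amount_in * (10_000 - FEE_BPS), 10_000)
        amount_out = in_after_fee * r_out / (r_in + in_after_fee)  # x*y=k quote
        self.balances[token_in] += amount_in
        self.balances[token_out] -= amount_out
        self.sync()
        return amount_out


def unrestricted_burn(pool: Pool, token: str, amount: int) -> None:
    """Models a token whose burn(address, amount) any caller may aim at any holder,
    here the pair address: tokens vanish from the pair without any swap."""
    pool.balances[token] -= amount


def reserve_drift(pool: Pool) -> dict:
    """Monitoring check: a pair balance below its cached reserve means tokens left
    the pair outside the normal swap/liquidity flows (the report's behavioral indicator)."""
    return {t: pool.reserves[t] - pool.balances[t]
            for t in pool.reserves if pool.balances[t] < pool.reserves[t]}


def simulate(sfm_reserve: int = 1_000_000, wbnb_reserve: int = 1_000,
             burn_share: Fraction = Fraction(9, 10), sell: int = 10_000) -> dict:
    """Run the same sell against an untouched pool and against a pool whose SFM was burned."""
    honest = Pool(sfm_reserve, wbnb_reserve)
    payout_before = honest.swap_exact_in("SFM", sell)

    attacked = Pool(sfm_reserve, wbnb_reserve)
    price_before = attacked.spot_price()
    unrestricted_burn(attacked, "SFM", int(sfm_reserve * burn_share))
    drift = reserve_drift(attacked)           # visible until the pair re-syncs
    attacked.sync()
    price_after = attacked.spot_price()
    payout_after = attacked.swap_exact_in("SFM", sell)

    return {
        "drift": drift,
        "price_ratio": price_after / price_before,
        "payout_before": payout_before,
        "payout_after": payout_after,
        "payout_ratio": payout_after / payout_before,
    }


if __name__ == "__main__":
    r = simulate()
    print(f"drift flagged before sync: {r['drift']}")
    print(f"spot price multiplied by {float(r['price_ratio']):.1f}x after the burn")
    print(f"same sell paid {float(r['payout_before']):.2f} WBNB before, "
          f"{float(r['payout_after']):.2f} WBNB after ({float(r['payout_ratio']):.1f}x)")
```

The numbers are exact fractions so the effect is not an artifact of rounding: with 90% of the pair's SFM burned, the cached price moves by exactly the factor the reserves shrank by, and the payout ratio lands a little above nine because the fee and slippage are taken on the smaller reserve.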
## Response Actions
- **Containment:** Community and developers identified the flaw in the logic of the recently deployed smart contract.
- **Eradication:** Identification of the specific commit/deployment that introduced the public burn capability.
- **Recovery:** Efforts to communicate with the attacker for the return of funds (often characteristic of DeFi "whitehat" negotiations).
## Lessons Learned
- **Audit Deficit:** Deploying smart contract code to a production environment managing millions in assets without a third-party audit is high-risk.
- **Access Control:** Critical functions like `burn` or `mint` must be protected by strict modifiers (e.g., `onlyOwner`) and should never allow the destruction of tokens from arbitrary third-party addresses.
- **AI in Security:** The incident proved that modern AI tools (like ChatGPT) are capable of identifying logic flaws in code that human developers may overlook during rapid deployment.
## Recommendations
- **Rigorous Governance:** Implement a mandatory waiting period and multi-signature requirement for all contract upgrades.
- **Automated Security Scanning:** Integrate static and dynamic analysis tools into the CI/CD pipeline to catch "low-hanging fruit" vulnerabilities like public administrative functions.
- **Audit Compliance:** Ensure all contract modifications undergo a formal security audit by a reputable firm before deployment.
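A heuristic check of the kind the Automated Security Scanning recommendation calls for, added here as an example and not part of the report or of SafeMoon's tooling: it scans Solidity source for `public` or `external` burn/mint functions that take an address argument and carry neither an owner-style modifier nor an allowance check, and it is run over two constructed token snippets, one with the unrestricted `burn(address, uint256)` pattern described in the Access Control lesson and one hardened to self-only `burn`, allowance-gated `burnFrom` and `onlyOwner` `mint`. The modifier names and allowance markers it looks for are assumptions about a project's conventions, and a regex pass like this is a CI tripwire for low-hanging fruit, not a replacement for an analyzer such as Slither or a manual audit.

```python
"""Heuristic scan for unguarded supply-changing functions in Solidity source.

Constructed example: a regex-level check, not SafeMoon's code and not a
substitute for a real analyzer. The modifier names and allowance markers
below are assumptions about a project's conventions.
"""
import re

# Assumed guard conventions; extend for the project being scanned.
GUARD_MODIFIERS = {"onlyOwner", "onlyRole", "onlyAdmin", "onlyMinter"}
ALLOWANCE_MARKERS = ("allowance", "_allowances", "_spendAllowance")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)")


def _body_after(src: str, pos: int) -> str:
    """Brace-balanced body of the function whose header ends at pos ('' if abstract)."""
    brace, semi = src.find("{", pos), src.find(";", pos)
    if brace == -1 or (semi != -1 and semi < brace):
        return ""
    depth = 0
    for j in range(brace, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[brace + 1:j]
    return src[brace + 1:]


def scan(source: str) -> list:
    """Flag public/external burn*/mint* functions that act on an address argument
    and have neither a guard modifier nor an allowance check in the body."""
    findings = []
    for m in FUNC_RE.finditer(source):
        name, params, header = m.group(1), m.group(2), m.group(3)
        base = name.lstrip("_").lower()
        if not (base.startswith("burn") or base.startswith("mint")):
            continue
        words = set(re.findall(r"\w+", header))
        visibility = words & {"public", "external"}
        if not visibility or words & GUARD_MODIFIERS:
            continue  # not an entry point, or already gated by a modifier
        if "address" not in params:
            continue  # acts only on msg.sender's own balance
        body = _body_after(source, m.end())
        if any(marker in body for marker in ALLOWANCE_MARKERS):
            continue  # burnFrom-style, gated by the holder's approval
        line = source.count("\n", 0, m.start()) + 1
        findings.append(
            f"line {line}: {name}({params.strip()}) is {'/'.join(sorted(visibility))} "
            f"and acts on an arbitrary address without a guard modifier or allowance check")
    return findings


# Constructed snippets illustrating the two patterns discussed in the report.
VULNERABLE = """
contract Token {
    mapping(address => uint256) private _balances;
    function burn(address account, uint256 amount) public {
        _balances[account] -= amount;   // any caller can burn any holder's tokens
    }
}
"""

HARDENED = """
contract Token {
    address public owner;
    mapping(address => uint256) private _balances;
    mapping(address => mapping(address => uint256)) private _allowances;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function burn(uint256 amount) public { _balances[msg.sender] -= amount; }
    function burnFrom(address account, uint256 amount) public {
        require(_allowances[account][msg.sender] >= amount, "insufficient allowance");
        _allowances[account][msg.sender] -= amount;
        _balances[account] -= amount;
    }
    function mint(address to, uint256 amount) external onlyOwner { _balances[to] += amount; }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: {scan(src) or 'no findings'}")
```

Wiring `scan` into a pre-deploy step that fails the build on any finding gives the waiting-period and review gates something concrete to block on; the hardened snippet passes because its only functions that touch another holder's balance are either owner-gated or spend that holder's explicit allowance.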