Meme Coin Project SafeMoon Rekt for $9M Due to Public Mint Bug

A recent upgrade to meme coin SafeMoon’s smart contract saw the project robbed of $8.9 million—and then stolen again.

What happens when a hacker gets front run?

Just three hours after SafeMoon upgraded its smart contracts, an exploiter identified and leveraged a bug in the code that led to the loss of roughly $8.9 million from the memecoin’s liquidity pool.

In a unique turn of events, however, the exploiter that initially leveraged the vulnerability was then quickly front run by another address.

The front runner then sent a message to SafeMoon’s deployer contract to open negotiations: “Hey relax, we are accidentally front run an attack against you, we would like to return the fund, setup secure communication channel, let’s talk.”

What Is SafeMoon and Why Are So Many People Talking About Its New Wallet?

If you’ve scrolled past the #SAFEMOONWALLET hashtag blaring on Twitter today, you may not have realized the token with a $2.5 billion market cap—sometimes derided as a Ponzi—has some actual product news. Cryptocurrency project SafeMoon today opened sign-ups for a closed beta version of its wallet. It’s welcoming 500 users to test the product, which will purportedly hold the SafeMoon token. Since the advent of cryptocurrency, dozens of Bitcoin forks, Ethereum wannabes, and even Dogecoin knockoffs…

Front running is when a crypto address identifies a pending lucrative trade or transaction on the blockchain, such as this exploit, and then pays a very high gas fee to get the same trade or transaction executed before the original.

The front runner later wrote in a transaction to SafeMoon, “Let’s discuss the detail, please send a message from same address containing your email address, and contact us by email: [REDACTED].”

SafeMoon did not immediately respond to Decrypt’s request for comment.

Unpacking the SafeMoon bug

Though it would appear the front runner wants to return the funds to the SafeMoon team, the real concern is how the exploit managed to find its way into the smart contract.

“A public mint bug means the hacker can call the function to burn the liquidity in the pool and then swap for the remaining WBNB,” a spokesperson from PeckShield told Decrypt via Telegram. WBNB is a wrapped version of Binance’s native exchange token BNB, which makes it easier to interact with native BNB Chain applications.

“The hacker basically buys SFM [SafeMoon] at the beginning, next exploits the public mint bug to increase the SFM price, and then sells SFM with the profit >$8.9m,” the spokesperson said.

“It is a trivial bug, really nothing fancy. […] And it should not be present in the upgrade at all.” the PeckShield spokesperson said, “[it is] likely this upgrade is not audited.”

One Twitter user claimed they were able to identify the exploit after two minutes of reviewing SafeMoon’s smart contract.

“The specific bug’s root cause was the lack of proper access control to a function which should be for privileged usage only.” Gonçalo Magalhães, smart contract engineer at Immunefi told Decrypt. “This is a common security vulnerability which is usually caught at the auditing phase of a smart contract.”

This means that people who had their tokens in a liquidity pool (WBNB-SFM) were at risk of losing their tokens. One Twitter user claims they lost 4 million SFM, or roughly $800 at press time.

As for the SafeMoon team, its CEO John Karony said that they hired a chain forensics consultant who located the issue and has reportedly resolved it.

“Users should be assured that their tokens remain safe. Because we have flexibility in our tech, we have faith that we will be able to bring this matter to resolution,” he said.