Thieves Steal $9m from Crypto Liquidity Pool

Cyber-thieves have stolen $8.9m from cryptocurrency firm SafeMoon after exploiting a recently introduced vulnerability affecting the firm’s liquidity pool.

Liquidity pools are large sums of cryptocurrency locked in a smart contract that provide liquidity to decentralized finance (DeFi) exchanges.

However, the SFM:BNB pool run by SafeMoon was compromised on March 28, according to the firm’s CEO, John Karony.

“In the hours since, our team has met with key advisors to agree a plan that protects token holders and the community. We have located the suspected exploit, patched the vulnerability, and are engaging a chain forensics consultant to determine the precise nature and extent of the exploit,” Karony explained.

“Users should be assured that their tokens remain safe. Because we have flexibility in our tech, we have faith that we will be able to bring this matter to resolution.”

Karony claimed that the firm’s exchange is not impacted, nor are other pools run by the firm or its SafeMoon Wallet.

A recently introduced update appears to have been the cause of the bug that was exploited in this attack.

“The attacker took advantage of the public burn() function, this function let any user burn tokens from any other address. The attacker used this function to remove SFM tokens from the SFM:BNB liquidity pool, artificially raising the price of SFM,” explained Dappd CEO, “DeFiMark,” on Twitter.

“The attacker was then able to sell SFM into this LP at a grossly overpriced rate within the same transaction, wiping out the remaining WBNB in the liquidity pool.”
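The access-control flaw described above, as an added Python model (not SafeMoon's contract code or anything from the original article): an unchecked burn beside a hardened one, plus a regression check a token team could run. All names and balances are constructed, and the model assumes a pool that quotes its price from its live token balance.

```python
class Unauthorized(Exception):
    """Caller may not burn from this holder."""


class Token:
    """Minimal token ledger (constructed model; all names are hypothetical)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (holder, spender) -> approved amount

    def approve(self, holder, spender, amount):
        self.allowances[(holder, spender)] = amount

    def _debit(self, holder, amount):
        if amount <= 0 or self.balances.get(holder, 0) < amount:
            raise ValueError("invalid burn amount")
        self.balances[holder] -= amount

    def burn_unchecked(self, caller, holder, amount):
        # Flawed shape from the article: caller is never compared to holder.
        self._debit(holder, amount)

    def burn(self, caller, holder, amount):
        # Hardened: a holder burns its own tokens; anyone else spends an allowance.
        if caller != holder:
            allowed = self.allowances.get((holder, caller), 0)
            if allowed < amount:
                raise Unauthorized(f"{caller} may not burn from {holder}")
            self.allowances[(holder, caller)] = allowed - amount
        self._debit(holder, amount)


def spot_price(token, pool, wbnb_reserve):
    """WBNB per SFM, assuming the pool prices from its live token balance."""
    return wbnb_reserve / token.balances[pool]


def third_party_burn_moves_price(burn_name):
    """Regression check: can an unapproved caller shift the pool's price?"""
    token = Token({"pool": 1_000_000, "outsider": 10})  # constructed balances
    before = spot_price(token, "pool", 1_000)
    try:
        getattr(token, burn_name)("outsider", "pool", 900_000)
    except Unauthorized:
        pass
    return spot_price(token, "pool", 1_000) != before
```

With the unchecked variant the check returns `True` (the quoted price moves tenfold); with the hardened variant it returns `False` because the pool's balance is untouched.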

Interestingly, the actor claiming responsibility for the attack now appears to be saying that they carried it out in error and want to return the funds. However, this could simply be a delaying tactic while they launder the stolen crypto.