Critical $20M SafeMoon vulnerability? Project devs say no cause for alarm
Popular TikTok viral “meme coin” SafeMoon could be exposed to exploits by hackers on account of purported security vulnerabilities in its smart contract code.
According to a smart contract audit by blockchain security firm HashEx, SafeMoon currently has 12 such vulnerabilities, five of which are classified as “critical” or “high-severity.”
As part of its findings, the HashEx audit alleges that SafeMoon is vulnerable to a “Temporary ownership renounce” attack and a subsequent rug pull to the tune of $20 million. According to HashEx, the SafeMoon contract owner is an externally owned account, or EOA, that controls a significant proportion of the coin’s liquidity.
In the event of the EOA being compromised either by internal or external rogue actors, an attacker can drain the liquidity pool. Indeed, the HashEx team alleges that a hacker can temporarily override any attempts by the SafeMoon devs to send the tokens to the burn address.
However, the SafeMoon team has countered HashEx’s findings, telling Cointelegraph that contract ownership is securely held. One SafeMoon developer said that the team was aware of the issue and has policies in place to ensure that the owner wallet is never connected to any third-party decentralized applications.
Apart from the potential for a $20 million rug pull, HashEx also identified several reportedly problematic contract setter functions that could allow an attacker to exclude certain users from receiving rewards or to distribute rewards to a specific wallet.
Under normal conditions, each SafeMoon token sale attracts a 10% fee, with half of that sum distributed as rewards to existing holders. However, HashEx alleges that an attacker can set contract parameters such as fees and maximum transaction amounts to any value and siphon a 100% commission from each sale.
In effect, during a possible attack, a hacker could take the proceeds from each token sale and redirect them to specified wallets. With all of these alleged vulnerabilities in mind, the blockchain security firm says an attacker could combine these purported loopholes to launch an elaborate chain attack.
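The two weaknesses described above, owner-only setters with no ceiling and a “renounce” that the deployer can reverse, shown beside a hardened form with a hard-coded fee ceiling, a timelock on changes and an irrevocable renounce. This is an added Solidity illustration written for this page; it is not SafeMoon’s contract code or HashEx’s audit material, and the contract and function names, the two-day delay and the sample fee values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustrative example, not SafeMoon's contract or HashEx's audit code.
// Names, delay length and sample values are assumptions.

// Pattern A: the weak shape the audit describes.
// - setters accept any value, so a compromised owner key can take a 100% fee;
// - "renounce" keeps the old owner in storage and can be reversed later.
contract WeakOwnerControls {
    address public owner;
    address private _previousOwner;   // the slot that makes the renounce reversible
    uint256 public taxFee = 5;        // percent; constructed sample value
    uint256 public maxTxAmount;

    event OwnershipTransferred(address indexed from, address indexed to);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(uint256 totalSupply) {
        owner = msg.sender;
        maxTxAmount = totalSupply;
    }

    // No ceiling: 100, or any uint256, is accepted.
    function setTaxFeePercent(uint256 fee) external onlyOwner { taxFee = fee; }

    // No floor: can be set so low that ordinary transfers stop working.
    function setMaxTxAmount(uint256 amount) external onlyOwner { maxTxAmount = amount; }

    // On-chain this looks like a renounce (owner becomes 0x0), but a way back remains.
    function lock() external onlyOwner {
        _previousOwner = owner;
        owner = address(0);
        emit OwnershipTransferred(_previousOwner, address(0));
    }

    function unlock() external {
        require(msg.sender == _previousOwner, "not previous owner");
        emit OwnershipTransferred(address(0), _previousOwner);
        owner = _previousOwner;
    }
}

// Pattern B: hardened shape.
// - the fee ceiling is fixed at deploy time, bounding the worst case a stolen key can reach;
// - changes are queued behind a delay and emitted, so holders and monitoring get
//   a window to react before they take effect;
// - renounce is final: no previous-owner slot, no unlock path.
contract BoundedOwnerControls {
    uint256 public constant MAX_TAX_FEE = 10;  // matches the 10% fee the article describes
    uint256 public constant DELAY = 2 days;    // assumed timelock length

    address public owner;
    uint256 public taxFee = 5;                 // constructed sample value
    uint256 public pendingFee;
    uint256 public pendingFeeEta;              // 0 when nothing is queued

    event OwnershipTransferred(address indexed from, address indexed to);
    event FeeChangeQueued(uint256 proposedFee, uint256 eta);
    event FeeChanged(uint256 oldFee, uint256 newFee);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function queueTaxFee(uint256 fee) external onlyOwner {
        require(fee <= MAX_TAX_FEE, "fee above ceiling");
        pendingFee = fee;
        pendingFeeEta = block.timestamp + DELAY;
        emit FeeChangeQueued(fee, pendingFeeEta);
    }

    function executeTaxFee() external onlyOwner {
        require(pendingFeeEta != 0, "nothing queued");
        require(block.timestamp >= pendingFeeEta, "timelock not expired");
        emit FeeChanged(taxFee, pendingFee);
        taxFee = pendingFee;
        pendingFeeEta = 0;
    }

    // Irrevocable: nothing records the old owner and there is no unlock.
    function renounceOwnership() external onlyOwner {
        emit OwnershipTransferred(owner, address(0));
        owner = address(0);
    }
}
```

The point of the second contract is that the damage a compromised or rogue owner key can do is bounded by constants rather than by policy, and that every parameter change is visible on-chain (`FeeChangeQueued`, `OwnershipTransferred`) before it takes effect, which is what a holder or a monitoring service would watch for.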
Responding to the HashEx audit, Thomas Smith, chief technology officer at SafeMoon, said that the team was aware of the issues, having already been alerted to them by its smart contract auditor Certik.
According to Smith, a hard fork will be required to solve many of the concerns raised by HashEx. Echoing the sentiments shared by the previously quoted SafeMoon dev, Smith stated:
“Addressing these other issues, such as ownership renounce being able to be taken back by the contract deployer, we are never going to renounce and have made our stance on that clear in the past. Internally we have policies and procedures around how the contract operates to alleviate risk of mishandling values, however, you will never see us modify fees or maxTx.”
SafeMoon is currently about 69% down from its April all-time high. Indeed, back in April, Cointelegraph reported that market commentators believed the parabolic price rally of the Binance Smart Chain-based project was unsustainable.
BSC-based projects have increasingly become victims of hacks and exploits as decentralized finance protocols have sought to make a home on the Binance chain after sustained periods of high transaction costs on the Ethereum network.
As previously reported by Cointelegraph, BSC DeFi protocol PancakeBunny recently tanked 96% following a $200 million flash loan attack. In April, Uranium Finance — another BSC-native protocol — suffered a $50 million malicious exploit.