Critical $20M SafeMoon vulnerability? Project devs say no cause for alarm

Published at: May 25, 2021

Popular TikTok viral “meme coin” SafeMoon could be vulnerable to malicious exploits by hackers on account of purported security vulnerabilities in its smart contract code.

According to a smart contract audit by blockchain security firm HashEx, SafeMoon currently has 12 such vulnerabilities, five of which are classified as ranging between “critical” and “high-severity” in nature.

As part of its findings, the HashEx audit alleges that SafeMoon is vulnerable to a “Temporary ownership renounce” attack and a subsequent rug pull to the tune of $20 million. According to HashEx, the SafeMoon contract owner is an externally owned account, or EOA, that controls a significant proportion of the coin’s liquidity.

In the event of the EOA being compromised either by internal or external rogue actors, an attacker can drain the liquidity pool. Indeed, the HashEx team alleges that a hacker can temporarily override any attempts by the SafeMoon devs to send the tokens to the burn address.

However, the SafeMoon team has countered HashEx’s findings, telling Cointelegraph that contract ownership is securely held. One SafeMoon developer said that the team was aware of the issue and has policies in place to ensure that the owner wallet is never connected to any third-party decentralized applications.

Apart from the potential for a $20 million rug pull, HashEx also identified a few reportedly problematic contract set functions that can allow an attacker to exclude certain users from receiving rewards or distribute rewards to a specific wallet.

Under normal conditions, each SafeMoon token sale attracts a 10% fee, with half of that sum distributed as rewards to existing holders. However, HashEx alleges that an attacker can use these set functions to change parameters like fees and maximum transaction amounts to any value and siphon 100% commissions from each sale.

In effect, during a possible attack, a hacker can steal the proceeds from each token sale and redirect them to specified wallets. Indeed, with all of these alleged vulnerabilities in mind, the blockchain security firm says an attacker can combine these purported loopholes to launch an elaborate chain attack.
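The class of issue described above is an owner-only setter with no bounds: whoever holds the owner key can push fees to 100% or shrink the maximum transaction amount until transfers stop. The following is an added illustration and is not SafeMoon's contract; the names (`setFees`, `setMaxTxAmount`, `taxFee`, `liquidityFee`, `maxTxAmount`) and the cap values are assumptions chosen to match the 10% fee the article describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not SafeMoon's code. Names and limits are assumptions.

// Weak: setters accept any value, so a compromised or malicious owner key
// can take 100% of every sale or set maxTxAmount to 0 and freeze transfers.
contract UnboundedFees {
    address public owner = msg.sender;
    uint256 public taxFee = 5;        // % redistributed to holders
    uint256 public liquidityFee = 5;  // % routed to liquidity
    uint256 public maxTxAmount = 1_000_000 ether;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setFees(uint256 tax, uint256 liq) external onlyOwner {
        taxFee = tax;
        liquidityFee = liq;
    }
    function setMaxTxAmount(uint256 amount) external onlyOwner {
        maxTxAmount = amount;
    }
}

// Hardened: the contract itself refuses values outside the documented range,
// so a stolen owner key cannot exceed the 10% fee holders were promised, and
// every change emits an event that off-chain monitoring can alert on.
contract BoundedFees {
    uint256 public constant MAX_TOTAL_FEE = 10;       // 10% cap per sale
    uint256 public constant MIN_MAX_TX = 1_000 ether; // cannot freeze transfers
    address public owner = msg.sender;
    uint256 public taxFee = 5;
    uint256 public liquidityFee = 5;
    uint256 public maxTxAmount = 1_000_000 ether;

    event FeesChanged(uint256 taxFee, uint256 liquidityFee);
    event MaxTxChanged(uint256 maxTxAmount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setFees(uint256 tax, uint256 liq) external onlyOwner {
        require(tax + liq <= MAX_TOTAL_FEE, "fee above cap");
        taxFee = tax;
        liquidityFee = liq;
        emit FeesChanged(tax, liq);
    }
    function setMaxTxAmount(uint256 amount) external onlyOwner {
        require(amount >= MIN_MAX_TX, "maxTx too low");
        maxTxAmount = amount;
        emit MaxTxChanged(amount);
    }
}
```

Bounding the setters on-chain turns "we will never modify fees" from a policy promise into a property anyone can verify by reading the contract.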

Responding to the HashEx audit, Thomas Smith, chief technology officer at SafeMoon, said that the team was aware of the issues, having already been informed of them by its smart contract auditor Certik.

According to Smith, a hard fork will be required to solve many of the concerns raised by HashEx. Echoing the sentiments shared by the previously quoted SafeMoon dev, Smith stated:

“Addressing these other issues, such as ownership renounce being able to be taken back by the contract deployer, we are never going to renounce and have made our stance on that clear in the past. Internally we have policies and procedures around how the contract operates to alleviate risk of mishandling values, however, you will never see us modify fees or maxTx.”

SafeMoon is currently about 69% down from its April all-time high. Indeed, back in April, Cointelegraph reported that market commentators believed the parabolic price rally of the Binance Smart Chain-based project was unsustainable.

BSC-based projects have increasingly become victims of hacks and exploits as decentralized finance protocols sought to make a home on the Binance chain after sustained periods of high transaction cost on the Ethereum network.

As previously reported by Cointelegraph, BSC DeFi protocol PancakeBunny recently tanked 96% following a $200 million flash loan attack. In April, Uranium Finance — another BSC-native protocol — suffered a $50 million malicious exploit.
