A slew of critical vulnerabilities has recently been identified by the developers at DeFi security provider HashEx when examining the code of the SafeMoon DeFi project. The identified issues are so severe that users are being warned to stay away from the protocol for fear of losing their funds.
As reported in a press release shared by HashEx with Bitcoinist, the vulnerabilities were detected in SafeMoon, a DeFi protocol based on a BEP-20 smart contract that charges up to 5% in commissions per on-chain transfer for later redistribution among $SAFEMOON token holders. The $SAFEMOON token itself has grown in price by more than 15,000% since launch, surpassing a $6 billion market cap, with DEX-swap liquidity currently standing higher than $200,000,000.
Despite the stellar figures, HashEx has identified 12 vulnerabilities that place the funds of over two million investors in jeopardy, of which two are considered critical and three are deemed extremely high risk.
The identified vulnerabilities allow any perpetrator to set commissions for $SAFEMOON tokens as high as 100%, conduct malicious rug pulls, exclude token holders from commission distributions, temporarily block token transfers, or render the smart contract permanently inoperable. Moreover, at least four of the vulnerabilities can be used in combination, multiplying the damage inflicted in favor of the malicious actors.
HashEx's communication with the SafeMoon development team has made it clear that the latter are aware of the vulnerabilities, but cannot address these issues “with a deployed contract without a hardfork”.
“Functions like excludeFromReward and the same for excludeFromFee are used for exchange hot wallets so that users are not unfairly penalized for participating with CEXs. Addressing these other issues, such as ownership renounce being able to be taken back by the contract deployer, we are never going to renounce and have made our stance on that clear in the past. Internally we have policies and procedures around how the contract operates to alleviate risk of mishandling values, however you will never see us modify fees or maxTx,” was the statement received from SafeMoon CTO Thomas Smith on the findings reported by HashEx.
Vulnerabilities such as rug-pulling would allow liquidity to be “pulled” from SafeMoon’s pools, because the account that owns the smart contract is an externally owned account controlled by a real person and can be compromised by hackers. Such an attack could lead to an instant loss of over 15% of all SafeMoon liquidity, amounting to over $20 million. In addition, a function call with temporary ownership renounce can be applied even if the developer transfers the ownership to a token burning address.
The blacklisting of rewards, which allows certain wallets to be excluded from rewards distribution, is just as worrying, as it can be used to distribute as much as 30% of the balance in favor of wallets that can be included in the list at the attacker’s will. Even more worrying is the possibility of a 100% fee on token transfers, which would mean that instead of the tokens being transferred to the receiver, the whole sum would end up in a common reward pool.
The combination of such critical vulnerabilities in SafeMoon is a sobering reminder of the risks that DeFi projects still carry. Messari recently reported that a total of $285 million has been stolen as a result of DeFi hacks over the past two years. A recent example is the DeFi100 decentralized finance protocol, which is reported to have turned out to be a scam that ended with the theft of $32 million in user funds. Whether SafeMoon is on the same slippery path is a question that only the project’s developers or time will answer.