Examining the conditions surrounding the attack on the Safemoon smart contract
Disclaimer
This study relies on publicly available information and presents the authors' subjective opinions regarding the incident. It is not intended to accuse any individuals or companies of wrongdoing. Determining the full scope of the circumstances surrounding the incident, especially if there are indications of illegal activity, is the responsibility of the appropriate law enforcement authorities.
So What Happened?
On Mar-28-2023 at 21:17 (UTC), an article was published on Twitter about the compromise of Safemoon's LP (liquidity pool), which resulted in the theft of more than $8 million worth of cryptocurrency assets by an intruder.
The Match Systems team investigated the incident and established the following:
The hack was due to a vulnerability in Safemoon's contract associated with the "Bridge Burn" feature, enabling anyone to call the "burn" function on SFM tokens at any address. This allowed attackers to transfer other users' tokens back to the developer.
As a result, almost 32 billion SFM tokens were taken from Safemoon's LP address 0x8e0301e3bde2397449fef72703e71284d0d149f1 on Binance Smart Chain (BSC) to the Safemoon deployer address 0x678ee23173dce625A90ED651E91CA5138149F590, which led to an instant pump in the value of the tokens. The attacker exploited this by swapping some of the SFM tokens for BNB at the inflated price. As a result, 27380 BNB were transferred to the hacker's address 0x237d58596f72c752a6565858589348d0fce622ed.
At the time of writing this article, the assets are still held at the same address.
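The missing caller check and its effect on the pool price can be seen in a small model. This is an added example, not Safemoon's contract code: the `Token` class, the labels, the balances and the simplified reserve-ratio pricing are all assumptions made for illustration.

```python
from fractions import Fraction

DEPLOYER, POOL = "deployer", "lp_pool"   # constructed labels, not real addresses

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}              # (holder, spender) -> approved amount

    def _take(self, holder, amount):
        if amount <= 0 or self.balances.get(holder, 0) < amount:
            raise ValueError("bad amount")
        self.balances[holder] -= amount
        # As the report describes, the tokens ended up with the deployer.
        self.balances[DEPLOYER] = self.balances.get(DEPLOYER, 0) + amount

    def burn_unrestricted(self, caller, holder, amount):
        # Flawed pattern: `caller` is never compared with `holder`.
        self._take(holder, amount)

    def burn_checked(self, caller, holder, amount):
        # Hardened: the holder burns its own tokens, or the caller
        # spends an allowance the holder granted beforehand.
        if caller != holder:
            approved = self.allowance.get((holder, caller), 0)
            if approved < amount:
                raise PermissionError("caller not authorised for holder")
            self.allowance[(holder, caller)] = approved - amount
        self._take(holder, amount)

def spot_price(token, bnb_reserve):
    """BNB per token in a constant-product pool (simplified: reserve ratio)."""
    return Fraction(bnb_reserve, token.balances[POOL])

def demo():
    t = Token({POOL: 1_000_000, "outsider": 0})
    before = spot_price(t, 100)
    try:
        t.burn_checked("outsider", POOL, 990_000)
        blocked = False
    except PermissionError:
        blocked = True                   # the hardened path rejects the call
    t.burn_unrestricted("outsider", POOL, 990_000)
    return before, spot_price(t, 100), blocked
```

With the pool's token reserve cut to 1% and the BNB reserve unchanged, the modelled price rises a hundredfold, which is the "instant pump" the report refers to.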
Communication with attacker and others
In addition, there was communication with the project developers and the hacker via "additional data" attached to transactions from the following addresses:
0x286e09932b8d096cba3423d12965042736b8f850 - used by hacker to message Safemoon team.
0x60dc5bb048310224b8732d732f4a32d16690e470 - used by an unknown Third Party, a person who knows the hacker and the Safemoon team and is willing to mediate the incident, to send messages to the hacker.
0x70b8172e628992007453aa4fe27048b59957e0ef - used by an unknown Third Party to message the Safemoon team and the hacker.
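Messages sent as "additional data" are the UTF-8 bytes of a transaction's input field, so an investigator can recover a conversation from exported transaction records. The following is an added example, not part of the original study: the record layout (`timestamp`, `from`, `to`, `input`) and all sample addresses and texts are constructed placeholders.

```python
def decode_input_message(input_hex):
    """Return the readable UTF-8 text in a transaction's input data, else None."""
    h = input_hex[2:] if input_hex[:2].lower() == "0x" else input_hex
    if not h or len(h) % 2:
        return None                 # empty input (plain transfer) or odd length
    try:
        text = bytes.fromhex(h).decode("utf-8")
    except ValueError:              # non-hex, or bytes that are not UTF-8
        return None                 # (typical for ABI-encoded contract calls)
    printable = all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if printable else None

def extract_messages(txs, watched):
    """Chronological (time, sender, recipient, text) for txs touching watched addresses."""
    watched = {a.lower() for a in watched}
    out = []
    for tx in sorted(txs, key=lambda t: t["timestamp"]):
        if tx["from"].lower() not in watched and tx["to"].lower() not in watched:
            continue
        text = decode_input_message(tx["input"])
        if text is not None:
            out.append((tx["timestamp"], tx["from"], tx["to"], text))
    return out

# Constructed sample records; addresses and texts are placeholders, not incident data.
A, B, C = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_TXS = [
    {"timestamp": 30, "from": B, "to": A,
     "input": "0x" + "Reply from party B".encode().hex()},
    {"timestamp": 10, "from": A, "to": B,
     "input": "0x" + "Message from party A".encode().hex()},
    # ERC-20 transfer(address,uint256) call data: binary, not a text message
    {"timestamp": 20, "from": A, "to": C, "input": "0xa9059cbb" + "00" * 64},
    # plain value transfer between addresses that are not being watched
    {"timestamp": 40, "from": C, "to": B, "input": "0x"},
]

if __name__ == "__main__":
    for row in extract_messages(SAMPLE_TXS, [A]):
        print(row)
```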
Key Events Timeline
The chronology of the incident (UTC) as is
Our Zoo
The addresses of interest from the above:
0x286e09932b8d096cba3423d12965042736b8f850 – the address of the initial withdrawal of assets from the smart contract, also used by the hacker to message the Safemoon project team (we will call it "Red-haired Capybara")
0x237d58596f72c752a6565858589348d0fce622ed – the address where the assets are currently held (we'll call it "Blue meerkat")
0x60dc5bb048310224b8732d732f4a32d16690e470 – the address from which the message offering a mediator for negotiations was received (let's call it "Yellow Pigeon")
0x70b8172e628992007453aa4fe27048b59957e0ef – the address from which the correspondence with the project team and the hacker, with suggestions for resolving the incident, was conducted (we'll call it "Black fox")
De-anonymization of the beasts
- De-anonymization of the Red-haired Capybara can be done by obtaining information from Binance about the owners of deposit addresses:
and about the initiators of the transactions that supplied it with “gas”:
0x34927071e8c58c99db192b88f58a3ef2b1b6cf998f21dc1a08be270e519ec57e
0xb730a8be2a0a2ec13aba48fcc33dae8a1d5e31383df270fee16d48b681e1c861
0x40e2969e2c88c642a332acaca8c706d3c415d8a253d45d36ca77c6b6a790d54f
0x1ee79a12b795d3554e98c4c84c482f2e2f3b6eb87e80649dfccee20f8e818382
0x24da81ed18e1d129dffdbb9ffa0c8c37edfd22b012f52d89030a45169f47a17e
- De-anonymization of the Blue Meerkat through the Red-haired Capybara
- Yellow Pigeon's de-anonymization can be done by obtaining information from Binance about the owner of the deposit address TLaUFJmCwU3GazcmHKVkvNKE4EgU9qmvYH
and about the initiator of the transaction that supplied it with “gas”:
2b081cd589254db6ed7eaf5128d2a3c762ac66bea183d4ce2a65941279984fa8
Also from Paxful about other initiators:
656995b7d2af3941f916db96cbd1d903717ca869b877b37042bef7e2503cc4c5
036ca0e667922e741d3813666bc04bb76f8b34f3c875d72ca5f8f82ba91b9c45
b6e2ff66ee8e6f28476a6d02a5cb9c439546fee306f4ee589e1ea30ba43cc1b9
3fc3ab6748937ddd9d791c036673b7cf90f55b71cb64bddebe76b0d5b4edda0c
- As for the “Black fox” address 0x70b8172e628992007453aa4fe27048b59957e0ef, it is not possible to establish any additional data at the moment.
Some Hack technical details and the community response
Among other things, a user of “https://dune.com/” with the nickname “@factsudeny” published addresses which, in his opinion, were related to Safemoon, and provided an analysis of those addresses. Cross-chain analytics shows that these addresses have matches in various 0x blockchains, but until it is confirmed that they belong to Safemoon and the need to study them at all is established, further research is of no interest.
In lieu of a conclusion
The study found close ties between the attackers and centralized cryptocurrency exchanges, which, in turn, will allow law enforcement agencies to request relevant data and identify the individuals involved, if there is an unbiased reason to do so.
The fact that the developers made changes to the smart contract that allow such manipulations deserves additional attention. Considering that the previous version of the smart contract did not have such vulnerabilities, and after the update, a hack occurred in a relatively short period - it seems reasonable to conduct an additional internal audit regarding the individuals involved in making these changes.
Postscriptum
This research may be incomplete and some information may be missing because it was done by our team in its own time for practice purposes. At the time of writing, we do not have any contract or NDA restricting us from collecting, analysing or spreading the information, or from conducting in-depth research of the incident, if necessary.