Safemoon hack analysis — Improper Access control
Overview
On March 28, 2023, an incident occurred on the Safemoon token pair: an attacker exploited an improper access control vulnerability to burn the majority of tokens and gain $8.9 million.
This vulnerability is detected by our tool SolidityScan. Sign up for a free trial at https://solidityscan.com/signup.

Smart Contract Hack Overview
- Attacker’s address: 0x286e0
- Attacker’s transaction: 0x48e52
- Attacker’s contract: 0xa1fae6
- Attacker’s message: 0x7243d
- SafeMoon deployer: 0x678
- SafeMoon vulnerable code: L1737

Decoding the Smart Contract Vulnerability
- The attacker initially purchased around 102 WBNB tokens and exchanged them for their SFM pair counterpart.
- The attacker then burned a huge number of SFM tokens, which inflated the price of SFM tokens within minutes.
- The attacker converted the SFM tokens back to their WBNB counterpart and withdrew 8.9 million tokens, resulting in a massive loss for SafeMoon users.

Mitigation and Best Practices
- Access control must be properly implemented on privileged contract functions.
- Make sure only authorized users may call the burn function. One approach is to use OpenZeppelin’s AccessControl contract to enforce this. This may be accomplished by including a require statement at the beginning of the function to ensure that the caller holds the required role.
- Use modifiers to restrict such functions, and make sure they are not callable by anyone except the owner.
- Scan your Solidity contracts against the latest common security vulnerabilities, including access control vulnerabilities, with 130+ detectors at SolidityScan.
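The following is an added illustration of the pattern the bullets above describe; it is not SafeMoon’s contract and not SolidityScan’s code. It shows a burn function that accepts the account to burn from as a parameter and never checks the caller, beside a hardened version that gates the same operation behind an OpenZeppelin `AccessControl` role, once with the `onlyRole` modifier and once with an explicit `require`. The token names, the `BURNER_ROLE` identifier and the OpenZeppelin import paths are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not SafeMoon's code. Assumes OpenZeppelin contracts are
// installed (e.g. via npm as @openzeppelin/contracts).
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Vulnerable pattern: `burn` takes the source account as a parameter and
// performs no check on msg.sender, so any address can destroy any holder's
// balance, including a liquidity pool's, and thereby move the price.
contract UnrestrictedBurnToken is ERC20 {
    constructor() ERC20("Example Token", "EXM") {
        _mint(msg.sender, 1_000_000 * 10 ** decimals());
    }

    function burn(address from, uint256 amount) external {
        _burn(from, amount); // missing access check
    }
}

// Hardened pattern: burning another account's balance requires BURNER_ROLE,
// which only DEFAULT_ADMIN_ROLE (the deployer here) can grant. Holders may
// still burn their own tokens without any role.
contract RestrictedBurnToken is ERC20, AccessControl {
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");

    constructor() ERC20("Example Token", "EXM") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _mint(msg.sender, 1_000_000 * 10 ** decimals());
    }

    // Modifier style: onlyRole reverts unless msg.sender holds BURNER_ROLE.
    function burnFrom(address from, uint256 amount) external onlyRole(BURNER_ROLE) {
        _burn(from, amount);
    }

    // Explicit require style, equivalent to the modifier above.
    function burnFromChecked(address from, uint256 amount) external {
        require(hasRole(BURNER_ROLE, msg.sender), "caller is not a burner");
        _burn(from, amount);
    }

    // Self-burn needs no role: the caller can only reduce their own balance.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }
}
```

The important difference is not the modifier versus the `require` form, which are equivalent, but that the hardened contract ties the right to burn someone else’s balance to an explicitly granted role rather than leaving it open to every caller. When reviewing a token, check every function that reaches `_burn`, `_mint` or `_transfer` with a caller-supplied `from` address and confirm each one is gated.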

Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord