This week, another case of poor change management resulted in the Safemoon token having its liquidity pool (LP) liquidated. For those who don’t know what that means, someone made off with about $9 million. This is an evolving story; I’ll have updates at the bottom as information is released.
Some history: the Safemoon cryptocurrency is a decentralized token built on the Ethereum blockchain. It was created to provide holders with incentives through deflationary mechanics and a “moon” feature that rewards “HODLers” (that’s not a typo; it means Hold On for Dear Life) for holding the token over a certain period of time. The project has seen explosive growth since its launch in late 2020, with tens and hundreds of thousands of members in the Safemoon community.
Safemoon cryptocurrency rewards its holders by burning tokens. Whenever a transaction is made, 10% of the transaction fee is burned and destroyed forever. This process gradually reduces supply while increasing demand, driving up the token’s price and incentivizing holders to hold on to their tokens for as long as possible.
A cryptocurrency’s Liquidity Pool (LP) is a set of tokens that have been deposited by traders into an exchange and allow traders to buy and sell tokens without needing to wait for counterparties. This pooling of liquidity helps to ensure that the market remains liquid and allows for faster trades, as users can execute orders quickly.
Transactions are part of smart contracts, a type of digital contract that makes use of blockchain technology to facilitate the execution of agreements between two or more parties. Smart contracts can be programmed to carry out specific functions, such as transferring funds, burning tokens and other blockchain transactions.
The LP assures holders that their holdings will remain in circulation and not get dumped onto the market, flooding it with sell orders and driving down the value of their assets. By having a large and deep LP, traders can take advantage of price movements quickly and efficiently, which is especially beneficial when trying to capitalize on short-term opportunities.
Furthermore, the LP protects against malicious actors who could manipulate prices or cause flash crashes. By having a broad base of liquidity providers, it is harder for one actor or group to control or manipulate the markets.
If this sounds helpful for all stakeholders, it is. When notorious bank robber Willie Sutton was asked why he robbed banks, his response was “That’s where the money is.” The same logic applies to the LP and crypto bad actors, who are trying to rob the crypto LP bank.
One way to combat these bad actors is the distinction between two kinds of programming functions. Smart contracts have two self-explanatory categories: public and private functions. Private functions often contain sensitive information such as user credentials, private keys, and other confidential functions.
If private functions somehow become public, malicious actors could gain access to this information and use it for criminal activities. Worse, code errors that are normally hidden within the private functions can be exposed when they become public, leading to unexpected actions that have a negative impact on the system’s overall performance and stability.
Even worse, anyone with access to the code may be able to modify the contracts in ways that were not intended by their developers, potentially leading to disastrous consequences if not addressed quickly. This is what appears to have happened with Safemoon.
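As an added illustration, not Safemoon’s code and not part of the original post, here is a hypothetical Solidity token showing how a burn helper that should stay internal can be exposed by a single visibility change, and what the restricted form looks like. Contract and function names are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical token, written to illustrate function visibility only.
// Solidity visibility keywords decide who may call a function:
//   private  - only this contract
//   internal - this contract and contracts that inherit from it
//   external - only callers outside the contract (accounts, other contracts)
//   public   - anyone, inside or outside
contract VisibilityDemo {
    address public owner;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Core burn logic. Kept internal so it can only run through the
    // deliberately exposed entry points below.
    function _burn(address from, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }

    // BEFORE (the kind of change a release review should catch): the helper
    // is re-exposed as public with no access check, so any account can burn
    // tokens held by any other address. Left commented out on purpose.
    // function burn(address from, uint256 amount) public {
    //     _burn(from, amount);
    // }

    // AFTER: a holder may burn only their own tokens ...
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // ... and burning from a third-party address requires the owner role.
    function burnFrom(address from, uint256 amount) external onlyOwner {
        _burn(from, amount);
    }
}
```

A change-management check that fits this page’s point is to diff every release against the audited version and flag any function whose visibility widened (private or internal to public or external) or whose access-control modifier was dropped.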
It’s been reported that the exploit was a commonly known issue that somehow managed to avoid detection during the change management process.
Crypto smart contract auditors look for several key indicators when assessing the security of a particular blockchain-based contract. These include ensuring that the code is bug-free and does not contain any coding vulnerabilities, verifying that all private functions are kept secure and inaccessible to external users, testing for potential attack vectors, and checking for software issues such as memory leaks.
Additionally, they often employ specialized tools to detect any malicious activities within smart contracts, such as unauthorized access or fraud. The problem in this case is that the audit was conducted prior to at least two changes being released into production.
Update: it’s been reported that the hacker drained the pool and is now looking for a bug bounty for finding the exploit in exchange for returning the stolen funds. Since all the wallet addresses are known, in theory they can be locked down so the funds can’t be transferred. We’ll keep you posted.