Vulnerabilities Identified on DeFi Project Safemoon by HashEx

Blockchain audit and consulting firm HashEx issued a report claiming that it had been able to detect a total of twelve vulnerabilities — representing varying degrees of severity — in SafeMoon’s (SAFEMOON) smart contract architecture. As a result, the firm claims that the digital asset holdings of nearly two million investors may be at risk.

Furthermore, it bears mentioning that at least two were found to be critical of all the detected problems while another three posed a “high risk” threat to the system. And if that wasn’t enough, HashEX’s audit team pointed out that SafeMoon’s digital framework contains an intrinsic flaw that can enable miscreants to alter commission transfer settings fairly easily. 

The above-stated loophole potentially opens up channels for potential rug pulls as well as affording hackers. The ability to exclude holders from receiving their commissions, prevent internal token swaps from taking place, temporarily block token transfers, and in some cases, even manipulate the coding of the platform’s native smart contract.

A Closer Look at the Matter

From a technical standpoint, as things stand, SafeMoon’s smart contract charges a flat 5% fee on any transfer taking place within the ecosystem. These tokens are doled out to owners of the currency as incentives, giving them even more reason to HODL SAFEMOON. 

That said, HashEx’s team claims that owing to the fact an external account holder owns the platform’s smart contract, there is enough reason to warrant a certain degree of caution when dealing with SafeMoon, adding:

In case the ‘owner address’ is compromised, a rug pull of over $20,000,000 can happen at any moment. Because it’s about 15% of all liquidity that is being held in liquidity pools, the SAFEMOON exchange rate can go down rapidly.

Therefore, in the unfortunate event of SafeMoon’s external account ever being compromised, there is a possibility that a third-party agent can potentially wipe out the platform’s internal liquidity pool as well as prevent SafeMoon developers from sending tokens to a burn address. And while SafeMoon Chief Technology Officer (CTO) Thomas Smith claims that he was aware of the issues beforehand, he concedes that the best way to resolve the issues mentioned above was via a hard fork. 

In that sense, it is worth noting that there are many other platforms, such as PERA, even as we speak. They utilize a wide array of features akin to those of SafeMoon’s — but have been able to mitigate the above stated problems entirely, primarily by employing different smart contract coding structures. 

For example, PERA uses a feature referred to as ‘frictionless yield’ in its smart contract code, thus adding the ‘balance update’ module, which seems to be missing in SafeMoon and other similar projects. PERA also employs the optimal implementation of the ‘includeInReward’ function, which has been wrongly employed within the native SafeMoon smart contract.

Lastly, it should be mentioned that the PERA token smart contract has been audited and cleared by leading cybersecurity/blockchain analytics firm Holborn. According to its report, the company could not detect any major security flaws with the platform’s digital infrastructure, particularly those that were found to have compromised SafeMoon.

What Lies Ahead?

As per several reports, in recent months, the Binane Smart Chain (BSC) has been faced with multiple hack attempts, so much so that three of the most prominent DeFi attacks in recent memory have all been on platforms built atop BSC. For example, just last month, it came to light that the Spartan Protocol had been compromised to a tune of more than $30 million.

Similarly, Pancake Bunny has also been a victim of a massive $200 million flash loan attack recently. Since the debacle, the price of the project’s associated token — ala BUNNY — has been on a continued downward slide and has lost more than 90% of its value. The exact same scenario was also witnessed concerning a platform called Uranium Finance, where third-party miscreants could steal a staggering $50 million after learning about a malicious exploit in the project’s framework.

As is clear for everyone to see, these hack-related problems have increased quite a bit since the start of 2021. Because, a large number of DeFi projects have continued to migrate to blockchain networks other than Ether, especially after its native gas fee rates scaled up to an insane $40 and $75 (per transaction) during February and April, respectively.

Trevor Holman

Trevor Holman follows crypto industry since 2011. He joined CryptoNewsZ as a news writer and he provides technical analysis pieces and current market data. He is also an avid trader. In his free time, he loves to explore unexplored places.

Related Articles

Back to top button