defirisk.co
rubric v1.7.0

Safemoon: Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain

Safemoon's self-described "un-ruggable" locked liquidity was drained for $8.9M after a routine upgrade introduced a public burn() function that let anyone destroy LP tokens, manipulate the pool price, and extract BNB.

Occurred 2023-03-28 Loss $9M Status closed

Summary #

Safemoon suffered a Algorithmic Token / AMM Liquidity Pool on 2023-03-28, resulting in a loss of approximately $9M.

What happened #

Safemoon's self-described "un-ruggable" locked liquidity was drained for $8.9M after a routine upgrade introduced a public burn() function that let anyone destroy LP tokens, manipulate the pool price, and extract BNB.

Linked factors #

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — the upgrade was not reviewed]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the vulnerability was introduced by the upgrade deployed 6 hours before the attack] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the vulnerability was introduced by the upgrade deployed 6 hours before the attack] || Time between audit end and deploy [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Safemoon Deployer upgraded the token contract 6 hours before the exploit]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — BEP-20 token with custom transfer mechanics (PancakeSwap liquidity)]
  • RD-F-139 — causal : ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the vulnerability was introduced by the upgrade deployed 6 hours before the attack]