SafeMoon was exploited in March after a smart contract update led to a burn call vulnerability allowing hackers to transfer funds.
The decentralized finance project SafeMoon, which was exploited in March, resulting in a net loss of $8.9 million in BNB (BNB), has been charged by the United States Securities and Exchange Commission (SEC) for security rules violations and fraud.
The funds associated with the exploit have been on the move via centralized exchanges (CEXs), with blockchain analytic firm Match Systems believing the transfers could become critical for law enforcement agencies.
Sean Thornton from Match Systems told Cointelegraph that it suspects CEXs were used as an intermediate link in the money laundering chain:
“On CEXs, funds could be exchanged for other tokens and withdrawn further, and accounts on a CEX could be registered for drops (dummy persons). Taking into account the fact that it is almost impossible to trace the movement of funds through a CEX without a request from law enforcement agencies, a CEX is a more preferable option than a DEX [decentralized exchange] for a hacker to gain time and confuse paths.”
Match Systems carried out a post-mortem of the SafeMoon smart contract and the subsequent movement of funds to analyze the behavior of the exploiters. The analysis revealed that the hacker exploited a vulnerability in SafeMoon’s contract associated with the “Bridge Burn” feature, allowing anyone to call the “burn” function on SafeMoon (SFM) tokens at any address. These attackers used the vulnerability to transfer other users’ tokens to the developer’s address.
The transfer made by exploiters resulted in 32 billion SFM tokens being sent from SafeMoon’s liquidity pool address to SafeMoon’s deployer address. This led to an instant pump in the value of tokens. The exploiter used the price pump to swap some of the SFM tokens for BNB at an inflated price. As a result, 27,380 BNB were transferred to the hacker’s address.
Match System found that the smart contract vulnerability was not present in the previous version and only came in with the new update on March 28, the day of the exploit, leading many to believe an insider was involved. These speculations gained more fuel by Nov. 1 as the SEC filed charges against the SafeMoon project and three of its executives, accusing them of committing fraud and violating securities laws.
Thornton told Cointelegraph that the SEC accusations are not unfounded, and they also found evidence that may indicate the involvement of SafeMoon management in the hacking that occurred. He added that whether this was done intentionally or as a result of employee negligence will be determined by law enforcement.
The SEC alleges that the CEO of SafeMoon, John Karony, and the chief technical officer, Thomas Smith, embezzled investor cash and withdrew $200 million in assets from the enterprise. The SafeMoon executives are also facing charges from the U.S. Justice Department for conspiring to commit wire fraud, money laundering and securities fraud.
The hacker behind the attack initially claimed they had mistakingly exploited the protocol and wanted to set up a communication channel to return 80% of the funds. Since then, the funds linked to the exploits have moved many times via CEXs like Binance, which the analytic firm believes will be critical for law enforcement agencies to track down the perpetrators of the exploit.