On account of purported security vulnerabilities in its smart contract code, Popular TikTok viral “meme coin” SafeMoon could be vulnerable to malicious exploits by hackers.
SafeMoon currently has 12 of such vulnerabilities with five being classified as ranging between being of a “critical” and “high-severity” nature, according to a smart contract audit by blockchain security firm HashEx.
SafeMoon is vulnerable to a “Temporary ownership renounce” attack and a subsequent rug pull to the tune of $20 million, as alleged as part of its findings, the HashEx audit. The SafeMoon contract owner is an externally owned account, or EOA, that controls a significant proportion of the coin’s liquidity, according to HashEx. Indeed, the HashEx team alleges that a hacker can temporarily override any attempts by the SafeMoon devs to send the tokens to the burn address.
In the event of the EOA being compromised either by internal or external rogue actors, an attacker can drain the liquidity pool. Indeed, the HashEx team alleges that a hacker can temporarily override any attempts by the SafeMoon devs to send the tokens to the burn address.
However, the SafeMoon team has countered HashEx’s findings, telling Cointelegraph that contract ownership is securely held. One SafeMoon developer said that the team was aware of the issue has policies in place to ensure that the owner wallet is never connected to any third-party decentralized applications.
Apart from the potential for a $20 million rug pull, HashEx also identified a few reportedly problematic contract set functions that can allow an attacker to exclude certain users from receiving rewards or distribute rewards to a specific wallet.
Under normal conditions, each SafeMoon token sale attracts a 10% fee with half of that sum distributed as rewards for existing holders. However, HashEx alleges that an attacker can set contract functions like fees, and maximum transaction amounts to any value and siphon 100% commissions from each sale.
In effect, during a possible attack, a hacker can steal proceeds from each token sale and redirect same to specified wallets. Indeed, with all of these alleged vulnerabilities in mind, the blockchain security firm says an attacker can synergize these purported loopholes to launch an elaborate chain attack.
Responding to the HashEx audit, Thomas Smith, chief technology officer at SafeMoon said that the team was aware of the issues having already been intimated by its smart contract auditor Certik.
According to Smith, a hard fork will be required to solve many of the concerns raised by HashEx. Echoing the sentiments shared by the previously quoted SafeMoon dev, Smith stated:
“Addressing these other issues, such as ownership renounce being able to be taken back by the contract deployer, we are never going to renounce and have made our stance on that clear in the past. Internally we have policies and procedures around how the contract operates to alleviate risk of mishandling values, however, you will never see us modify fees or maxTx.”