Posted 9 months ago | by Catoshi Nakamoto
Memecoin holders BEWARE. There is a nasty exploit draining all of your favorite meme coins and the reflection coins which reward you for holding them. This exploit traces back to Safemoon’s contract, and today we are going to tell you why Safemoon is anything but safe. In fact, Safemoon’s exploitable contract being forked by hundreds, or thousands, of projects may be the downfall of the memecoin market. A memecoin apocalypse? Pardon me for busting a move in celebration.
Let’s get it!
Welcome to BitBoy Crypto. Home of the Bitsquad, the largest crypto community in all the interwebs. My name is Ben. Every day I show YOU how to MAKE MONEY in Crypto. If you like money and crypto then make sure to hit that subscribe button. Today, we are going to discuss a crippling bug in the biggest memecoins and how you can avoid getting rekt.
Before we get into it, make sure to enter the 5ETH to 5 Million giveaway. We are growing the Bitsquad to 5 million across the interwebs and you can get in on the action. We are giving away 5 Ethereum, $1000 in Cardano, XRP, VeChain and Matic. Click the gleam.io link in the description to enter for your chance to win.
Look folks. I don’t like memecoins. That’s pretty obvious. In fact you can watch this video here for a breakdown on the worst of them. But I’m not alone. A lot of crypto OGs aren’t fans either. In fact, even the Russ Hanneman of crypto himself, Richard Heart, preached about Safemoon and that it is a fork of an old ponzi project known as Proof Of Weak Hands or REFLECTION TOKENS. It’s the same basic concept: buyers get taxed and sellers get taxed, and those that hold get rewarded based on how much of the supply they actually hold. So if you got in super early you will get rewarded more than if you just got in now. Again, Safemoon is literally the definition of a ponzi scheme. New buyers pay those already involved with a percentage of transaction fees and old users sell out. But if the buying stops then you are not only left holding your current bag but you will no longer receive rewards. Like the stock market.
However, this isn’t about Safemoon being potentially one of the world’s biggest Ponzis since Plus Token. This is about a massive exploit to steal funds from its contract and from any reflection/redistribution token’s contract.
With that out of the way, what if I told you that, along with Crypto Security team CEEZEE Safu and Satoshi Street Bets, Bitboy Crypto has uncovered an exploit in Safemoon’s contract? This exploit allows you to capture liquidity pool rewards and sell them, all without ever owning the token. This in turn allows an exploiter to drain not only Safemoon but every forked iteration of it. We will get to that list in a bit… But first, allow me to explain this a little more thoroughly. This exploit allows the siphoning of tokens from holders without their knowledge. CEEZEE recently wrote on Medium:
“During our investigation we identified a series of unexplainable micro-sells that are either unnoticed or written off as bots manipulating buys/sells (e.g., front-running). Going down this rabbit hole is tricky as you will stand in confusion with how there had been a sell when the person never held the token.”
While that sounds crazy, it’s actually possible to create a bot that can catch the auto-reflection to the liquidity pair, sell it against the BNB pair, and ultimately steal that BNB. All without ever owning the token being attacked. That’s the equivalent of going in the bank, robbing it, then turning around and selling that worthless fiat back to the bank in exchange for gold. It’s a pretty nuanced exploit.
Here are some of the suspicious micro-transactions in question on Dextools.
So you are probably asking, “who sells that little?” When tracking one of these exploit sells, it becomes apparent that this address never actually held any tokens at all! So that establishes this isn’t a front run bot, as front run bots purchase right before your transaction goes through to push the price higher and then sell to you.
We’ll use this specific address on your screen to illustrate and show the exploit: 0x35388c6aa5c958fd9c1265d3ff8e2b1ca38e556a. You can check the wallet balance or the BEP-20 transactions for yourself and see that this address never held any of the token.
When you look a little deeper at the transaction hash, it becomes more clear that there was a sell that took place engaging with the token. Yet, it’s selling the token on the market to recoup some BNB. So, how did it sell something it never had?
This is hedge fund levels of graft. The exploit is hard to spot, but we know that it uses the infamous Miner Extractable Value or MEV exploit and calls a function in the reflection token contract. With that said, unless you are a trained blockchain coder you won’t be able to pull this off, because you need to write a bot that executes the call in the contract and the MEV exploit at the same time.
Take a look at these three transaction hashes showing other projects being exploited in this manner. You can clearly see that it has been targeted and engaged with.
When we explore the wallet address these exploits are tied to even further, we can see this is being done to several projects, snatching up small amounts of BNB. This all adds up in the end, and this is being done on a large scale to hundreds if not thousands of projects. Don’t miss the fact that Safemoon has ALREADY been exploited, with millions of dollars stolen, and it WILL happen again.
So what are other projects that are affected by this attack besides Safemoon? Here is a partial list:
Everrise, Poocoin, Safemars, Bonfire, Safe Shepherd, Apeswap, Dogefather, Elongate and several more we will have listed in the description. But as a rule of thumb, if the project has a built-in reflection token or some kind of payback mechanism to hodlers, it is PROBABLY susceptible to this exploit.
Meme coins are fun, and I am not going to say that you can’t make money off of them, because people have. Just like the lottery. But just because people win the lottery, doesn’t mean it’s sound financial practice. In fact… this IS financial advice: DON’T PLAY THE LOTTERY. Whew. I feel better. The fact is, these meme coins are 99% just pump and dumps and most serve no real purpose. Very few meme coins will be around in the future as they have no use case; they are just a fad, and once that trend is over they will drop to 0 or close to it during the bear cycle. The other problem is that most are just forks of other coins. Which means that if the original contract or code is not audited and safe, the forked project will have the same issues. This is one reason that you shouldn’t just throw your money at random projects. The other reason is malicious contracts that will steal all of your funds in Metamask when you connect your wallet to their contract. But more on that in another video.
So how do projects fix their contracts and prevent this exploit from happening to their coin? The simple solution is to blacklist the liquidity pair from the auto-reflection or auto-redistribution in the contract. However, there’s one key problem with many of these coins: the creators or founders, including Safemoon’s, have renounced ownership of the contract in good faith to appeal to the community as not being a rug pull. Although this is seen as a positive thing, by doing so they have actually left themselves wide open for this attack and others, which allows consistent sell pressure without a way to intervene. I hope this is a lesson for you all: Safemoon and its forks with redistribution of rewards are anything but safe. A renounced contract is a dead contract. Please understand that when a contract is renounced, simple problems like this can never be fixed, leaving you as a pawn to the scammers. The other lesson here is NEVER trust something that has SAFE in its name. Once again thanks so much to Ceezee Safu and Satoshi Street Bets for working with us to get this information out to the public.
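To make the fix above concrete, here is an added example (not code from this post, from CEEZEE, or from any project's contract): a toy reflection ledger in Python that compares a liquidity pair left in the redistribution with one excluded from it. The 5% fee, the account names and the amounts are assumptions chosen for illustration.

```python
from fractions import Fraction

class ReflectionToken:
    """Toy reflection-fee ledger (constructed model, not Safemoon's code)."""
    FEE = Fraction(5, 100)  # assumed redistribution fee per transfer

    def __init__(self, supply, owner):
        self.t_total = Fraction(supply)
        self.r_total = Fraction(supply) * 10**6  # arbitrary reflected-space scale
        self.r_owned = {owner: self.r_total}
        self.t_owned = {}  # fixed balances of accounts excluded from rewards

    def _rate(self):
        r, t = self.r_total, self.t_total
        for acct, bal in self.t_owned.items():  # excluded accounts earn nothing
            r -= self.r_owned[acct]
            t -= bal
        return r / t

    def exclude(self, acct):
        bal = self.balance_of(acct)
        self.r_owned.setdefault(acct, Fraction(0))
        self.t_owned[acct] = bal

    def balance_of(self, acct):
        if acct in self.t_owned:
            return self.t_owned[acct]
        return self.r_owned.get(acct, Fraction(0)) / self._rate()

    def transfer(self, src, dst, amount):
        rate = self._rate()
        fee = amount * self.FEE
        self.r_owned[src] -= amount * rate
        self.r_owned[dst] = self.r_owned.get(dst, 0) + (amount - fee) * rate
        if src in self.t_owned:
            self.t_owned[src] -= amount
        if dst in self.t_owned:
            self.t_owned[dst] += amount - fee
        self.r_total -= fee * rate  # fee is spread over all included holders

def pair_surplus(exclude_pair):
    tok = ReflectionToken(1_000_000, "deployer")
    if exclude_pair:
        tok.exclude("pair")
    tok.transfer("deployer", "pair", 500_000)   # liquidity is added
    reserve = tok.balance_of("pair")            # balance the pair records
    tok.transfer("deployer", "alice", 100_000)  # unrelated holder traffic
    tok.transfer("alice", "bob", 50_000)
    return tok.balance_of("pair") - reserve     # tokens the pair never priced
```

A positive result from `pair_surplus(False)` is the unaccounted balance that builds up on an included pair; with the pair excluded the result is exactly zero, which is the state a contract owner can no longer reach once ownership has been renounced.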
But that’s all I got. Be blessed. Bitboy out!