DeFiDeFi hackers hit BNB Chain-based meme coin launchpad Four.Meme Tuesday morning, forcing the suspension of its token liquidity pool on PancakeSwap.
The attack was initially flagged by blockchain security firm SlowMist, which revealed the Four.Meme exploit was carried out using a vulnerability in the platform’s smart contract.
🚨SlowMist Security Alert🚨
The attacker purchased a small amount of tokens before launch through the 0x7f79f6df function of @four_meme_, and used this feature to send tokens to a specified PancakeSwap Pair address that had not yet been created.
The attacker exploited a critical flaw in Four.Meme’s liquidity mechanism that enabled them to “bypass transfer restrictions and manipulate liquidity pool pricing,” smart contractsmart contract audit firm QuillAudits told Decrypt.
This marks the second time in the last two months that Four.Meme has experienced an attack, which previously saw $183,000 stolen due to a different vulnerability that allowed a bad actor to manipulate liquidity on PancakeSwap.
How the exploit worked
On this occasion, the attacker first acquired a small amount of Four.Meme tokens before the official launch using the “0x7f79f6df” function.
“Instead of holding or transferring them traditionally, they sent the tokens to a non-existent PancakeSwap Pair address,” QuillAudits' report said.
Like many decentralized exchangesdecentralized exchanges, PancakeSwap, which recently saw a surge in popularity, needs a special address (called a pair address) to match up the two tokens in a trading pair (for example, Four.Meme tokens and BNB).
PancakeSwap, a decentralized exchange on Binance Smart Chain, has the largest trading volume over the past 24 hours—beating even Ethereum-based competitor Uniswap.
And according to CoinGecko, all that volume has sent the price of its CAKE token surging as much as 40% in the past day. This comes after Binance delisted Tether from its centralized exchange, prompting an increase in Tether volume on PancakeSwap, and an unrelated surge of interest in meme coins on Binance Smart Chain.
CAKE is up 37%...
Normally, this address is created when the tokens are launched and traded.
In this case, the attacker sent the tokens to an address that didn't exist yet—meaning the pair for the Four.Meme token on PancakeSwap hadn't been created.
Since the pair address didn’t yet exist, the attacker was able to create it themselves. By doing so, the attacker was able to add liquidity (tokens for trading) at an incorrect price, which let them manipulate the system and steal funds from the liquidity pool.
The hacker withdrew 69 BNB from a FixedFloat hot wallet “0x47…c95,” three days before the attack. They deployed multiple contracts to facilitate the attack.
The attacker then sent the stolen 67.3 BNB to one wallet address, “0x4c…805,” and 205 BNB to another, “0x88…456,” the report noted. The 205 BNB was then split and moved across four wallets.
Following the attack on the meme coin platform, the stolen funds of over $174k were moved across several wallets to obfuscate the trail.
The hacker then laundered the stolen funds through PancakeSwap’s $BROCCOLLI 3 contract, QuillAudits said.
A total of 192 WBNB was swapped and distributed across several PancakeSwap contracts, including PancakeSwap DCA 32 (0x77C1dF8...), PancakeSwap MuBrocolli (0xcaC54d89...), and others.
Four.Meme’s response
In response to the breach, Four.Meme halted the launch function and issued an emergency statement.
“We will compensate affected users and provide a damage submission form to collect relevant information,” the platform tweeted on Tuesday.
Currently, https://t.co/IRnIR1BwDd is under attack, and the launch function has been suspended for emergency investigation.
We will compensate affected users and provide a damage submission form to collect relevant information.
A few hours later, Four.Meme announced that operations had resumed after the platform had conducted security checks, asking affected users to file their claims.
Four.Meme's platform has seen a significant increase in activity since its creation, with a total of 74,607 unique tokens being launched on the platform, per data from Dune Analytics.
While the platform has taken steps to prevent future incidents, both attacks point to the ongoing risks facing decentralized platforms, especially those handling large amounts of liquidity in meme coin markets.
Last month, zkLend, a decentralized money lending platform on the Starknet blockchain, fell victim to a major attack, losing $9.5 million in crypto assets.
zkLend later offered the hacker a 10% bounty (around 3,300 ETH, worth approximately $8.78 million) in exchange for the return of the stolen funds.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Curve Finance founder Michael Egorov told Decrypt that "for-hire" hackers are coordinating cross-platform attacks, making it increasingly difficult to secure DeFi projects.
One example is the DNS attack on Curve Finance last month. The decentralized finance protocol's front-end website was compromised, allowing attackers to redirect users to a malicious site.
"Different hackers could coordinate efforts across platforms, compromising them at the same time for greater impact and profit," Egorov to...
HYPE, the native token of Hyperliquid, was a standout performer among altcoins in May, as traders flocked to the decentralized exchange’s perpetual futures offering, according to a report published by asset manager Grayscale on Monday.
HYPE was recently changing hands around $37.72, a 14% increase over the past day, according to crypto data provider CoinGecko. Over the past 30 days, the token’s price has soared 80%. HYPE reached an all-time high of $39.68 just over a week ago.
“Hyperliquid has s...
Publicly traded real estate tech company DeFi Development Corporation further intensified its rapidly growing commitment to Solana with the creation of a liquid staking token alongside a collaboration with Kamino Finance, a leading DeFI protocol in Solana’s ecosystem.
The liquid staking token or LST, called dfdvSOL—which was created with LST platform Sanctum—allows users staking Solana (SOL) via the DeFi Development Corp. validator group to maintain liquidity while their native Solana tokens ar...
