The attacker who drained $8.9 million of Binance Coin (BNB) from SafeMoon has agreed to return 80% of the funds, according to an April 18 blockchain message from the SafeMoon team.
Breaking News: #SafeMoon has struck a deal with the “hacker”— SafeMoonSpidey.sfm ⎷ (@SafeMoonSpidey) April 18, 2023
80% LP return imminent.
20% bounty for “hacker”
And no charges pressed
Now, back to your regularly scheduled program. pic.twitter.com/x94fSb4EoP
SafeMoon is a decentralized finance (DeFi) protocol that runs on BNB Chain. It was hacked on March 28, resulting in a loss of 27,000 BNB, worth $8.9 million at the time.
On April 18, at 1:19 p.m. UTC, the SafeMoon Deployer account posted a transaction to the BNB network with the attacker’s address as the recipient. The transaction contained a coded message in 8-bit Unicode Transformation Format (UTF-8) that stated the following:
“SafeMoon has reached an agreement with the party currently holding the funds. Specifically, SafeMoon has agreed to accept 80 percent of the amount returned, with the other party retaining the balance as a bounty. SafeMoon has further agreed not to file any legal actions against them. After careful consideration of the circumstances, it is believed this is in the best interest of SafeMoon and the community.”
The coded message is the latest in a series of communications between the SafeMoon team and the attacker as the parties attempted to settle. On March 29, the attacker claimed they had drained the funds accidentally.
The team responded on the same day, asking the attacker to offer a Telegram handle where they could be contacted. The attacker did not provide a Telegram handle but did provide an anonymous Outlook email address instead. The team then stated, “Email message sent. 12:33 UTC.”
There was no further blockchain communication between the two sides until the April 18 message confirming that the agreement had been made.
Hacking DeFI protocols and negotiating to keep some funds has become common recently. On April 4, the Euler Finance attacker, who had previously drained over $196 million from Euler, issued an apology message and returned nearly all of the funds gained from the attack. On April 6, the exploiter who had drained $967,000 of crypto from Sentiment returned nearly 90% of it after the team agreed to let them keep the remaining amount.
Some Web3 developers have argued that bug bounties should be larger and development teams should be more diligent about paying them, as they allege this could motivate hackers to report bugs instead of exploiting them.