Meme Coin Launchpad Four.Meme Falls Victim to Another Exploit


DeFi hackers hit BNB Chain-based meme coin launchpad Four.Meme Tuesday morning, forcing the suspension of its token liquidity pool on PancakeSwap.

The attack was initially flagged by blockchain security firm SlowMist, which revealed the Four.Meme exploit was carried out using a vulnerability in the platform’s smart contract.

The attacker exploited a critical flaw in Four.Meme’s liquidity mechanism that enabled them to “bypass transfer restrictions and manipulate liquidity pool pricing,” smart contract audit firm QuillAudits told Decrypt.

This marks the second time in the last two months that Four.Meme has been attacked. The previous attack saw $183,000 stolen through a different vulnerability that allowed a bad actor to manipulate liquidity on PancakeSwap.

How the exploit worked

On this occasion, the attacker first acquired a small amount of Four.Meme tokens before the official launch using the “0x7f79f6df” function.

“Instead of holding or transferring them traditionally, they sent the tokens to a non-existent PancakeSwap Pair address,” QuillAudits' report said.

Like many decentralized exchanges, PancakeSwap, which recently saw a surge in popularity, needs a special address (called a pair address) to match up the two tokens in a trading pair (for example, Four.Meme tokens and BNB).

Normally, this address is created when the tokens are launched and traded.

In this case, the attacker sent the tokens to an address that didn't exist yet—meaning the pair for the Four.Meme token on PancakeSwap hadn't been created.

Since the pair address didn’t yet exist, the attacker was able to create it themselves. By doing so, the attacker was able to add liquidity (tokens for trading) at an incorrect price, which let them manipulate the system and steal funds from the liquidity pool.
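A defender's view of the flaw described above, as an added example that is not code from Four.Meme, PancakeSwap or QuillAudits: a toy Python model of two checks, rejecting pre-launch transfers to the pair address and refusing to seed liquidity into a pair that someone else created or that is mispriced. The `Pair` class, the function names, the placeholder addresses and the 1% tolerance are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Pair:                      # toy stand-in for a DEX pair, not PancakeSwap code
    creator: str
    token_reserve: int = 0
    bnb_reserve: int = 0

    def price(self):
        """BNB per token implied by the reserves; None while the pair is empty."""
        if self.token_reserve == 0:
            return None
        return Fraction(self.bnb_reserve, self.token_reserve)

def transfer_allowed(recipient, launched, future_pair_address):
    """Rule for the pre-launch restriction: reject the pair address even before
    the pair exists. Assumes the launchpad knows that address ahead of launch."""
    return launched or recipient != future_pair_address

def listing_check(pair, launchpad, listing_price, max_dev=Fraction(1, 100)):
    """Decide whether the launchpad may seed liquidity. Returns (ok, reason)."""
    if pair is None:
        return True, "no pair yet"
    if pair.creator != launchpad:
        return False, "pair created by another address"
    price = pair.price()
    if price is not None and abs(price - listing_price) > max_dev * listing_price:
        return False, "pair price deviates from listing price"
    return True, "pair matches listing price"

# Constructed sample state; addresses and amounts are placeholders.
LAUNCHPAD, OTHER, FUTURE_PAIR = "0xLAUNCHPAD", "0xOTHER", "0xFUTUREPAIR"
LISTING_PRICE = Fraction(1, 1_000_000)          # intended BNB per token

def demo():
    foreign = Pair(creator=OTHER, token_reserve=1_000, bnb_reserve=50)
    own_ok = Pair(creator=LAUNCHPAD, token_reserve=1_000_000, bnb_reserve=1)
    own_skewed = Pair(creator=LAUNCHPAD, token_reserve=1_000, bnb_reserve=50)
    return {
        "pre_launch_to_pair": transfer_allowed(FUTURE_PAIR, False, FUTURE_PAIR),
        "pre_launch_to_user": transfer_allowed("0xUSER", False, FUTURE_PAIR),
        "no_pair": listing_check(None, LAUNCHPAD, LISTING_PRICE),
        "foreign_pair": listing_check(foreign, LAUNCHPAD, LISTING_PRICE),
        "own_pair": listing_check(own_ok, LAUNCHPAD, LISTING_PRICE),
        "own_skewed": listing_check(own_skewed, LAUNCHPAD, LISTING_PRICE),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```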

The hacker withdrew 69 BNB from a FixedFloat hot wallet “0x47…c95,” three days before the attack. They deployed multiple contracts to facilitate the attack.

The attacker then sent the stolen 67.3 BNB to one wallet address, “0x4c…805,” and 205 BNB to another, “0x88…456,” the report noted. The 205 BNB was then split and moved across four wallets.

Following the attack on the meme coin platform, the stolen funds of over $174k were moved across several wallets to obfuscate the trail.

The hacker then laundered the stolen funds through PancakeSwap’s $BROCCOLLI 3 contract, QuillAudits said.

A total of 192 WBNB was swapped and distributed across several PancakeSwap contracts, including PancakeSwap DCA 32 (0x77C1dF8...), PancakeSwap MuBrocolli (0xcaC54d89...), and others.

Four.Meme’s response

In response to the breach, Four.Meme halted the launch function and issued an emergency statement.

“We will compensate affected users and provide a damage submission form to collect relevant information,” the platform tweeted on Tuesday.

Currently, https://t.co/IRnIR1BwDd is under attack, and the launch function has been suspended for emergency investigation.

We will compensate affected users and provide a damage submission form to collect relevant information.

Our team is working hard to fix the problem and…

— Four.Meme (@four_meme_) March 18, 2025

A few hours later, Four.Meme announced that operations had resumed after the platform had conducted security checks, asking affected users to file their claims.

🚨 Update from https://t.co/IRnIR1BwDd 🚨

The launch function has now been resumed after a thorough security inspection. Our team has addressed the issue and reinforced system security.

Compensation for affected users is underway. If you haven’t submitted your claim yet, please… https://t.co/CV7JlmJC5V

— Four.Meme (@four_meme_) March 18, 2025

Four.Meme's platform has seen a significant increase in activity since its creation, with a total of 74,607 unique tokens being launched on the platform, per data from Dune Analytics.

While the platform has taken steps to prevent future incidents, both attacks point to the ongoing risks facing decentralized platforms, especially those handling large amounts of liquidity in meme coin markets.

Last month, zkLend, a decentralized money lending platform on the Starknet blockchain, fell victim to a major attack, losing $9.5 million in crypto assets.

zkLend later offered the hacker a 10% bounty (around 3,300 ETH, worth approximately $8.78 million) in exchange for the return of the stolen funds.
