An attacker discovered that anyone could call the burn function on the liquidity pool contract for the ShadowFi project. They were able to exploit this vulnerability by calling the burn function and then taking advantage of the price difference (based on the new circulating supply) to remove all 1078 BNB (~$298,000) in the project’s liquidity pool.The project had only just launched that same day, after running a presale of their SDF tokens. The project promised to allow people to “Take your spending away from the floodlights of surveillance capitalism” and apparently involves sending people prepaid Visa cards to help them cash out their cryptocurrency without connecting a bank account or providing KYC information.

Total loss estimated at $298,200.