Key points:
- Pump.fun, a memecoin launcher on the Solana blockchain, reported a $1.9M loss due to an exploit by a former employee.
- The exploit involved manipulating a “bonding curve” contract and using flash loans, leading to the theft of 12,300 SOL tokens.
- The project has suspended trading, implemented security measures, and is collaborating with law enforcement to address the breach.
Pump.fun, a Meme Coin Launcher on Solana, Reports $1.9 Million Loss Due to Insider Exploit
On May 16, the team behind Pump.fun, a platform for creating meme coins on the Solana blockchain, announced a significant loss. They claimed that a former employee exploited a system vulnerability, resulting in the theft of $1.9 million, equivalent to 12,300 SOL.
Pump.fun Discloses Exploit Details Involving “Bonding Curve” Mechanism
In a post on X, Pump.fun explained that the ex-employee abused their privileged access to manipulate the protocol’s internal systems, using flash loans in a “bonding curve” attack. The attacker targeted the bonding curve contract responsible for issuing meme coins, tricking it into accepting borrowed SOL tokens, obtained through flash loans and swiftly repaid. This filled the bonding curves, falsely inflating the token values and giving the attacker access to the bonding curve liquidity.
This exploit resulted in the theft of approximately $1.9 million worth of SOL from the total $45 million in liquidity within the bonding curve contracts. Pump.fun responded by deploying contract updates to prevent further theft and is actively collaborating with law enforcement and other relevant parties to address the exploit.
Platform Suspension and Impact on Users
Despite these protective measures, trading on Pump.fun remains suspended, preventing users from buying or selling coins. Additionally, the migration of coins to “Raydium,” a decentralized exchange on Solana, is on hold indefinitely. However, coins that had already migrated and whose liquidity is locked on Raydium remain secure.
Controversial User Takes Credit for Pump.fun Exploit
The individual behind the exploit, a former employee identified as Stacc on X, took credit for the attack. Shortly after the exploit, Stacc posted a series of erratic tweets, expressing a desire to “change the course of history” and discussing personal struggles, including grief over their mother’s death. In these posts, Stacc explicitly claimed responsibility for the theft, indicating the act was motivated by emotional pain rather than financial gain.
Pump.fun has not officially confirmed or responded to Stacc’s claims, and the situation remains fluid, with potential developments expected.