Pump.fun, a meme coin launcher on the Solana blockchain, reported a $1.9 million loss due to an exploit by a former employee.
On May 16, the team behind Pump.fun launcher, a platform for creating meme coins on the Solana blockchain, made a startling claim.
They alleged that a former employee had exploited a vulnerability in their system, resulting in a loss of $1.9 million, or 12,300 SOL.
Meme Coin Launcher Pump.fun Reveals Use of “Bonding Curve” in Exploit
Memecoin launcher Pump.fun revealed in a post on X that an ex-employee abused their “privileged position” to access a “withdraw authority” and compromise the protocol’s internal systems through flash loans and a “bonding curve” attack.
The project did not reveal the identity of the former employee.
https://t.co/uE2QNKXkIT coin migration issue post-mortem
TL;DR:
1. the https://t.co/uE2QNKXkIT contracts are safe. they have always been safe
2. a former employee used their privileged position at the company to misappropriate ~12.3K SOL (~$1.9m)
3. https://t.co/uE2QNKXkIT is…— pump.fun (@pumpdotfun) May 16, 2024
The attacker tricked the bonding curve contract responsible for issuing joke coins on the Pump.fun protocol into accepting SOL tokens that they had borrowed and quickly repaid using a technique called a “flash loan.” This led to the bonding curves filling up, making the tokens look valuable even though no value had been created. This allowed the attacker to access the bonding curve liquidity.
The #memecoin creation tool, https://t.co/4KIoywIc4k, claims a former employee exploited the firm for nearly $2 million 💸 through a "bonding curve" attack. #CryptoScam https://t.co/M2IHWoM1NV
— 1ATH.Studio (@1ATHStudio) May 17, 2024
The exploit led to the theft of approximately $1.9 million worth of SOL out of the total $45 million liquidity in the bonding curve contracts. Pump.fun swiftly implemented measures to protect its protocol, including deploying contract updates to prevent further theft of funds by the attacker. Furthermore, the project is actively collaborating with law enforcement and relevant parties to address the exploit.
We are aware that the https://t.co/uE2QNKXkIT bonding curve contracts have been compromised and are investigating the matter.
We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe.
We’ve paused trading — you…
— pump.fun (@pumpdotfun) May 16, 2024
Despite these efforts, trading on the platform remains suspended, impacting users’ ability to buy or sell coins. Additionally, coins migrating to “Raydium,” a decentralized exchange on Solana, have been on hold indefinitely. However, coins successfully migrated and locked as liquidity providers on Raydium are safe.
Controversial User Takes Credit for Pump.fun Exploit
The individual behind the Pump.fun exploit has been exposed as Stacc on X, a former employee, who posted a series of erratic tweets just minutes after the attack.
In a revealing thread, Stacc boasts about their intention to change the “course of history” while openly discussing their mental health struggles and grief over their mother’s passing. Stacc also explicitly claims responsibility for the theft.
And now; Magick: everybody be cool, this is a r o b b e r y. What it do, staccattack? I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: /x
— 🔥🪂staccoverflow ; j'arrête ; (@STACCoverflow) May 16, 2024
Stacc’s post indicates a desire to express emotional pain rather than profit from the exploit. However, the situation remains fluid and could evolve at a moment’s notice. Memecoin launcher Pump.fun has not officially confirmed or responded to any of Stacc’s claims.