Meme coin Launcher Pump.fun Alleges Former Employee Caused $1.9M Exploit

Key Takeaways

  • Pump.fun, a memecoin launcher on the Solana blockchain, reported a $1.9M loss due to an exploit by a former employee.
  • The exploit involved manipulating a "bonding curve" contract and using flash loans, leading to the theft of 12,300 SOL tokens.
  • The project has suspended trading, implemented security measures, and is collaborating with law enforcement to address the breach.

Pump.fun, a meme coin launcher on the Solana blockchain, reported a $1.9 million loss due to an exploit by a former employee.

On May 16, the team behind Pump.fun launcher, a platform for creating meme coins on the Solana blockchain, made a startling claim.

They alleged that a former employee had exploited a vulnerability in their system, resulting in a loss of $1.9 million, or 12,300 SOL.

Meme coin Launcher Pump.fun Reveals Use of “Bonding Curve” in Exploit

Memecoin launcher Pump.fun revealed in a post on X that an ex-employee abused their “privileged position” to access a “withdraw authority” and compromise the protocol’s internal systems through flash loans and a “bonding curve” attack.

The project did not reveal the identity of the former employee.

The attacker borrowed SOL through a flash loan, tricked the bonding curve contract responsible for issuing joke coins on the Pump.fun protocol into accepting the borrowed tokens, and quickly repaid the loan. This led to the bonding curves filling up, making the tokens look valuable even though no value had been created, and it gave the attacker access to the bonding curve liquidity.

The exploit led to the theft of approximately $1.9 million worth of SOL out of the total $45 million in liquidity held in the bonding curve contracts. Pump.fun swiftly implemented measures to protect its protocol, including deploying contract updates to prevent further theft of funds by the attacker. The project is also actively collaborating with law enforcement and relevant parties to address the exploit.

Despite these efforts, trading on the platform remains suspended, impacting users’ ability to buy or sell coins. Additionally, coins migrating to Raydium, a decentralized exchange on Solana, have been put on hold indefinitely. However, coins successfully migrated and locked as liquidity providers on Raydium are safe.

Controversial User Takes Credit for Pump.fun Exploit

The individual behind the Pump.fun exploit has been exposed as Stacc on X, a former employee, who posted a series of erratic tweets just minutes after the attack.

In a revealing thread, Stacc boasts about their intention to change the “course of history” while openly discussing their mental health struggles and grief over their mother’s passing. Stacc also explicitly claims responsibility for the theft.

Stacc’s post indicates a desire to express emotional pain rather than profit from the exploit. However, the situation remains fluid and could evolve at a moment’s notice. Memecoin launcher Pump.fun has not officially confirmed or responded to any of Stacc’s claims.