Key Takeaways:
- Pump.fun assures users that its smart contracts are secure and pledges to return 100% of the stolen liquidity within 24 hours.
- A former employee exploited Pump.fun’s systems, stealing approximately $1.9 million via a bonding curve attack.
- The platform is collaborating with law enforcement, and trading has resumed after a temporary pause.
Pump.fun announced that its smart contracts remain secure and that affected users will receive “100% of the liquidity” they previously held within the next 24 hours.
Solana memecoin creation platform pump.fun has accused a former employee of exploiting the company for nearly $2 million via a “bonding curve” attack.
https://t.co/uE2QNKXkIT coin migration issue post-mortem
TL;DR:
1. the https://t.co/uE2QNKXkIT contracts are safe. they have always been safe
2. a former employee used their privileged position at the company to misappropriate ~12.3K SOL (~$1.9m)
3. https://t.co/uE2QNKXkIT is…
— pump.fun (@pumpdotfun) May 16, 2024
According to pump.fun's May 16 post on X, the ex-employee allegedly used their “privileged position” at the company to obtain the bonding curve contracts' “withdraw authority”, the signing key that can move liquidity out of the curves, and so compromised the platform's internal systems.
Approximately $1.9 million was stolen from the $45 million held in pump.fun’s bonding curve contracts.
Trading was temporarily paused but has since resumed.
https://t.co/MWMKaMgjN7 identifies $1.9 million exploiter as former employee in post mortem https://t.co/dZl1T6Mso4
— The Block (@TheBlock__) May 17, 2024
Pump.fun assured users that its smart contracts are safe and pledged that impacted users will receive “100% of the liquidity” they previously had within 24 hours.
Prior to pump.fun’s announcement, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, suggested the hack resulted from an internal private key leak, allegedly linked to X user “STACCoverflow.”
It seems like @pumpdotfun lost ~2k SOL ($300k+) and a bunch of memecoins through a possible private key leakage
So let me share evidence of it👇https://t.co/yuuKYkamfZ
1/6
— Igor Igamberdiev (@FrankResearcher) May 16, 2024
In cryptic posts, STACCoverflow claimed they were “about to change the course of history” and were indifferent to the consequences, stating, “I do not care, I am already fully doxxed.”
And now; Magick: everybody be cool, this is a r o b b e r y. What it do, staccattack? I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: /x
— 🔥🪂staccoverflow ; j'arrête ; (@STACCoverflow) May 16, 2024
Pump.fun has been working with law enforcement but has not named the former employee and did not respond immediately to requests for comment.
The alleged exploiter used flash-loaned SOL, reportedly obtained through the Solana protocol Raydium, to “buy as many coins” as possible, pushing each coin toward the top of its bonding curve.
We are aware that the https://t.co/uE2QNKXkIT bonding curve contracts have been compromised and are investigating the matter.
We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe.
We’ve paused trading — you…
— pump.fun (@pumpdotfun) May 16, 2024
Once the coins reached 100% on their respective bonding curves, the exploiter used the withdraw authority to pull the SOL held in those curves, repaid the flash loans from it, and kept the difference, which is the liquidity that earlier buyers had deposited.
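The following is an added toy model of the attack path just described, written for this article and not code from pump.fun or its contracts. It assumes a constant-product bonding curve with invented parameters (30 virtual SOL, a completion threshold of 85 real SOL), a single key named "withdraw-key" as the withdraw authority, and a hypothetical "raydium-pool" migration destination. The vulnerable vault lets whoever holds the key move the reserve anywhere; the hardened variant only releases a completed curve's reserve to the fixed migration destination, so a leaked key alone is not enough.

```python
"""Toy model: flash-loan SOL, buy a coin to 100% of its bonding curve, drain
the curve's reserve with a leaked withdraw authority, repay the loan.
Constructed example; curve parameters and key names are assumptions, not
pump.fun's real contract values."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BondingCurve:
    """Constant-product curve on virtual reserves (an assumed simplification)."""
    virtual_sol: float = 30.0
    virtual_token: float = 1_073_000_000.0
    completion_sol: float = 85.0   # assumed: curve completes once 85 real SOL is in
    real_sol: float = 0.0          # SOL actually deposited by buyers
    complete: bool = False

    def buy(self, sol_in: float) -> float:
        """Spend sol_in SOL along x*y=k; returns tokens received."""
        if self.complete:
            raise RuntimeError("curve complete: trading is closed")
        k = self.virtual_sol * self.virtual_token
        self.virtual_sol += sol_in
        tokens_out = self.virtual_token - k / self.virtual_sol
        self.virtual_token -= tokens_out
        self.real_sol += sol_in
        if self.real_sol >= self.completion_sol:
            self.complete = True
        return tokens_out


@dataclass
class Vault:
    """Holds a curve's real SOL and decides who may move it."""
    curve: BondingCurve
    withdraw_authority: str   # hypothetical key name
    migration_pool: str       # hypothetical fixed destination for completed curves
    hardened: bool = False
    balances: dict = field(default_factory=dict)

    def withdraw(self, signer: str, destination: str) -> float:
        if signer != self.withdraw_authority:
            raise PermissionError("not the withdraw authority")
        if self.hardened:
            # Hardened: the key can only do the one thing migration needs.
            if not self.curve.complete:
                raise PermissionError("curve not complete")
            if destination != self.migration_pool:
                raise PermissionError("withdraw only allowed to the migration pool")
        amount = self.curve.real_sol
        self.curve.real_sol = 0.0
        self.balances[destination] = self.balances.get(destination, 0.0) + amount
        return amount


def attack_profit(hardened: bool, honest_deposits: float = 30.0,
                  flash_loan: float = 55.0) -> Optional[float]:
    """Net SOL kept by the attacker after repaying the flash loan, or None if
    the withdraw is rejected (the whole flash-loan transaction would revert)."""
    curve = BondingCurve()
    vault = Vault(curve, withdraw_authority="withdraw-key",
                  migration_pool="raydium-pool", hardened=hardened)
    curve.buy(honest_deposits)   # earlier, legitimate buyers fill part of the curve
    assert not curve.complete
    curve.buy(flash_loan)        # attacker pushes the curve to 100% with borrowed SOL
    assert curve.complete
    try:
        drained = vault.withdraw(signer="withdraw-key", destination="attacker")
    except PermissionError:
        return None
    return drained - flash_loan  # what remains is exactly the honest buyers' SOL


if __name__ == "__main__":
    print("vulnerable vault, attacker keeps:", attack_profit(hardened=False))
    print("hardened vault, attacker keeps:  ", attack_profit(hardened=True))
```

In the vulnerable run the attacker nets 30 SOL, which is exactly what the legitimate buyers had put into the curve; that is why the loss is described above in terms of users' liquidity rather than protocol funds. In the hardened run the withdraw is refused, the loan cannot be repaid and the transaction fails, even though the attacker holds the key.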
Approximately 12,300 SOL, worth $1.9 million, was stolen in the attack, which occurred between 3:21 pm and 5:00 pm UTC on May 16.
Pump.fun has stated that users affected during these hours will recover 100% or more of the liquidity held before the attack.