Pump.fun Accuses Former Employee of $1.9M Exploit

Last Updated on May 17, 2024

Fleming Headshot
Written by

Key Takeaways:

  • Pump.fun assures users that its smart contracts are secure and pledges to return 100% of the stolen liquidity within 24 hours.
  • A former employee exploited Pump.fun’s systems, stealing approximately $1.9 million via a bonding curve attack.
  • The platform is collaborating with law enforcement, and trading has resumed after a temporary pause.

Pump.fun announced that its smart contracts remain secure and that affected users will receive “100% of the liquidity” they previously held within the next 24 hours.

Solana memecoin creation platform pump.fun has accused a former employee of exploiting the company for nearly $2 million via a “bonding curve” attack.

The ex-employee allegedly used their “privileged position” to access a “withdraw authority” and compromise the platform’s internal systems, according to a May 16 post on X.

Approximately $1.9 million was stolen from the $45 million held in pump.fun’s bonding curve contracts.

Trading was temporarily paused but has since resumed.

Pump.fun assured users that its smart contracts are safe and pledged that impacted users will receive “100% of the liquidity” they previously had within 24 hours.

Prior to pump.fun’s announcement, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, suggested the hack resulted from an internal private key leak, allegedly linked to X user “STACCoverflow.”

In cryptic posts, STACCoverflow claimed they were “about to change the course of history” and were indifferent to the consequences, stating, “I do not care, I am already fully doxxed.”

Pump.fun has been working with law enforcement but has not named the former employee and did not respond immediately to requests for comment.

The alleged exploiter utilized flash loans on the Solana lending protocol Raydium to borrow Solana’s SOL tokens, which were then used to “buy as many coins” as possible.

Once the coins reached 100% on their respective bonding curves, the exploiter accessed the bonding curve liquidity to repay the flash loans.

Approximately 12,300 SOL, worth $1.9 million, was stolen in the attack, which occurred between 3:21 pm and 5:00 pm UTC on May 16.

Pump.fun has stated that users affected during these hours will recover 100% or more of the liquidity held before the attack.

About The Author

News Reporter

Fleming Airunugba, a seasoned Web3 and crypto content expert, leverages his deep understanding of blockchain technology to bring the latest and most impactful news to the crypto community.

With a knack for engaging storytelling and strategic content creation, Fleming is dedicated to educating and inspiring his audience with insightful analysis on cryptocurrencies, NFTs, and the future of digital finance.