Memecoin launcher pump.fun exploited for $1.9 million, ex-employee blamed

May 17, 2024
  • Former employee exploited pump.fun for nearly $2 million through a bonding curve attack.
  • The platform initially paused trading but resumed, assuring users of full liquidity recovery.
  • Attacker used flash loans on Raydium to steal approximately 12,300 SOL.

Pump.fun, a Solana memecoin launch tool, alleged that a former employee exploited the protocol for nearly $2 million in a “bonding curve” attack. The ex-employee used a “privileged position” to access a “withdraw authority” and compromise the protocol’s internal systems, according to pump.fun’s May 16 X post.

Approximately $1.9 million was stolen from the $45 million held in pump.fun’s bonding curve contracts. The platform paused trading temporarily but has since resumed operations. 

Pump.fun asserted that its smart contracts are still secure and that affected users would recover “100% of the liquidity” within the next 24 hours.

Former employee takes the blame

Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, suggested the hack resulted from an internal private key leak. He suspected X user “STACCoverflow” was behind the attack. 

STACCoverflow posted cryptic messages on X, stating they were “about to change the course of history” and “then rot in jail,” while also claiming to be “fully doxxed.”

Pump.fun has been collaborating with law enforcement but did not name the former employee involved.

The exploiter used flash loans on the Solana lending protocol Raydium to borrow Solana (SOL) tokens. These tokens were then used to buy pump.fun’s meme coins. 

Once the coins reached 100% on their bonding curves, the exploiter accessed the bonding curve liquidity to repay the flash loans. Between 3:21 pm and 5:00 pm UTC on May 16, approximately 12,300 SOL, valued at $1.9 million, was stolen.

Gotbit Hedge Fund initially flagged concerns about the attack on social media. They noted a wallet buying all tokens on pump.fun within minutes to fill the bonding curve to 100%. This caused Raydium listings to become stuck.
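The behaviour Gotbit flagged (one wallet filling curve after curve to 100% within minutes) is cheap to detect from trade data. The heuristic below is an added example, not pump.fun's or Gotbit's code, and runs over constructed fill events rather than on-chain data from the incident: it flags any wallet that completes at least `min_fills` distinct bonding curves inside a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (wallet, token, curve fill fraction, UTC timestamp).
# Illustrative only; not on-chain records from the May 16 incident.
EVENTS = [
    ("walletA", "TOK1", 1.00, "2024-05-16T15:21:00Z"),
    ("walletA", "TOK2", 1.00, "2024-05-16T15:22:30Z"),
    ("walletA", "TOK3", 1.00, "2024-05-16T15:24:10Z"),
    ("walletA", "TOK4", 1.00, "2024-05-16T15:25:45Z"),
    ("walletB", "TOK5", 0.40, "2024-05-16T15:23:00Z"),  # partial buy, ignored
    ("walletC", "TOK6", 1.00, "2024-05-16T14:00:00Z"),  # two fills, hours apart
    ("walletC", "TOK7", 1.00, "2024-05-16T16:30:00Z"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_curve_fillers(events, window=timedelta(minutes=10), min_fills=3):
    """Return {wallet: [tokens]} for wallets that fill >= min_fills distinct
    bonding curves to 100% within any window of length `window`."""
    fills = defaultdict(list)  # wallet -> [(timestamp, token)] for 100% fills
    for wallet, token, frac, ts in events:
        if frac >= 1.0:
            fills[wallet].append((parse_ts(ts), token))

    flagged = defaultdict(set)
    for wallet, items in fills.items():
        items.sort()  # chronological; two-pointer sliding window below
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= min_fills:
                flagged[wallet].update(tok for _, tok in items[lo:hi + 1])
    return {w: sorted(toks) for w, toks in flagged.items()}


if __name__ == "__main__":
    for wallet, tokens in flag_curve_fillers(EVENTS).items():
        print(f"{wallet} filled {len(tokens)} curves in <10 min: {tokens}")
```

Thresholds are assumptions; tune `window` and `min_fills` against normal launch activity so legitimate snipers of a single token do not trip it.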

As of now, pump.fun assures that users affected during the specified hours will recover 100% or more of the liquidity held prior to the attack.

This is hardly the only exploit in recent times. Just a day before, the lending protocol Sonne Finance was hacked for $20 million in crypto assets through a vulnerability in the second version of the Compound platform.