Solana Token Launcher pump.fun Former Employee behind $1.9 Million Exploit

2024-05-17 by Ndaman Olayinka

pump.fun, the popular tool for launching meme coins on Solana, has identified a former employee behind the $1.9 million exploit.

We are aware that the https://t.co/uE2QNKXkIT bonding curve contracts have been compromised and are investigating the matter.

We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe. 

We’ve paused trading — you…

— pump.fun (@pumpdotfun) May 16, 2024

On Thursday, the firm suffered an exploit of nearly $2 million through a “bonding curve” attack that left the protocol compromised. The platform temporarily shut down trading on the site; it is now back live, and its contracts are reported safe.

pump.fun posted on X (formerly known as Twitter) a detailed explanation of what happened. “At 15:21 UTC, an ex-employee, using their privileged position at the company, illegitimately took access to the withdraw authority, using flash loans on a Solana lending protocol to repay flash loans, borrow SOL, use the SOL to buy up as many coins as they could so these coins hit 100% on their respective bonding curves, and once these coins hit 100%, gain access to the bonding curve liquidity.”

The post-mortem further stated that at 17:00 UTC, all trading on the platform was stopped, and out of a total of $45 million of liquidity in the bonding curve contracts, only 12,300 SOL was affected, which is approximately $1.9 million.
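The post-mortem above attributes the loss to a single privileged key (the withdraw authority) rather than to a flaw in the curve maths. To make that control failure concrete, here is an added toy model. It is not pump.fun's on-chain program or any real Solana code: the constant-product curve, the reserve sizes, the signer names, the "raydium-lp-deployer" destination and the `GuardedWithdraw` design are all assumptions chosen for the illustration. It contrasts a curve whose completed liquidity can be moved by one key to any account with one that releases liquidity only to a fixed migration destination, after M-of-N approval and a delay.

```python
"""Toy bonding curve guarded by a 'withdraw authority' (added illustration).

Not pump.fun's program: curve model, numbers, names and the guarded design are assumptions.
"""
from dataclasses import dataclass

LAMPORTS_PER_SOL = 1_000_000_000


@dataclass
class BondingCurve:
    virtual_sol: int        # virtual SOL reserve in lamports (assumed x*y=k model)
    virtual_tokens: int     # virtual token reserve, whole tokens
    sol_target: int         # real SOL at which the curve counts as "100%" complete
    real_sol: int = 0       # SOL actually deposited by buyers; the withdrawable amount
    complete: bool = False

    def buy(self, sol_in: int) -> int:
        """Deposit `sol_in` lamports and return the tokens received."""
        if self.complete:
            raise RuntimeError("curve complete: liquidity migrates to a DEX pool")
        k = self.virtual_sol * self.virtual_tokens
        new_sol = self.virtual_sol + sol_in
        new_tokens = k // new_sol
        tokens_out = self.virtual_tokens - new_tokens
        self.virtual_sol, self.virtual_tokens = new_sol, new_tokens
        self.real_sol += sol_in
        self.complete = self.real_sol >= self.sol_target
        return tokens_out


def make_curve() -> BondingCurve:
    # Constructed numbers: 30 SOL virtual reserve, 1e9 tokens, complete at 85 real SOL.
    return BondingCurve(30 * LAMPORTS_PER_SOL, 1_000_000_000, 85 * LAMPORTS_PER_SOL)


class SingleKeyWithdraw:
    """Weak control: one key moves completed-curve SOL to any account it names."""

    def __init__(self, authority: str):
        self.authority = authority

    def withdraw(self, curve: BondingCurve, signer: str, destination: str) -> int:
        if signer != self.authority:
            raise PermissionError("not the withdraw authority")
        if not curve.complete:
            raise RuntimeError("curve not complete")
        amount, curve.real_sol = curve.real_sol, 0
        return amount   # goes to `destination`, which is never checked


class GuardedWithdraw:
    """Hardened control (assumed design): fixed destination, M-of-N signers, timelock."""

    def __init__(self, signers, threshold: int, delay_slots: int, migration_destination: str):
        self.signers = set(signers)
        self.threshold = threshold
        self.delay_slots = delay_slots
        self.migration_destination = migration_destination
        self.pending: dict[str, tuple[set[str], int]] = {}   # curve id -> (approvals, slot)

    def propose(self, curve_id: str, signer: str, slot: int) -> None:
        if signer not in self.signers:
            raise PermissionError("unknown signer")
        self.pending[curve_id] = ({signer}, slot)

    def approve(self, curve_id: str, signer: str) -> None:
        if signer not in self.signers:
            raise PermissionError("unknown signer")
        self.pending[curve_id][0].add(signer)

    def execute(self, curve: BondingCurve, curve_id: str, destination: str, slot: int) -> int:
        approvals, proposed_at = self.pending[curve_id]
        if destination != self.migration_destination:
            raise PermissionError("liquidity may only migrate to the DEX pool")
        if len(approvals) < self.threshold:
            raise PermissionError(f"{len(approvals)}/{self.threshold} approvals")
        if slot < proposed_at + self.delay_slots:
            raise RuntimeError("timelock has not elapsed")
        if not curve.complete:
            raise RuntimeError("curve not complete")
        amount, curve.real_sol = curve.real_sol, 0
        return amount


def attempt(fn) -> str:
    """Run one withdrawal attempt and report how the control responded."""
    try:
        return f"ok:{fn() // LAMPORTS_PER_SOL} SOL"
    except (PermissionError, RuntimeError) as e:
        return f"refused:{e}"


def single_key_scenario() -> str:
    """A completed curve plus one authority key moves every lamport to an arbitrary wallet."""
    curve = make_curve()
    curve.buy(85 * LAMPORTS_PER_SOL)          # a buyer pushes the curve to 100%
    ctl = SingleKeyWithdraw("staff-key")
    return attempt(lambda: ctl.withdraw(curve, "staff-key", "unrelated-wallet"))


def guarded_scenario() -> list[str]:
    """Same completed curve under the guarded control: a lone signer key gets nowhere."""
    curve = make_curve()
    curve.buy(85 * LAMPORTS_PER_SOL)
    ctl = GuardedWithdraw(["ops-a", "ops-b", "ops-c"], 2, 100, "raydium-lp-deployer")
    ctl.propose("coin-1", "ops-a", slot=1000)
    out = [attempt(lambda: ctl.execute(curve, "coin-1", "unrelated-wallet", 1100)),      # wrong destination
           attempt(lambda: ctl.execute(curve, "coin-1", "raydium-lp-deployer", 1100))]  # 1 of 2 approvals
    ctl.approve("coin-1", "ops-b")
    out.append(attempt(lambda: ctl.execute(curve, "coin-1", "raydium-lp-deployer", 1050)))  # too early
    out.append(attempt(lambda: ctl.execute(curve, "coin-1", "raydium-lp-deployer", 1100)))  # legitimate migration
    return out


if __name__ == "__main__":
    print(single_key_scenario())
    print(*guarded_scenario(), sep="\n")
```

The point of the contrast is that the funding source of the buy (the post-mortem mentions flash loans) does not matter to the control analysis: in the first design, completing a curve and holding one key is sufficient to redirect its SOL, while in the second the destination is pinned to the migration path, a single insider cannot reach the approval threshold alone, and the delay gives monitoring time to flag an unexpected proposal.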

The pump.fun team added that the next step is to redeploy the contracts. Trading is live again with 0% trading fees for the next seven days, and users can safely create coins and buy and sell them. Coins that reached 100% between 15:21 and 17:00 UTC, however, cannot be traded until LPs are deployed for them on Raydium.

Within the next 24 hours, the pump.fun team will seed the LPs for each affected coin with an amount of SOL liquidity equal to or greater than what the coin had at 15:21 UTC in order to make users whole, the firm added.

Meanwhile, X user @STACCoverflow, who claims to be a former employee of pump.fun, admitted to being the one behind the exploit. As seen on the user's timeline, the attacker airdropped the stolen funds to random wallet addresses. Stacc then began retweeting posts from grateful cryptocurrency users who said they had received some of the money distributed via the airdrops.

During a Twitter Space on Thursday afternoon, Stacc revealed that he had worked for pump.fun for a few weeks and felt the company was “horribly managed,” and that he had “personal grievances” against the company’s leadership, whom he described as “not the type of people you want front and center as the face of blockchain.”

Asked why he committed the theft, he answered extraordinarily bluntly: “I just kind of wanted to kill pump.fun because it’s something to do,” he said. “It’s inadvertently hurting people for a long time.”

In addition, on Thursday night, the user created the Flash Stacc attack (FSA), a Solana-based memecoin that was inspired by the exploit. According to DEX Screener, the memecoin has a market capitalization of approximately $271,000 as of the time of writing.

In related news reported earlier by whaleinsider.news, Sonne Finance was exploited for $20 million on Optimism via a known donation attack.

Disclaimer: This information should not be considered financial advice by any means. Please do your own research before making any investment decisions. The views in the articles are personal opinions only. Whale Insider is not responsible for any financial losses incurred.