Source: CoinTelegraph, Twitter @pumpdotfun; Compiled by Deng Tong, Golden Finance
Solana memecoin creation tool Pump.fun claims that a former employee profited nearly $2 million from the company through a "bonding curve" attack.
Pump.fun claimed in a May 16 post that the former employee used his "privileged position" to gain "withdrawal privileges" and compromised the protocol's internal systems.
About $1.9 million of the total $45 million held in Pump.fun's bonding curve contract was stolen.
The platform temporarily suspended trading but has now resumed normal operations.
Pump.fun said that the pump.fun smart contract "is safe" and that users affected by the incident will receive "100% of the liquidity" they previously had within the next 24 hours.
pump.fun posted the following on social media:
1. The http://pump.fun contract is safe and has always been safe.
2. A former employee used his privileged position at the company to embezzle approximately 12,300 SOL (approximately $1.9 million).
3. http://pump.fun is back online. You can issue new tokens and trade any tokens that have not reached 100% between 15:21-17:00 UTC.
4. To ensure complete user liquidity, any token that reaches 100% between 15:21-17:00 UTC will be listed on Raydium and will have >= 100% of the previously held liquidity for the next 24 hours.
5. 0% trading fees for the next 7 days.
Here is a detailed rundown of what happened:
At 15:21 UTC, a former employee used his privileged position at the company to illegally gain withdrawal privileges, using a flash loan on the Solana lending protocol to:
1. Borrow SOL;
2. Use that SOL to buy as many tokens as possible so that those tokens reach 100% on their respective bonding curves;
3. Once those tokens reach 100%, gain access to the bonding curve liquidity;
4. Repay the flash loan.
As of 17:00 UTC, all trading on http://pump.fun has been halted. Of the $45 million in liquidity on the bonding curve contract, only ~$1.9 million was affected.
Next Steps
The http://pump.fun team has redeployed the contract. Trading is live again with 0% trading fees for the next 7 days. You can safely create tokens and buy and sell them;
Tokens that reached 100% between 15:21-17:00 UTC are in limbo, meaning no one can trade them until LPs are deployed for them on Raydium;
In order to make users whole, the http://pump.fun team will seed LPs for each affected token over the next 24 hours with an amount of SOL liquidity equal to or greater than the liquidity of that token at 15:21 UTC.
Please be patient as we aim to restore trading of these tokens in a secure and structured manner.
We have been working with some of the most respected security folks in the space to not only minimize the impact of this situation, but to ensure that it never happens in the future.
Thank you to everyone who reached out, and the best community in the space for trusting us.
Solana altcoin is back and stronger than ever.
Prior to Pump.fun’s post, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, claimed the hack stemmed from an internal private key leak, which he suspected was caused by X user “STACCoverflow.”
In a series of cryptic X posts, STACCoverflow claimed they were “about to change the course of history. n [sic] and then rot in jail.” They added in another post, “Don’t care, I’ve been completely doxed.”
In previous X posts, pump.fun said it had been cooperating with law enforcement. The company did not name the former employee and did not immediately respond to a request for comment.
How the hack unfolded
Pump.fun said the alleged exploiter used a flash loan on Solana’s lending protocol Raydium to borrow Solana, then used the money to “buy as many tokens as possible.”
Once the tokens reached 100% on their respective bonding curves, the exploiter could then take the bonding curve liquidity and repay the flash loan.
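A defender-side check for the pattern described above, added here as an example and not code from pump.fun or the article: it scans constructed bonding-curve events and flags (1) a burst of curves reaching 100% within a short window and (2) any curve withdrawal signed by a key outside an allowlist. The event schema, token names, signer keys, thresholds and the allowlist are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class CurveEvent:  # constructed event schema; token names and keys are placeholders
    ts: datetime
    token: str
    kind: str      # "complete" = curve reached 100%, "withdraw" = liquidity left the curve
    sol: float     # SOL withdrawn (0 for completions)
    signer: str    # key that signed the withdrawal ("" for completions)

AUTHORIZED_WITHDRAWERS = frozenset({"migration-service-key"})  # placeholder allowlist

def detect_anomalies(events, window=timedelta(minutes=10), max_completions=3,
                     authorized=AUTHORIZED_WITHDRAWERS):
    """Flag (1) a burst of curves reaching 100% inside `window` and (2) any curve
    withdrawal signed by a non-allowlisted key. Returns (alert_type, ts, detail) tuples."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    completions = [e for e in events if e.kind == "complete"]
    start, in_burst = 0, False
    for i, e in enumerate(completions):
        while completions[start].ts < e.ts - window:  # slide the window forward
            start += 1
        count = i - start + 1
        if count > max_completions and not in_burst:  # alert once per burst
            alerts.append(("completion_burst", e.ts, count))
            in_burst = True
        elif count <= max_completions:
            in_burst = False
    for e in events:
        if e.kind == "withdraw" and e.signer not in authorized:
            alerts.append(("unauthorized_withdraw", e.ts, f"{e.token}:{e.sol} SOL"))
    return alerts

def _t(h, m):
    return datetime(2024, 5, 16, h, m, tzinfo=timezone.utc)

SAMPLE = [  # normal day: two curves completed hours apart, drained by the allowlisted key
    CurveEvent(_t(9, 2), "tokenA", "complete", 0, ""),
    CurveEvent(_t(9, 3), "tokenA", "withdraw", 85.0, "migration-service-key"),
    CurveEvent(_t(12, 40), "tokenB", "complete", 0, ""),
    CurveEvent(_t(12, 41), "tokenB", "withdraw", 85.0, "migration-service-key"),
]
for i in range(6):  # incident window: six curves pushed to 100% within minutes, drained by a rogue key
    SAMPLE.append(CurveEvent(_t(15, 21 + i), f"tokenX{i}", "complete", 0, ""))
    SAMPLE.append(CurveEvent(_t(15, 22 + i), f"tokenX{i}", "withdraw", 85.0, "rogue-key"))

def run_sample():
    return detect_anomalies(SAMPLE)
```

On the constructed sample, `run_sample()` raises one burst alert at the fourth completion in the 15:21 window and six unauthorized-withdrawal alerts, while the two earlier completions pass silently.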
Pump.fun said the attack took place between 3:21pm and 5:00pm UTC on May 16, and that approximately 12,300 SOL, worth $1.9 million, was stolen.
The Solana memecoin launchpad said users affected during that period would recover 100% or more of the liquidity they held before the attack.