Pump.fun, a Solana-based platform for launching memecoins, recently suffered a major security breach resulting in a loss of approximately $1.9 million. The platform has alleged that a former employee, identified as “Jarrett” or “STACCoverflow,” was responsible for the exploit.
TLDR
- Solana memecoin creation tool pump.fun was exploited for nearly $2 million through a “bonding curve” attack.
- The platform claimed a former employee, identified as “Jarrett” or “STACCoverflow,” was responsible for the exploit.
- The ex-employee allegedly used flash loans on Raydium to borrow SOL, which was then used to buy memecoins on pump.fun and push their bonding curves to completion.
- Pump.fun temporarily paused trading but has since resumed operations, assuring users that their smart contracts are safe and affected users will receive full compensation.
- The platform is collaborating with law enforcement and security experts to minimize the impact of the incident and prevent similar attacks in the future.
According to pump.fun, the ex-employee used their “privileged position” at the company to gain access to a “withdraw authority” and compromise the protocol’s internal systems.
The attacker then carried out a “bonding curve” attack: flash loans taken out on Raydium, a Solana decentralized exchange, supplied the SOL, which was used to buy memecoins on pump.fun until their bonding curves reached 100%, the point at which a coin’s liquidity would normally be migrated out of the curve.
https://t.co/uE2QNKXkIT coin migration issue post-mortem
TL;DR:
1. the https://t.co/uE2QNKXkIT contracts are safe. they have always been safe
2. a former employee used their privileged position at the company to misappropriate ~12.3K SOL (~$1.9m)
3. https://t.co/uE2QNKXkIT is…
— pump.fun (@pumpdotfun) May 16, 2024
Once the coins reached 100% on their respective bonding curves, the exploiter used the withdraw authority to take the SOL held as bonding curve liquidity, repaid the flash loans and kept the difference.
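The sequence described above (borrow SOL, buy a curve to 100%, withdraw the curve’s liquidity with a privileged key, repay the loan) is easiest to reason about with numbers. The following is a simplified model written for this article, not pump.fun’s program: the constant-product curve shape, the reserve sizes, the key and wallet names, the flash-loan fee and the “fixed migration destination” variant are all assumptions for the illustration. It shows that the flash loan only supplies the SOL needed to finish the curve; what the attacker actually walks away with is the SOL that other buyers had already paid in, minus the loan fee.

```python
"""Simplified model of a launchpad bonding curve with a privileged 'withdraw
authority'. Written for this article as an illustration; it is not pump.fun's
program. Curve parameters, key names and the flash-loan fee are assumptions.
"""
from dataclasses import dataclass

LAMPORTS_PER_SOL = 1_000_000_000
ATTACKER = "attacker-wallet"                # assumed
OPS_KEY = "launchpad-withdraw-authority"    # assumed single privileged key
AMM_POOL = "amm-migration-pool"             # assumed fixed migration destination


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


@dataclass
class BondingCurve:
    """Constant-product curve: virtual reserves set the price, real reserves track balances."""
    virtual_sol: int
    virtual_tokens: int
    real_tokens: int            # tokens still for sale; the curve is 100% when this hits 0
    real_sol: int = 0
    complete: bool = False

    def sol_to_complete(self) -> int:
        """SOL (lamports) needed to buy every remaining token, rounded up."""
        k = self.virtual_sol * self.virtual_tokens
        target_tokens = self.virtual_tokens - self.real_tokens  # > 0 by construction here
        return ceil_div(k, target_tokens) - self.virtual_sol

    def buy(self, sol_in: int) -> int:
        """Pay sol_in lamports and receive tokens along the curve; returns tokens out."""
        if self.complete:
            raise RuntimeError("curve already complete")
        k = self.virtual_sol * self.virtual_tokens
        new_vsol = self.virtual_sol + sol_in
        # Round the token side up so the curve never over-pays, and never sell
        # more than the real supply left (any SOL beyond completion stays in the curve).
        tokens_out = min(self.virtual_tokens - ceil_div(k, new_vsol), self.real_tokens)
        self.virtual_sol = new_vsol
        self.virtual_tokens -= tokens_out
        self.real_sol += sol_in
        self.real_tokens -= tokens_out
        self.complete = self.real_tokens == 0
        return tokens_out


class CurveWithWithdrawAuthority(BondingCurve):
    """Vulnerable shape: one key may withdraw a completed curve's SOL to any recipient."""

    def withdraw(self, signer: str, recipient: str) -> tuple[str, int]:
        if signer != OPS_KEY:
            raise PermissionError("not the withdraw authority")
        if not self.complete:
            raise RuntimeError("curve not complete")
        amount, self.real_sol = self.real_sol, 0
        return recipient, amount


class CurveWithFixedMigration(BondingCurve):
    """Hardened shape (assumed design): the only privileged action moves SOL to a destination fixed at launch."""

    def migrate(self, signer: str) -> tuple[str, int]:
        if signer != OPS_KEY:
            raise PermissionError("not the migration authority")
        if not self.complete:
            raise RuntimeError("curve not complete")
        amount, self.real_sol = self.real_sol, 0
        return AMM_POOL, amount  # the signer cannot choose where the SOL goes


def new_curve(cls):
    """Assumed launch parameters: 30 SOL virtual, 1e9 virtual tokens, 8e8 real tokens for sale."""
    return cls(virtual_sol=30 * LAMPORTS_PER_SOL, virtual_tokens=1_000_000_000,
               real_tokens=800_000_000)


def run_attack(curve, leaked_key: str, flash_fee_bps: int = 30) -> dict:
    """Flash-loan exactly enough SOL to finish the curve, drain it, repay; report the flows."""
    honest_sol_in = curve.real_sol               # what other users already paid in
    borrowed = curve.sol_to_complete()
    curve.buy(borrowed)                          # pushes the curve to 100%
    if hasattr(curve, "withdraw"):
        recipient, drained = curve.withdraw(leaked_key, ATTACKER)
    else:
        recipient, drained = curve.migrate(leaked_key)
    attacker_receives = drained if recipient == ATTACKER else 0
    repaid = borrowed + borrowed * flash_fee_bps // 10_000  # assumed 0.30% flash-loan fee
    return {"honest_sol_in": honest_sol_in, "borrowed": borrowed, "drained": drained,
            "repaid": repaid, "attacker_profit": attacker_receives - repaid}


if __name__ == "__main__":
    for cls in (CurveWithWithdrawAuthority, CurveWithFixedMigration):
        c = new_curve(cls)
        c.buy(20 * LAMPORTS_PER_SOL)   # two constructed honest buyers, 30 SOL in total
        c.buy(10 * LAMPORTS_PER_SOL)
        r = run_attack(c, OPS_KEY)
        print(cls.__name__, {k: v / LAMPORTS_PER_SOL for k, v in r.items()})
```

With the assumed parameters, two honest buyers put in 30 SOL, the attacker borrows the 90 SOL needed to finish the curve, withdraws all 120 SOL, repays 90.27 SOL and keeps 29.73 SOL: the honest deposits less the loan fee. Against the fixed-migration variant the same key can only send the 120 SOL to the pre-set pool, so the attacker cannot repay the loan from the curve and, on-chain, the whole transaction would revert. The point is one of least privilege: a single key that can direct a completed curve’s liquidity to an arbitrary account is a far larger capability than a key that can only trigger the scheduled migration.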
The attack occurred between 3:21 pm and 5:00 pm UTC on May 16, resulting in the theft of approximately 12,300 SOL, valued at $1.9 million.
In response to the incident, pump.fun temporarily suspended trading on the platform. However, they have since resumed operations, assuring users that their smart contracts remain secure and unaffected by the exploit. The platform has also committed to fully compensating users who were impacted by the attack within the next 24 hours.
The alleged attacker, “Jarrett” or “STACCoverflow,” made several cryptic posts on social media, claiming to be “fully doxxed” and expressing a willingness to “rot in jail” for their actions.
And now; Magick: everybody be cool, this is a r o b b e r y. What it do, staccattack? I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: /x
— staccoverflow ; j'arrête ; (@STACCoverflow) May 16, 2024
The individual appeared to frame the exploit as an act of protest against the company rather than a purely financial gain.
Pump.fun has stated that they are collaborating with law enforcement and top security experts to minimize the impact of the incident and prevent similar attacks in the future.
The platform has also expressed gratitude to its community for their trust and support during this challenging time.