On May 16 at 15:21 UTC, Pump.fun, a meme coin creation platform in the Solana (SOL) ecosystem, was exploited. The incident resulted in losses of approximately 12,300 SOL (roughly $2 million at market prices at the time).
The attacker used flash loans from Margin.fi to borrow SOL and buy Pump.fun tokens without committing any capital of their own. The exploit sent shockwaves through the cryptocurrency community.
From insiders to attackers: the Pump.fun security breach
The attacker, operating from the wallet address 7ihN8QaTfNoDTRTQGULCzbUT3PHwPDTu5Brcu4iT2paP, exploited Pump.fun by buying up the entire supply of newly launched tokens within minutes of their creation. Each purchase pushed the token's bonding curve to its 100% limit.
In decentralized finance (DeFi), a bonding curve is a smart contract that makes a market for a token algorithmically, pricing each buy and sell against its own reserves rather than relying on a cryptocurrency exchange. Normally, once a curve reaches 100%, the token's liquidity is passed on to Raydium, a decentralized exchange on Solana; the manipulation left the affected tokens stuck before that step, so they could not be listed on Raydium.
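To make the bonding-curve mechanics concrete, the following is an added Python model, not Pump.fun's code, of a constant-product curve with virtual reserves. Every parameter (30 SOL of virtual liquidity, 1e9 virtual tokens, 800M tokens for sale) is assumed for illustration only. It shows how a single buy funded with borrowed SOL takes the curve to 100% and why, from that moment, neither the buyer nor anyone else can trade until liquidity is migrated. The model deliberately stops there: the article does not describe how the attacker turned the bought-up tokens back into SOL, so that step is not modelled.

```python
from dataclasses import dataclass

LAMPORTS_PER_SOL = 1_000_000_000


class CurveComplete(Exception):
    """Trading attempted on a curve that already reached 100%."""


def ceil_div(a: int, b: int) -> int:
    """Integer ceiling division; rounding against the trader keeps k from shrinking."""
    return -(-a // b)


@dataclass
class BondingCurve:
    """Constant-product curve with virtual reserves (x * y = k), integer arithmetic.

    All numbers are assumed for illustration and are not Pump.fun's real parameters.
    """
    virtual_sol: int = 30 * LAMPORTS_PER_SOL
    virtual_tokens: int = 1_000_000_000
    tokens_remaining: int = 800_000_000
    real_sol: int = 0            # SOL actually paid in by buyers and held by the curve
    complete: bool = False       # True once every saleable token has been bought

    def __post_init__(self) -> None:
        self.k = self.virtual_sol * self.virtual_tokens

    def buy(self, sol_in: int) -> tuple[int, int]:
        """Spend up to sol_in lamports; return (tokens_received, lamports_spent)."""
        if self.complete:
            raise CurveComplete("curve at 100%: no trades until LP is migrated")
        new_vtok = ceil_div(self.k, self.virtual_sol + sol_in)
        tokens_out = min(self.virtual_tokens - new_vtok, self.tokens_remaining)
        # Charge only what tokens_out actually costs; any excess is refunded.
        sol_spent = ceil_div(self.k, self.virtual_tokens - tokens_out) - self.virtual_sol
        self.virtual_sol += sol_spent
        self.virtual_tokens -= tokens_out
        self.real_sol += sol_spent
        self.tokens_remaining -= tokens_out
        if self.tokens_remaining == 0:
            self.complete = True
        return tokens_out, sol_spent

    def sell(self, tokens_in: int) -> int:
        """Sell tokens back into the curve; return lamports received."""
        if self.complete:
            raise CurveComplete("curve at 100%: no trades until LP is migrated")
        new_vsol = ceil_div(self.k, self.virtual_tokens + tokens_in)
        sol_out = self.virtual_sol - new_vsol
        if sol_out > self.real_sol:
            raise ValueError("curve cannot pay out more SOL than it holds")
        self.virtual_sol = new_vsol
        self.virtual_tokens += tokens_in
        self.real_sol -= sol_out
        self.tokens_remaining += tokens_in
        return sol_out

    def buyout_cost(self) -> int:
        """Lamports needed to take every remaining token in one trade."""
        return ceil_div(self.k, self.virtual_tokens - self.tokens_remaining) - self.virtual_sol


def flash_loan_buyout(loan_lamports: int) -> dict:
    """Model the article's scenario: borrowed SOL buys out a fresh curve in one shot.

    Returns what the buyer ends up holding and whether trading survives afterwards.
    """
    curve = BondingCurve()
    tokens, spent = curve.buy(loan_lamports)
    try:
        curve.sell(tokens)               # can the borrower unwind to repay the loan?
        sell_back_allowed = True
    except CurveComplete:
        sell_back_allowed = False
    try:
        curve.buy(1 * LAMPORTS_PER_SOL)  # a bystander trying to trade afterwards
        retail_trading_allowed = True
    except CurveComplete:
        retail_trading_allowed = False
    return {
        "tokens_held": tokens,
        "lamports_spent": spent,
        "curve_complete": curve.complete,
        "sol_locked_in_curve": curve.real_sol,
        "sell_back_allowed": sell_back_allowed,
        "retail_trading_allowed": retail_trading_allowed,
        "unspent_loan": loan_lamports - spent,
    }


if __name__ == "__main__":
    for key, value in flash_loan_buyout(200 * LAMPORTS_PER_SOL).items():
        print(f"{key}: {value}")
```

With these assumed parameters a fresh curve costs 120 SOL to buy out. A 200 SOL flash loan completes it in one transaction, leaves 120 SOL locked in the curve, and blocks every subsequent buy or sell, including the borrower's own attempt to sell back. That is the "limbo" state the Pump.fun team later describes: no one can trade until liquidity is migrated, and a flash loan by itself does not get the borrowed SOL back out.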
In response to the attack, Pump.fun upgraded its contracts to prevent further exploitation. The team also paused transactions and assured users that the protocol's total value locked (TVL) was safe.
"We are committed to ensuring the safety of our users and are cooperating with relevant parties, including law enforcement, to minimize harm," the team said.
Interestingly, the attacker was Jarrett, a former employee of Pump.fun, better known by his pseudonym STACCOverflow. Jarrett took to social media to express his dissatisfaction with the company and stated his intention to disrupt the platform.
"Horrible bosses who see a broken hand ask what happened and say it's a glass table that caused the problem and say, 'Are you okay with that table?' These are not the type of people you want as the face of blockchain," Jarrett wrote after the attack.
He said he had a plan and wanted to “change the course of history.” Plus, he said he doesn’t have to worry about going to jail.
In a separate post, Jarrett said the loot would be distributed via airdrops to various communities, including Slerf, Stacc, Saga, and Risklol. His decision to do airdrops led some in the cryptocurrency community to dub him "Web3 Robinhood."
Pump.fun released a postmortem about five hours after the initial announcement. The team redeployed the contracts and resumed trading with 0% fees for the following 7 days. It also committed to seeding liquidity pools (LPs) for the affected coins to restore trading functionality.
“Coins that reached 100% between 15:21 – 17:00 UTC are in limbo. This means that no one can trade the coins until LP is distributed to Raydium. To create a user pool, the Pump.fun team will seed LPs for each affected coin with an amount of SOL liquidity equal to or greater than the amount the coin had at 15:21 UTC within the next 24 hours. (…) Solana sh*tcoins are back and stronger than ever.” Pump.fun Team wrote.
Pump.fun has already said that trading has resumed, but the cryptocurrency community should remain vigilant. Scammers are trying to take advantage of the incident by posing as the Pump.fun team and sharing malicious links purporting to be refund links. Note that the remedy the team announced, seeding LPs for the affected coins itself, requires no action from users, so any "refund link" asking for a wallet connection or signature should be treated as phishing.
Disclaimer
In compliance with Trust Project guidelines, BeInCrypto is committed to unbiased and transparent reporting. These news articles aim to provide accurate and timely information. However, before making any decisions based on this content, readers are encouraged to check the facts and consult with experts. Our Terms of Use, Privacy Policy and Disclaimer have been updated.