Former Employee Steals $2M from Pump.Fun Using Flash Loans: Unveiling the Method

Pump.fun, a platform built on the Solana blockchain for token launches, has experienced a major security breach resulting in a loss of approximately $2 million. The attacker took advantage of flash loans to exploit the platform’s bonding curve contracts, which disrupted the token launch mechanism.

The team at Pump.fun became aware of the compromised bonding curve contracts and immediately launched an investigation into the matter. They have since upgraded the contracts to prevent any further funds from being siphoned by the attacker. As of now, the total value locked (TVL) in the protocol remains secure.

Flash loans enable users to borrow large sums of money without the need for collateral, as long as the funds are returned within the same transaction. In this case, the attacker used this method to acquire enough SOL to buy out the bonding curves for Pump.fun’s meme coins, resulting in significant financial losses.
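The defining property of a flash loan is the one the paragraph names: the loan is uncollateralised because the lender's contract only commits the transaction if the funds come back before it ends, and otherwise every state change is rolled back. The following toy model, added here as an illustration and not code from Pump.fun or any Solana lending program, shows that atomic commit-or-revert rule with a constructed pool balance and borrower; the names `Pool`, `flash_loan` and `simulate` are assumptions for this example.

```python
# Toy model of flash-loan atomicity (illustrative example, not Pump.fun code).
# The lender needs no collateral because the whole transaction is reverted
# unless the borrowed amount is returned before the transaction completes.
from dataclasses import dataclass
from typing import Callable, Tuple


class Revert(Exception):
    """Raised when a transaction invariant fails; all state changes are discarded."""


@dataclass
class Pool:
    balance: float  # liquidity held by the lending pool (constructed value)


def flash_loan(pool: Pool, amount: float, borrower: Callable[[float], float]) -> float:
    """Lend `amount` with no collateral.

    `borrower` receives the funds and returns what it repays. If it repays
    less than `amount`, or asks for more than the pool holds, the transaction
    reverts and the pool balance is restored to its pre-transaction snapshot.
    Returns the pool balance after a committed transaction.
    """
    snapshot = pool.balance
    try:
        if amount > pool.balance:
            raise Revert("insufficient liquidity")
        pool.balance -= amount          # funds leave the pool mid-transaction
        repaid = borrower(amount)
        if repaid < amount:
            raise Revert("loan not repaid within the same transaction")
        pool.balance += repaid          # principal (plus any fee) returns
    except Revert:
        pool.balance = snapshot         # atomic rollback: nothing leaks
        raise
    return pool.balance


def simulate(repay_fraction: float, pool_liquidity: float = 1000.0,
             borrow: float = 600.0) -> Tuple[str, float]:
    """Run one flash-loan transaction with a borrower that returns
    `repay_fraction` of what it borrowed. Returns (outcome, final pool balance)."""
    pool = Pool(pool_liquidity)

    def borrower(amount: float) -> float:
        # Whatever the borrower does with the funds in between is invisible to
        # the lender; only the amount handed back at the end matters.
        return amount * repay_fraction

    try:
        flash_loan(pool, borrow, borrower)
        return ("committed", pool.balance)
    except Revert:
        return ("reverted", pool.balance)


if __name__ == "__main__":
    print(simulate(1.0))    # full repayment: committed, pool unchanged
    print(simulate(1.01))   # repayment plus 1% fee: committed, pool grows
    print(simulate(0.5))    # half repaid: reverted, pool restored
```

The point for a defender is that the lender's exposure is bounded by this rule, so the risk a flash loan introduces to other protocols is not default on the loan but the very large, temporary capital it puts in a single transaction; a bonding curve that can be bought out within one transaction is exposed to that capital regardless of who the borrower is.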

In response to the security breach, Pump.fun has halted all trading activities on the platform. They have emphasized that users will not be able to buy or sell any coins during this period, and any coins in the process of migrating to Raydium will also be temporarily unavailable for trading.

However, the team has assured users that the encrypted liquidity on Raydium remains safe and unaffected. They have also taken steps to update the Pump.fun contracts to prevent any further exploitation.

The attacker behind the Pump.fun breach was initially identified by the wallet address 7ihN8QaTfNoDTRTQGULCzbUT3PHwPDTu5Brcu4iT2paP. This individual quickly purchased all tokens of the new projects and pushed the bonding curve to its limits. Initially, an unidentified user called ‘Stacc’ claimed responsibility for the attack, describing it as a form of protest rather than a pursuit of financial gain.

However, it was later revealed that the attacker was a former employee named Jarrett, also known as STACCOverflow. Jarrett expressed his dissatisfaction with the company and aimed to disrupt the platform. He publicly criticized Pump.fun on social media and declared his intention to redistribute the stolen funds through an airdrop, earning him the moniker “Web3 Robinhood.”

Pump.fun has responded to the breach by conducting a post-mortem analysis of the coin migration issue. They have assured users that the contracts themselves have always been secure and that the attack was facilitated by a former employee misusing their privileged position. The platform is now back online, allowing users to launch new coins and to trade coins that did not reach 100% during the affected time frames.

To compensate users, coins that reached 100% during the affected period will be relaunched on Raydium with at least 100% liquidity within the next 24 hours. Additionally, trading fees will be reduced to 0% for the next seven days, providing some relief to the community.

Pump.fun is actively working with top security experts to minimize the impact of this incident and prevent similar occurrences in the future. They extend their gratitude to the community for their trust and support during this challenging time, asserting that Solana shitcoins are back and better than ever.
