Flash Loan Attack Drains $2M from Solana-Based Pump Fun

Pump.Fun, a Solana-based platform for launching tokens, has been exploited, resulting in a loss of about $2 million.

The attacker used flash loans to the platform’s bonding curve contracts, thus undermining the token launch mechanism. 

Exploitation of Pump.fun Bonding Curve

The attacker exploited Pump.Fun’s bonding curve contracts with the help of flash loans, a method that allows borrowers to borrow large sums of money without any collateral on condition they return it within one transaction. By leveraging these flash loans, the attacker was able to acquire enough SOL to buy out the bonding curves for Pump.fun memecoins, leading to financial losses for the platform. 

https://t.co/oZFiUGCehw

— Igor Igamberdiev (@FrankResearcher) May 16, 2024

Igor Igamberdiev, the head of research at Wintermute, says that they lost nearly 12,300 SOL, which is about $2 million.

Pump.fun, consequently, acknowledged the breach in a social media post on X (formerly Twitter), stating,

“We know that the Pump.fun bonding curve contracts have been compromised, and we are investigating the matter.”

The team, in addition, assured users that they had updated their contracts to prevent further exploitation and that TVL and connected wallets remain safe.

Security Measures and Trading Suspension

In response to the attack, Pump.fun has paused all trading activities on the platform. As a result, the team said,

“We have stopped trading — you cannot buy and sell any coins. Any coins that are currently in the process of migrating to Raydium will not be able to be traded and they won’t for an indefinite period.”

They stressed that encrypted liquidity on Raydium is safe and unaffected by this exploit.

The Pump.fun team is working with law enforcement and other parties to investigate the breach and find out who did it. The event has led to the debate about whether a private key compromise could be behind it, although this is only speculative. Igamberdiev hinted that it could have been an inside job, judging by the way the exploit was executed.

Attacker Identified as ‘Stacc’

A social media user named ‘Stacc’ has admitted to the exploit. In a series of posts, Stacc depicted the assault as an action of protest rather than a way to make money. He hinted at his troubles and the fact that he had recently lost his mother, thus implying that what made him act was emotional distress.

” I’m going to be the one that will change the course of history,” he wrote, thus showing his determination to disrupt the memecoin space on Solana.

Stacc’s intentions are multiple. He did not show any intention to make money out of the stolen funds. On the other hand, he proposed moving the rest of the bonding curve balances to different token users. This, in turn, has made the situation even more complicated because of the uncertainty about where and how such assets will be discovered and recovered.

Overview of Pump.fun’s Operations

Pump.Fun is made to facilitate the process of making and releasing new tokens on the Solana blockchain. The platform’s special feature lies in the fact that it prevents ‘rug pulls’ by guaranteeing the safety of all created tokens, with no presale or team allocation.

The users can mint new tokens for a small fee and trade them on the bonding curve, which determines the price of the token based on its supply.

The platform has become quite popular, and it registered the highest daily revenue of $1. 23 million on May 14, just two days before the exploit. Pump.Fun charges users almost 0. 02 SOL (approximately $3. 16 at the current prices) to mint a new token.

Tokens that hit the $69,000 market cap are then deposited by a worth of $12,000 liquidity onto Raydium, which is a Solana-based decentralized exchange, before they are burned. 

Read Also: GameStop (GME) Down 30%, What Happened To The Meme Stock Frenzy?

The post Flash Loan Attack Drains $2M from Solana-Based Pump Fun appeared first on CoinGape.