How Did an Ex-Employee Steal $2M from Pump.Fun Using Flash Loans?

The post How Did an Ex-Employee Steal $2M from Pump.Fun Using Flash Loans? appeared first on Coinpedia Fintech News

Pump.fun, a Solana-based platform for launching tokens, has suffered a major security breach, resulting in a loss of approximately $2 million. The attacker leveraged flash loans to exploit the platform’s bonding curve contracts, undermining the token launch mechanism. 

We are aware that the https://t.co/uE2QNKXkIT bonding curve contracts have been compromised and are investigating the matter.

We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe.

We’ve paused trading — you…

— pump.fun (@pumpdotfun) May 16, 2024

Flash loans allow users to borrow large amounts without collateral only if they return the funds within the same transaction. The attacker acquired enough SOL through this method to buy out the bonding curves for the meme coins of Pump. fun, which led to vast financial losses.

Security Measures and Trading Suspension

Following the attack, Pump.fun stopped all trading activities on the platform. The team stated:

“”We have stopped trading — you cannot buy and sell any coins. Any coins currently migrating to Raydium will not be able to be traded for an indefinite period.”

However, they assured the users that encrypted liquidity on Raydium was safe and unaffected. Moreover, Pump.fun contracts were updated to prevent any further exploitation. 

Who attacked Solana’s Pump.fun? 

The wallet address of the exploiter was identified as 7ihN8QaTfNoDTRTQGULCzbUT3PHwPDTu5Brcu4iT2paP, where the attacker purchased all tokens of the new projects quickly and pushed the bonding curve to its limit. Initially, an unidentified user called ‘Stacc’ has claimed responsibility for the attack in a series of posts who described it as an act of protest and not exactly a financial profit. 

Later, the attacker was identified as a former employee named Jarrett, known as STACCOverflow. He claimed that he was not satisfied with the company and that he aimed to disrupt the platform. In addition, Jarrett criticized the company on social media and stated his plan to change the course of history, clearing that imprisonment did not worry him. He also planned to distribute the funds he had stolen through an airdrop, thereby earning him the nickname “Web3 Robinhood.”

Pump.fun’s Response and Future Steps

https://t.co/uE2QNKXkIT coin migration issue post-mortem

TL;DR:

1. the https://t.co/uE2QNKXkIT contracts are safe. they have always been safe
2. a former employee used their privileged position at the company to misappropriate ~12.3K SOL (~$1.9m)
3. https://t.co/uE2QNKXkIT is…

— pump.fun (@pumpdotfun) May 16, 2024

Pump.fun has assured us that their contracts have always been safe, and the attack resulted from a former employee misusing their privileged position. Currently, the platform is again back online and allows its users to launch new coins and trade any coins that didn’t reach 100% between 15:21 and 17:00 UTC. In addition, the coins that reached 100% during this period would be compensated to the users by relaunching on Raydium with at least 100% of its liquidity within the next 24 hours. Also, the good news for the users is, for the next seven days, the trading fees are reduced to 0%!

Currently, the Pump.the fun team is working together with top security experts to minimize this incident’s impact and to make sure that similar incidents are not repeated in the future. They expressed gratitude to their community for their trust and support during this challenging time, stating, “Solana shitcoins are back and greater than ever.”