Insider Attack Drains $2 Million from Solana’s Pump.fun Meme Coin Platform

On May 16, at 15:21 UTC, pump.fun, a meme coin creation platform in the Solana (SOL) ecosystem, was exploited. The incident resulted in a loss of approximately 12,300 SOL, worth nearly $2 million at current market prices.

The attacker manipulated the platform using flash loans from Margin.fi to obtain SOL and buy the pump.fun tokens without using their own funds. This recent exploitation has sent shockwaves through the crypto community.

From Insider to Attacker: The Pump.fun Security Breach

Initially identified by the wallet address 7ihN8QaTfNoDTRTQGULCzbUT3PHwPDTu5Brcu4iT2paP, the attacker exploited pump.fun by purchasing all the tokens of new projects launched on the platform within minutes. This action pushed the bonding curve to its limit.

In the decentralized finance (DeFi) sector, the bonding curve is a smart contract that creates a market for tokens without relying on crypto exchanges. Therefore, as intended, the manipulation prevented the tokens from listing on Raydium DEX, a decentralized exchange in Solana.

Read more: Top 5 Flaws in Crypto Security and How To Avoid Them

Flash Loan Exploitation by pump.fun’s Attacker. Source: Solscan

In response to the attack, pump.fun upgraded its contracts to prevent further exploitation. Furthermore, the team paused trading and assured users that the protocol’s total value locked (TVL) was safe.

“We are committed to ensuring the safety of our users and are cooperating with relevant parties, including law enforcement, to minimize the damage,” the team stated.

Interestingly, the attacker was a former employee of pump.fun—Jarrett, better known by the pseudonym STACCOverflow. Jarrett expressed his dissatisfaction with the company on social media, stating his intent to disrupt the platform.

“The kind of horrible bosses that witness you wreck your hand, ask you what happened, you said the glass table got you, and they go ‘is that table ok?’ is not the type of people you want front and center as the face of blockchain,” Jarrett wrote following the attack.

He clarified that he has a plan and wants to “change the course of history.” Moreover, he stated that he is not worried about going to jail.

In a separate post, Jarrett also stated that he would distribute his loot through an airdrop among various communities, including Slerf, Stacc, Saga, and Risklol. Due to his decision to do the airdrop, some in the crypto community have called him the “Web3 Robinhood.”

Around five hours after its initial announcement, pump.fun published a post-mortem. They redeployed contracts and resumed trading with 0% fees for the next seven days. They also committed to seeding liquidity pools (LPs) for affected coins to restore trading functionality.

Read more: Crypto Project Security: A Guide to Early Threat Detection

“Coins that reached 100% between 15:21 – 17:00 UTC are in limbo, meaning that no one can trade them until LPs are deployed for them on Raydium. To make users whole, the pump.fun team will seed the LPs for each affected coin with an equal or greater amount of SOL liquidity than the coin had at 15:21 UTC within the next 24 hours. […] Solana sh*tcoins are back, and greater than ever,” the pump.fun team wrote.

While pump.fun claimed it has already returned, the crypto community must remain vigilant. Some scammers try to take advantage of the incident by masquerading as the pump.fun team and sharing malicious links claiming to be reimbursement links.