Pump.fun Links $1.9M Exploit to Former Employee

• Pump.fun, a Solana-based memecoin launchpad identifies the recent exploit’s attacker.
• The Pump.fun team to seed LPs for affected coins.

Pump.fun, a Solana-based token launching platform, suffered an exploit on May 16. According to a post-mortem report on its X account, it identified the exploit to be executed by a former employee who illegitimately gained access to the withdrawal authority by misusing the privileged position.  

The exploit which occurred at 15.17 UTC the previous day, caused a $1.9M loss to the platform and halted trading as bond curves had reached 100% for most coins. Pump.fun stated that it will compensate Liquidity Protocols for every coin and users’ losses. 

How Did the Pump.fun Exploit Happen

Pump.fun allows users to mint tokens with minimal fees, within a few dollars. Launched in 2023, Pump.fun protects user funds and prevents rugs by prohibiting pre-sale or team allocation for the created tokens. 

The exploit occurred when the former employee gained access to admin privileges. The ex-employee, after gaining access, used flash loans to buy as many coins as required to push the bonding curves to hit 100%. Once it hit the cent value they utilised it to gain access to bonding curve liquidity. 

Furthermore, the liquidated funds were in turn used to pay off the flash loans. The funds lost were 12,300 SOL which amounts to approximately $2M. The loss comprised 4% of the total 45M liquidity available in bond curve contracts. 

Moreover, an X account with the username ‘Staac’, who might be the ex-employee, posted a thread claiming the attack. They stated it to be a ‘robbery’ and indicated their former employers as “not the type of ppl you want front n center as the face of blockchain”. Lookonchain reported that the attacker has released a meme coin capitalising on the attack. 

Additionally, Pump.fun has described the measures taken to reprimand the exploit’s losses. They assured the users of funds safety and announced zero trading fees for the next seven days. The team will seed the LPs for all affected coins that reached 100% and will make them available for trading within the next 24 hours.   

Highlighted Crypto News Today: 

Senate Votes 60-38 to Overturn SEC Crypto Policy, Biden Opposed