Solana token launcher Pump.fun suffers flash loan exploit

Quick Take

  • The exploiter seems to be using flash loans to get enough SOL to buy out Pump.fun memecoin bonding curves. 

Pump.fun, a Solana-based platform that streamlines token launches, appears to have been exploited. 

The exploiter seems to be using flash loans to get enough SOL to buy out the bonding curve for Pump.fun memecoins, resulting in about $2 million lost. The situation is developing, and The Block reached out to the project's team for comment. 

"We are aware that the Pump.fun bonding curve contracts have been compromised and are investigating the matter," the project wrote on the social media platform X.

Pump.fun added that it has updated its contracts to prevent the attacker from draining more funds, and the protocol's total value locked and wallets connected to the platform are safe. It is cooperating with law enforcement and "relevant parties" about the matter.

"We’ve paused trading — you cannot buy and sell any coins at the moment," Pump.fun continued. "Any coins that are currently in the process of migrating to Raydium cannot be traded and will not be migrating for an indefinite period of time. Any coins that have made it off the Pump.fun bonding curve contracts with locked LPs on Raydium are safe."

What happened

The platform lost around 12,300 SOL, worth around $2 million, through the incident, notes Wintermute Head of Research Igor Igamberdiev on X. He adds that Pump.fun also may have experienced a private key compromise, aiding the loss of assets. 

A social media user who goes by Stacc has taken credit for the exploit. In a Thursday social media post, Stacc said that he had engaged in a robbery, alluded to poor mental health, and said that he wishes for his mom to be raised from the dead.

"From his tweet regarding the passing of his mother, where he details the exploit, it seems like he doesn't plan to make any money from this and it's more so a display of his aggression and sadness but that could swiftly change," an X user who goes by SOLCircle told The Block. "He could make a big disruption to the memecoin space on Solana as Pump.fun is one of its biggest assets."

How Pump.fun works

Pump.fun "prevents rugs by making sure that all created tokens are safe," the platform wrote on its website, adding that each new coin has no presale or team allocation. Pump allows users to mint new tokens for only a few dollars. Users pick a token and then buy it on a bonding curve, a formula that determines a token's price based on its supply. They can sell their token holdings to lock in their profit or losses. When a token reaches a market capitalization of $69,000, $12,000 of the token's liquidity is deposited onto Raydium, a Solana-based decentralized exchange, before getting burned.

Pump.fun charges users around 0.02 SOL to create a new token, worth $3.16 at current prices. SOL changed hands at $158.056 as of 12:55 p.m. ET (16:55 UTC) on May 16, having increased 3.45% in the past 24 hours, according to The Block Prices.

Pump amassed an all-time high daily revenue of $1.23 million on May 14, with the platform most recently amassing over $669,000 on May 15, The Block's Data Dashboard shows.

Update (May 16 2:06 p.m. ET): Added estimates of funds lost from the exploit, commentary from Wintermute's Head of Research. 

Update (May 16 3:52 p.m. ET): Exploit loss figures, statement from Pump.fun.


© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

MK Manoylov has been a reporter for The Block since 2020 — joining just before bitcoin surpassed $20,000 for the first time. Since then, MK has written nearly 1,000 articles for the publication, covering any and all crypto news but with a penchant toward NFT, metaverse, web3 gaming, funding, crime, hack and crypto ecosystem stories. MK holds a graduate degree from New York University's Science, Health and Environmental Reporting Program (SHERP) and has also covered health topics for WebMD and Insider. You can follow MK on X @MManoylov and on LinkedIn.

Editor

Lawrence Lewitinn
