Pump.fun identifies $1.9 million exploiter as former employee in post mortem

Quick Take

  • Pump.fun identified the exploiter behind the $1.9 million exploit as a former employee.
  • The platform laid out plans to compensate users who suffered from the exploit in a post-mortem posted on X.

Solana-based memecoin launchpad Pump.fun said a former employee was behind the exploit that took place Thursday. 

The incident involved a former employee gaining pump.fun's admin privileges, resulting in the misappropriation of approximately 12,300 SOL, valued at around $1.9 million at the time.

“At 15:21 UTC, a former employee, having illegitimately taken access of the withdraw authority using their privileged position at the company, used flash loans on a Solana lending protocol,” the platform said in a post-mortem posted on X. 

The loans were used to borrow SOL to buy up as many memecoins as possible until they hit 100% on their bonding curves, which allowed the exploiter to gain liquidity to repay the flash loans, Pump.fun detailed. This affected roughly $1.9 million out of a total of $45 million in liquidity within the bonding curve contracts during a specific timeframe.

“By 17:00 UTC, all trading on pump.fun was halted. Out of a total of $45m of liquidity in the bonding curve contracts, only ~$1.9m was affected,” the platform said.

Pump.fun had paused trading and upgraded the contracts on the platform to stop further damage. The platform is back live, and its contracts remain safe, it added.

“To make users whole, the pump.fun team will seed the LPs for each affected coin with an equal or greater amount of SOL liquidity that the coin had at 15:21 UTC within the next 24 hours,” the platform said, adding that its trading fees are set to 0% for the next seven days. 

Meanwhile, an X user who goes by the name “Stacc” acknowledged that they had executed the exploit. In their thread of tweets, Stacc expressed disdain for their “horrible bosses,” an apparent reference to Pump.fun, who they said are “not the type of ppl you want front n center as the face of blockchain.”

Another X user, @valerio_eth, who claimed to be the first engineer that Pump.fun had hired, stated that they had worked in person with Stacc.

Stacc has also created their own Solana-based memecoin inspired by the exploit, named Flash Stacc attack (FSA). The meme token, created late Thursday night, currently has a market capitalization of around $211,000, according to DEX Screener.

What is Pump.fun?

Solana-based Pump.fun helps users create new tokens for a minimal fee of a few dollars. The platform emphasizes its security measures, writing on its website that it "prevents rugs by making sure that all created tokens are safe" by prohibiting presales and team allocations for new coins.

Users can mint new tokens and determine their purchase price through a bonding curve mechanism, which sets the price based on current supply. Trading functionality allows users to buy and sell their holdings.

An additional feature automatically locks a portion of a token's liquidity pool, about $12,000, into Raydium and permanently removes it from circulation if the token reaches a specific market capitalization of around $69,000.

Pump.fun appears to be experiencing significant user activity, with daily revenue exceeding $1.2 million on Tuesday, according to The Block’s data dashboard.


Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Danny Park is an East Asia reporter at The Block writing on topics including Web3 developments and crypto regulations in the region. He was formerly a reporter at Forkast.News, where he actively covered the downfall of Terra-Luna and FTX. Based in Seoul, Danny has previously produced written and video content for media companies in Korea, Hong Kong and China. He holds a Bachelor of Journalism and Business Marketing from the University of Hong Kong.

Editor

Vishal Chawla
