All You Need to Know About The Pump.Fun Exploit

Pump[dot]Fun, a Solana-based platform designed to streamline token launches, suffered a significant exploit on May 16, resulting in the loss of at least 12,300 SOL, worth approximately $2 million. 

The exploit began with the alleged attacker using flash loans from Raydium, a prominent Solana lending protocol. 

Flash loans are a powerful DeFi tool, enabling users to execute transactions that would otherwise be impossible due to the need for large amounts of capital. However, they also pose significant risks, as demonstrated by this exploit. 

Bonding curves, another key component of Pump[dot]Fun, determine the price of a token based on its supply. When a token fills its bonding curve, the liquidity is supposed to be burned to Raydium, allowing the token to start trading on the open market.

In this exploit, the hacker used MarginFi’s flash loan services to manipulate the bonding curves. By reaching 100% on these curves, they could access and withdraw the liquidity, meant for Raydium, and repay the flash loan, securing substantial profits.

Security Response and Measures

The Pump[dot]Fun team upgraded their contracts to prevent further damage in response to the attack. They assured users that all connected wallets and tokens burned to Raydium are secure. 

The team’s investigation suggested that a compromised private key facilitated the exploit, as Pump[dot]Fun’s service account cosigned all exploiter transactions. 

Allegations and Investigations

Pump[dot]Fun has collaborated with law enforcement to investigate the breach. 

However, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, suggested that an internal private key leak caused the hack. He implicated X user “STACCoverflow,” who later identified himself as Jarett Reginald S Dunn. 

Dunn claimed credit for the exploit in a series of unusual tweets, asserting that the stolen funds would be distributed to holders of various Solana tokens.

Various users on X have reported receiving token distributions from the hacker, though the criteria for these distributions remain unclear. 

Pump[dot]Fun enables non-technical users to launch memecoins quickly and cost-effectively. The platform has facilitated the launch of hundreds of tokens on Blast and Solana, generating over $10 million in revenue last month alone, according to DeFiLlama.