SOL

All You Need to Know About The Pump.Fun Exploit

by BSCN

May 17, 2024

The attacker used flash loans from Raydium to manipulate Pump[dot]Fun's bonding curves and withdraw liquidity.

Pump[dot]Fun, a Solana-based platform designed to streamline token launches, suffered a significant exploit on May 16, resulting in the loss of at least 12,300 SOL, worth approximately $2 million.

We are aware that the https://t.co/uE2QNKXkIT bonding curve contracts have been compromised and are investigating the matter.

We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe.

We’ve paused trading — you…
— pump.fun (@pumpdotfun) May 16, 2024

The exploit began with the alleged attacker using flash loans from Raydium, a prominent Solana lending protocol.

Flash loans are a powerful DeFi tool, enabling users to execute transactions that would otherwise be impossible due to the need for large amounts of capital. However, they also pose significant risks, as demonstrated by this exploit.

Bonding curves, another key component of Pump[dot]Fun, determine the price of a token based on its supply. When a token fills its bonding curve, the liquidity is supposed to be burned to Raydium, allowing the token to start trading on the open market.

In this exploit, the hacker used MarginFi’s flash loan services to manipulate the bonding curves. By reaching 100% on these curves, they could access and withdraw the liquidity, meant for Raydium, and repay the flash loan, securing substantial profits.

Security Response and Measures

The Pump[dot]Fun team upgraded their contracts to prevent further damage in response to the attack. They assured users that all connected wallets and tokens burned to Raydium are secure.

The team’s investigation suggested that a compromised private key facilitated the exploit, as Pump[dot]Fun’s service account cosigned all exploiter transactions.

Allegations and Investigations

Pump[dot]Fun has collaborated with law enforcement to investigate the breach.

However, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, suggested that an internal private key leak caused the hack. He implicated X user “STACCoverflow,” who later identified himself as Jarett Reginald S Dunn.

Dunn claimed credit for the exploit in a series of unusual tweets, asserting that the stolen funds would be distributed to holders of various Solana tokens.

And now; Magick: everybody be cool, this is a r o b b e r y. What it do, staccattack? I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: /x
— 🔥🪂staccoverflow ; j'arrête ; (@STACCoverflow) May 16, 2024

Various users on X have reported receiving token distributions from the hacker, though the criteria for these distributions remain unclear.

Pump[dot]Fun enables non-technical users to launch memecoins quickly and cost-effectively. The platform has facilitated the launch of hundreds of tokens on Blast and Solana, generating over $10 million in revenue last month alone, according to DeFiLlama.

Disclaimer

Disclaimer: The views expressed in this article do not necessarily represent the views of BSCNews. The information provided in this article is for educational and informational purposes only and should not be construed as investment advice. BSCNews assumes no responsibility for any investment decisions made based on the information provided in this article