
Ex-Employee's $1.9M "Bonding Curve" Attack on Solana Memecoin Tool, Pump.fun

Algoine News
Summary:
A "bonding curve" attack by a former employee has cost pump.fun, a Solana memecoin creation tool, nearly $1.9 million. The exploit, which involved flash loans and manipulation of the company's internal systems, led to the temporary suspension of trading. However, pump.fun assured that smart contracts remain secure and impacted users will be fully compensated. The stolen sum was part of the total $45 million held in pump.fun's bonding curve agreements. The company is now cooperating with law enforcement in investigations related to the attack.
Pump.fun, a tool for creating memecoins on Solana, has revealed that it fell victim to a "bonding curve" attack led by a former employee, who used his privileged position to access the withdrawal authority and manipulate the protocol's systems. In the incident, reported on May 16th, approximately $1.9 million was siphoned from the total $45 million held in pump.fun's bonding curve agreements. As a recovery measure, trading was suspended for a period and later resumed. Pump.fun assured users that its smart contracts remain secure and that any losses incurred will be fully compensated within the next day.

Wintermute's research chief, Igor Igamberdiev, commented before pump.fun's disclosure, attributing the breach to an internal private key leak, possibly linked to the user "STACCoverflow." The alleged perpetrator signaled his actions through encoded messages and showed an utter disregard for the consequences. Pump.fun has reported its involvement with law enforcement but withheld the identity of the ex-employee and has yet to respond to comment requests.

According to the details of the breach, the offender used a Solana lending protocol, Raydium, to carry out flash loans and acquire as many coins as possible. Once the relevant bonding curves reached 100%, the offender was able to gain access to the liquidity in them and repay the flash loans. An estimated 12,300 SOL, equivalent to $1.9 million, went missing in the attack, which took place between 3:21 pm and 5:00 pm UTC on May 16. Pump.fun assured users affected during this window that they would be reimbursed in full, or possibly more than, the liquidity they had prior to the breach.

As a cautionary note, it was reported that one out of every six Base meme coins is fraudulent, with a whopping 91% exhibiting vulnerabilities.

Published At

5/17/2024 3:17:00 AM

Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
