Solana-based memecoin launchpad Pump.fun recently experienced a significant exploit, resulting in the loss of approximately $1.9 million. In a detailed post-mortem, the platform revealed that a former employee was responsible for the incident. This revelation has led to substantial efforts to compensate affected users and restore trust in the platform.
The Exploit Unveiled
Pump.fun disclosed that a former employee used admin privileges they still held to misappropriate around 12,300 SOL, valued at roughly $1.9 million. The incident took place on a Thursday, with the ex-employee using their access to the platform's withdrawal authority, the privileged role able to move SOL out of the platform's contracts.
How the Exploit Was Executed
At 15:21 UTC, the former employee took out flash loans on a Solana lending protocol, used the borrowed SOL to buy memecoins until they reached 100% on their bonding curves, and then used the withdrawal authority to pull the SOL out of the bonding-curve contracts. The withdrawn liquidity covered repayment of the flash loans and left the exploiter with the difference. The exploit drained about $1.9 million of the roughly $45 million in liquidity held in the bonding-curve contracts.
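The sequence above, as an added toy model in Rust (this is illustrative code, not Pump.fun's program; the linear pricing, the account names and all numbers are constructed): a bonding-curve vault guarded by a single withdraw authority, beside a hardened variant that releases SOL only once the curve completes, only to a fixed migration destination, and only with a quorum of distinct approvers. The insider flow is the one the post-mortem describes: borrow, buy the curve to 100%, withdraw, repay.

```rust
// Toy model of a bonding-curve vault and its withdraw authority.
// Added example only; not Pump.fun code. Pricing, names and numbers are constructed.

const LAMPORTS_PER_TOKEN: u64 = 1; // constructed linear price: 1 lamport buys 1 token

#[derive(Debug, Clone)]
pub struct Curve {
    pub sol_reserves: u64,   // lamports held by the curve
    pub token_reserves: u64, // tokens still for sale on the curve
}

impl Curve {
    pub fn new(sol_reserves: u64, token_reserves: u64) -> Self {
        Curve { sol_reserves, token_reserves }
    }

    /// Buy along the curve; returns tokens received. Once the curve is sold
    /// out, further lamports are simply not taken.
    pub fn buy(&mut self, lamports_in: u64) -> u64 {
        let want = lamports_in / LAMPORTS_PER_TOKEN;
        let got = want.min(self.token_reserves);
        self.token_reserves -= got;
        self.sol_reserves += got * LAMPORTS_PER_TOKEN;
        got
    }

    /// "100% on the bonding curve": nothing left to sell.
    pub fn complete(&self) -> bool {
        self.token_reserves == 0
    }
}

/// Vulnerable design: one key can pull all SOL to any destination at any time.
pub struct NaiveVault {
    pub curve: Curve,
    pub withdraw_authority: &'static str,
}

impl NaiveVault {
    pub fn withdraw(&mut self, signer: &str, _to: &str) -> Result<u64, &'static str> {
        if signer != self.withdraw_authority {
            return Err("not the withdraw authority");
        }
        Ok(std::mem::take(&mut self.curve.sol_reserves))
    }
}

/// Hardened design: SOL leaves only after the curve completes, only to the
/// fixed migration destination, and only with `threshold` distinct approvers.
pub struct HardenedVault {
    pub curve: Curve,
    pub migration_destination: &'static str,
    pub approvers: Vec<&'static str>,
    pub threshold: usize,
}

impl HardenedVault {
    pub fn withdraw(&mut self, signers: &[&str], to: &str) -> Result<u64, &'static str> {
        if !self.curve.complete() {
            return Err("curve not complete");
        }
        if to != self.migration_destination {
            return Err("destination is not the migration pool");
        }
        // Count distinct, authorised signers; duplicates do not help.
        let mut seen: Vec<&str> = Vec::new();
        for s in signers {
            if self.approvers.iter().any(|a| *a == *s) && !seen.iter().any(|x| x == s) {
                seen.push(s);
            }
        }
        if seen.len() < self.threshold {
            return Err("insufficient approvals");
        }
        Ok(std::mem::take(&mut self.curve.sol_reserves))
    }
}

/// Insider flow: flash-loan SOL, buy the curve to 100%, withdraw the vault,
/// repay the loan. Returns the insider's net profit in lamports.
pub fn insider_drain_naive(vault: &mut NaiveVault, insider: &str, flash_loan: u64) -> Result<u64, &'static str> {
    vault.curve.buy(flash_loan);
    let drained = vault.withdraw(insider, insider)?;
    drained.checked_sub(flash_loan).ok_or("could not repay flash loan")
}

pub fn insider_drain_hardened(vault: &mut HardenedVault, insider: &str, flash_loan: u64) -> Result<u64, &'static str> {
    vault.curve.buy(flash_loan);
    let drained = vault.withdraw(&[insider], insider)?;
    drained.checked_sub(flash_loan).ok_or("could not repay flash loan")
}

fn main() {
    let mut naive = NaiveVault { curve: Curve::new(1_000, 500), withdraw_authority: "ex-employee" };
    println!("naive vault, insider profit: {:?}", insider_drain_naive(&mut naive, "ex-employee", 500));
    let mut hardened = HardenedVault {
        curve: Curve::new(1_000, 500),
        migration_destination: "raydium-pool",
        approvers: vec!["a", "b", "c"],
        threshold: 2,
    };
    println!("hardened vault, insider attempt: {:?}", insider_drain_hardened(&mut hardened, "ex-employee", 500));
}
```

In the naive model the flash loan is fully recovered and the pre-existing reserves become profit, which is why the size of the loan is not the attacker's constraint; the single key is. In the hardened model the same key, even if it is on the approver list, cannot redirect funds anywhere but the migration pool, and a departed employee's key can be removed from the approver set without touching user funds.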
By 17:00 UTC, Pump.fun had halted all trading. Only a small fraction of the platform's total liquidity was affected. The platform kept trading paused while it upgraded its contracts to prevent further damage, and told users that their funds otherwise remained safe.
Compensation and Future Plans
To compensate affected users, Pump.fun announced plans to replenish the liquidity pool of each affected coin with an amount of SOL equal to or greater than what was lost, within 24 hours of the incident. Additionally, the platform set trading fees to 0% for the following seven days.
The Exploiter’s Identity and Demands
An X user named “Stacc” claimed responsibility for the exploit, citing personal grievances and dissatisfaction with Pump.fun’s management as motivation. Stacc demanded $100,000 payouts for each non-founder contributor to the project, threatening to burn the stolen funds if these demands were not met. Stacc’s demands highlighted the internal discord within the company and the exploiter’s willingness to take drastic measures.
Community Reaction and Impact
The exploit and subsequent revelations have drawn significant attention from the crypto community. Former employees and associates of Pump.fun have weighed in, with some supporting Stacc’s claims of poor management. The incident has raised concerns about the security and integrity of the memecoin ecosystem on Solana, given Pump.fun’s prominent role in this market.
Pump.fun’s Commitment to Security
Pump.fun, which allows users to create new tokens for a minimal fee, has emphasized its commitment to security. The platform prohibits presales and team allocations for new coins, rules it presents as protecting buyers of newly created tokens. An additional feature locks a portion of a token's liquidity into Raydium, removing it from circulation once the token reaches a specific market capitalization. Neither rule constrains the platform's own withdrawal authority, which is what the insider used.
Despite the recent exploit, Pump.fun continues to see significant user activity, with daily revenues exceeding $1.2 million. The platform’s response to the incident and its ongoing security measures aim to restore user confidence and maintain its position in the market.
The Pump.fun exploit serves as a stark reminder of the vulnerabilities within blockchain platforms and of the insider threat in particular: a former employee with access to a privileged authority needed no bug in the contracts. While the platform has taken steps to address the immediate fallout and compensate affected users, the incident underscores the need for robust security measures, including revoking privileged access when staff leave and limiting what any single authority can move, and for transparent management practices. As the crypto community watches closely, the future actions of Pump.fun will be critical in determining its long-term reputation and success.