- Pump.fun, a Solana memecoin creation tool, reports a $1.9 million theft by a former employee via a bonding curve attack.
- The platform briefly halted trading but has since resumed, assuring that user funds are secure and will be fully restored.
- The theft was executed using a flash loan attack, exploiting internal systems and privileged access.
Pump.fun, a tool for creating memecoins on the Solana blockchain, has reported a significant security breach involving nearly $2 million, allegedly perpetrated by a former employee. The incident, which involved a sophisticated attack known as a “bonding curve” attack, was disclosed in a detailed post on the platform’s X account on May 16.
Insider Attack Details
The breach was carried out by a former employee who used their privileged access to the protocol's withdraw authority, compromising its internal systems. Pump.fun reported that approximately $1.9 million was stolen from its bonding curve contracts, which collectively held about $45 million.
Response and Measures
Following the discovery of the unauthorized transactions, Pump.fun temporarily suspended trading to assess and mitigate the impact. The platform has since resumed operations, affirming that its smart contracts are secure and declaring that affected users will be reimbursed fully within 24 hours.
Method of the Exploit
The alleged exploiter used flash loans (uncollateralized loans used in decentralized finance) from the Solana lending protocol Raydium. These loans let the attacker buy large quantities of tokens quickly, which they then used to manipulate the platform's bonding curves and withdraw liquidity. The attack resulted in the theft of about 12,300 SOL, valued at $1.9 million, between 3:21 pm and 5:00 pm UTC on May 16.
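To make the two signals in that description concrete, here is an added monitor (not Pump.fun's code, and the article does not describe its real curve) that replays curve events against an assumed constant-product bonding curve and flags both flash-loan-sized buys and any SOL leaving the reserve without a matching trade, which is what a privileged withdraw does to the curve's invariant.

```python
from dataclasses import dataclass
from fractions import Fraction
# Assumed model: a constant-product curve (Pump.fun's real curve is not
# described in the article). Fractions keep the product k exact.
@dataclass
class Curve:
    sol: Fraction     # SOL held in reserve by the curve contract
    tokens: Fraction  # tokens still available on the curve
    def k(self) -> Fraction:
        return self.sol * self.tokens

def buy(c: Curve, sol_in: Fraction) -> Fraction:
    """Normal trade: SOL in, tokens out; k is unchanged."""
    new_sol = c.sol + sol_in
    tokens_out = c.tokens - c.k() / new_sol
    c.sol, c.tokens = new_sol, c.tokens - tokens_out
    return tokens_out

def sell(c: Curve, tokens_in: Fraction) -> Fraction:
    """Normal trade: tokens in, SOL out; k is unchanged."""
    new_tokens = c.tokens + tokens_in
    sol_out = c.sol - c.k() / new_tokens
    c.sol, c.tokens = c.sol - sol_out, new_tokens
    return sol_out

def withdraw(c: Curve, sol_out: Fraction) -> Fraction:
    """Privileged path: SOL leaves the reserve with nothing coming back."""
    c.sol -= sol_out
    return sol_out

def audit(events, start_sol, start_tokens, max_buy_share=Fraction(1, 5)):
    """Replay events; alert on a buy above max_buy_share of the SOL reserve
    (flash-loan sized) and on any event that lowers k (reserve drained)."""
    c = Curve(Fraction(start_sol), Fraction(start_tokens))
    alerts = []
    for i, (kind, amount) in enumerate(events):
        amount, k_before = Fraction(amount), c.k()
        if kind == "buy":
            if amount > c.sol * max_buy_share:
                alerts.append((i, "oversized_buy"))
            buy(c, amount)
        elif kind == "sell":
            sell(c, amount)
        elif kind == "withdraw":
            withdraw(c, amount)
        if c.k() < k_before:
            alerts.append((i, "reserve_drained"))
    return alerts

# Constructed sample: two ordinary trades, an oversized buy, a privileged withdrawal.
SAMPLE_EVENTS = [("buy", 10), ("sell", 5), ("buy", 300), ("withdraw", 200)]
```

Ordinary buys and sells leave k untouched, so the only events that trip the second check are ones that move reserve out of the contract through a non-trade path, which is the audit signal an operator would want on a withdraw authority.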
Ongoing Investigation
Pump.fun has not disclosed the identity of the former employee suspected of the attack but confirmed cooperation with law enforcement to address the incident. The platform's swift response to secure user funds and its transparency in communicating with its community have been a focal point in its handling of the situation.
Broader Implications
This event highlights potential vulnerabilities within blockchain and DeFi platforms, especially regarding insider threats and the need for robust security measures to protect user assets. Pump.fun’s incident will likely prompt other platforms to reevaluate their security protocols to prevent similar exploits.
As the investigation continues, Pump.fun has reiterated its commitment to user security and trust, emphasizing that measures are in place to prevent such incidents in the future. The crypto community and regulators will be watching closely as Pump.fun navigates its recovery from this significant security breach.