Pump.fun, a Solana-based platform that streamlines the creation and trading of meme coins, has been hit by a significant exploit targeting its core bonding curve contracts.
The attack, which occurred on Thursday, May 16th, 2024, has resulted in losses of around $2 million (12,000 SOL) for the project.
TLDR
- Pump.fun, a popular Solana-based token launch platform, was exploited through a flash loan attack targeting its bonding curve contracts.
- The attacker seemingly used flash loans to buy out the bonding curves of various meme coins on the platform, resulting in losses of around $2 million (12,000 SOL).
- The Pump.fun team has paused trading on the platform and is investigating the matter, while also upgrading contracts to prevent further fund drains.
- A user named “Stacc” has claimed responsibility for the attack, implying it was not financially motivated but rather an act of aggression and sadness.
- The attack has caused significant disruption to the Solana meme coin ecosystem, with Pump.fun being a major player in the space.
According to the Pump.fun team, the attacker seemingly used a combination of flash loans to buy out the bonding curves of various meme coins on the platform.
Flash loans are a decentralized finance (DeFi) mechanism that lets a user borrow funds without collateral on the condition that they are repaid before the same transaction ends; if repayment does not happen, the entire transaction reverts. That atomicity is what lets one actor push a large amount of capital through several contracts in a single step.
In this case, the exploiter appears to have pushed flash-loaned SOL into Pump.fun's bonding curve contracts, buying tokens until the curves filled, and then recovered that SOL to repay the loan before the transaction ended.
That left the bonding curves' accounting credited with SOL the contracts no longer held, making the associated tokens appear valuable despite a lack of real buy-side interest.
Pump.fun acknowledged the attack in a post on the social media platform X, stating, “We are aware that the bonding curve contracts have been compromised and are investigating the matter.”
We are aware that the https://t.co/uE2QNKXkIT bonding curve contracts have been compromised and are investigating the matter.
We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe.
We’ve paused trading — you…
— pump.fun (@pumpdotfun) May 16, 2024
The team has since paused trading on the platform, preventing users from buying or selling any coins for the time being. Additionally, any coins currently in the process of migrating to the Raydium decentralized exchange (DEX) will not be able to do so for an indefinite period.
Igor Igamberdiev, the head of research at Wintermute, a leading crypto market maker, analyzed the situation and estimated the total loss to be “at least” 12,000 SOL, or approximately $2 million at the time of the attack.
Interestingly, a user named “Stacc” seems to have taken credit for the exploit on social media, implying that the attack was not financially motivated but rather an act of aggression and sadness.
In one post, Stacc wrote, “I’m about to change the course of history,” and later alluded to poor mental health and a desire to see their deceased mother again.
While Stacc suggested that they do not plan to profit from the attack and may distribute the remaining balances of the bonding curves to token holders, the situation remains fluid, and the full implications of the exploit are yet to be determined.
The attack has caused significant disruption in the Solana meme coin ecosystem, with Pump.fun being one of the major platforms facilitating the creation and trading of these tokens.
The platform’s unique model allows users to mint new tokens for only a few dollars and then buy and sell them on a bonding curve. Tokens that reach a market capitalization of $69,000 can then be listed on the Raydium DEX.
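As an added illustration (not code from Pump.fun, nor from this article), the following Python model of a constant-product bonding curve shows the two mechanics described above: why a flash loan that buys along the curve and sells straight back cannot hurt the curve, and what the "phantom SOL" state looks like once borrowed SOL leaves the contract by some path other than a sale. The curve shape, the starting reserves, the 5 SOL of earlier genuine buys, the supply and SOL price used for the market-cap figure, and the withdraw step are all assumptions; the page does not describe how SOL actually left Pump.fun's contracts. The `phantom_sol()` check is the invariant a monitor would watch.

```python
"""Toy model of a constant-product bonding curve under a flash-loan buy-out.

Added example; the curve shape and numbers are assumptions, not Pump.fun's
published parameters. Exact arithmetic (Fraction) so the round trip is
provably neutral rather than "close to zero"."""
from dataclasses import dataclass, field
from fractions import Fraction as F


@dataclass
class BondingCurve:
    virtual_sol: F                 # pricing reserve, SOL side (includes a virtual offset)
    virtual_tokens: F              # pricing reserve, token side
    real_sol: F = F(0)             # SOL the contract actually custodies
    initial_virtual_sol: F = field(init=False)
    k: F = field(init=False)

    def __post_init__(self) -> None:
        self.initial_virtual_sol = self.virtual_sol
        self.k = self.virtual_sol * self.virtual_tokens   # x * y = k

    def buy(self, sol_in: F) -> F:
        """Pay sol_in SOL and receive tokens priced along the curve."""
        tokens_out = self.virtual_tokens - self.k / (self.virtual_sol + sol_in)
        self.virtual_sol += sol_in
        self.virtual_tokens -= tokens_out
        self.real_sol += sol_in
        return tokens_out

    def sell(self, tokens_in: F) -> F:
        """Return tokens_in tokens and receive SOL priced along the curve."""
        sol_out = self.virtual_sol - self.k / (self.virtual_tokens + tokens_in)
        self.virtual_tokens += tokens_in
        self.virtual_sol -= sol_out
        self.real_sol -= sol_out
        return sol_out

    def spot_price_sol(self) -> F:
        """Marginal price in SOL per token."""
        return self.virtual_sol / self.virtual_tokens

    def phantom_sol(self) -> F:
        """SOL the pricing state says has been paid in, minus SOL actually held.
        Zero on a healthy curve; this is the invariant a monitor should enforce."""
        return (self.virtual_sol - self.initial_virtual_sol) - self.real_sol


def make_curve(seed_sol: F = F(5)) -> BondingCurve:
    """Fresh curve with assumed reserves, plus seed_sol of earlier genuine buys."""
    curve = BondingCurve(virtual_sol=F(30), virtual_tokens=F(1_073_000_000))
    curve.buy(seed_sol)              # earlier holders keep these tokens
    return curve


def market_cap_usd(curve: BondingCurve, total_supply: F, sol_usd: F) -> F:
    """Spot price times total supply: the figure a launch platform compares
    against its migration threshold. A buy-out inflates it without any
    organic demand."""
    return curve.spot_price_sol() * total_supply * sol_usd


def flash_loan_round_trip(curve: BondingCurve, loan: F) -> F:
    """Borrow, buy out the curve, sell everything back, repay.
    Returns the attacker's net SOL: exactly 0 on a fee-free x*y=k curve,
    so a flash loan on its own cannot extract value from the curve."""
    tokens = curve.buy(loan)
    sol_back = curve.sell(tokens)
    return sol_back - loan


def flash_loan_then_withdraw(curve: BondingCurve, loan: F) -> F:
    """Same buy, but the SOL leaves the contract without tokens being sold back.
    The withdrawal path is deliberately abstract (assumed for the model; the
    page does not say how it existed) and is modelled as the real balance
    being removed wholesale. Returns the attacker's net SOL after repaying."""
    curve.buy(loan)
    withdrawn = curve.real_sol       # includes the earlier genuine buyers' SOL
    curve.real_sol = F(0)
    return withdrawn - loan


if __name__ == "__main__":
    honest = make_curve()
    print("round trip profit:", flash_loan_round_trip(honest, F(100)))
    print("phantom SOL after round trip:", honest.phantom_sol())
    drained = make_curve()
    print("withdraw gain:", flash_loan_then_withdraw(drained, F(100)))
    print("phantom SOL after withdraw:", drained.phantom_sol())
```

Run it and the round trip reports zero profit with `phantom_sol()` still zero, while the withdraw variant reports the earlier buyers' 5 SOL as attacker gain and `phantom_sol()` equal to everything that ever passed through the curve. On a real chain the equivalent check is to compare the program's recorded reserve against the lamport balance of the curve's SOL account after every instruction that touches it, and to treat any divergence as an incident rather than as rounding.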
The Pump.fun team has stated that they have upgraded their contracts to prevent the attacker from siphoning any more funds and that the total value locked in the protocol, as well as user wallets connected to the platform, are currently safe. The project is also cooperating with law enforcement and “relevant parties” regarding the matter.
As the investigation into the attack continues, the Solana community and cryptocurrency enthusiasts worldwide will be closely monitoring the developments and potential implications for the broader DeFi ecosystem.