Flash Loan Attack Drains $2M from Solana-Based Pump Fun

As a researcher with extensive experience in the cryptocurrency and blockchain industry, I’m deeply concerned about the recent exploitation of Pump.Fun, a popular Solana-based platform for launching tokens. The attacker managed to acquire large sums of SOL through flash loans and used it to buy out bonding curves for Pump.fun memecoins, resulting in significant financial losses for the platform and its users, including my firm, Wintermute, which lost nearly $2 million.


A Solana-based token launching platform called Pump.Fun has suffered an exploit, leading to approximately $2 million in damages.

An attacker exploited the platform’s bonding curve contracts by employing flash loans, thereby disrupting the intended process of launching tokens.

Exploitation of Pump.fun Bonding Curve

The adversary manipulated Pump.fun's bonding curve contracts using flash loans, a technique that lets borrowers obtain substantial amounts of money without providing collateral, on the condition that they repay the loan within the same transaction. By employing these flash loans, the attacker amassed sufficient SOL to purchase the bonding curves for Pump.fun memecoins, resulting in significant financial repercussions for the platform.

— Igor Igamberdiev (@FrankResearcher) May 16, 2024

Igor Igamberdiev, the research lead at Wintermute, shares that they experienced a loss of approximately 12,300 Solana (SOL) coins, equivalent to around $2 million in value.
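The pattern described above, a loan borrowed and repaid inside one transaction with bonding-curve buys in between, can be screened for in decoded transaction data. The following is an added example, not code from the article or from Pump.fun; the record layout, signatures and SOL amounts are constructed for illustration.

```python
# Constructed sample data: the record layout, signatures and amounts are
# assumptions made for this example, not a real Solana transaction format.
SAMPLE_TXS = [
    {"sig": "tx-A", "instructions": [  # ordinary small buy
        {"op": "buy", "curve": "curve-1", "sol": 0.5, "curve_complete": False}]},
    {"sig": "tx-B", "instructions": [  # loan wrapped around two curve buy-outs
        {"op": "borrow", "sol": 400.0},
        {"op": "buy", "curve": "curve-2", "sol": 85.0, "curve_complete": True},
        {"op": "buy", "curve": "curve-3", "sol": 85.0, "curve_complete": True},
        {"op": "repay", "sol": 400.0}]},
    {"sig": "tx-C", "instructions": [  # flash loan that never touches a curve
        {"op": "borrow", "sol": 50.0},
        {"op": "swap", "sol": 50.0},
        {"op": "repay", "sol": 50.0}]},
    {"sig": "tx-D", "instructions": [  # large buy paid from the buyer's own funds
        {"op": "buy", "curve": "curve-4", "sol": 85.0, "curve_complete": True}]},
]


def flash_loan_windows(instructions):
    """Yield (borrow_index, repay_index) for each borrow repaid later in the same tx."""
    open_borrows = []
    for i, ins in enumerate(instructions):
        if ins["op"] == "borrow":
            open_borrows.append(i)
        elif ins["op"] == "repay" and open_borrows:
            yield open_borrows.pop(), i


def flag_flash_funded_curve_buys(txs):
    """Return one finding per transaction with curve buys inside a loan window."""
    findings = []
    for tx in txs:
        ins = tx["instructions"]
        inside = set()  # indices, so nested loan windows do not double-count a buy
        for start, end in flash_loan_windows(ins):
            inside.update(i for i in range(start + 1, end) if ins[i]["op"] == "buy")
        if inside:
            buys = [ins[i] for i in sorted(inside)]
            findings.append({
                "sig": tx["sig"],
                "curves_completed": [b["curve"] for b in buys if b["curve_complete"]],
                "sol_spent_on_curves": sum(b["sol"] for b in buys),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_flash_funded_curve_buys(SAMPLE_TXS):
        print(finding)
```

Only `tx-B` is flagged: `tx-C` uses a flash loan without touching a curve, and `tx-D` completes a curve without borrowed funds.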

As a crypto investor, I’ve come to realize that Pump.fun admitted to a security vulnerability in one of their social media platforms, specifically X (previously known as Twitter). They made this acknowledgement publicly through a post on their social media channels.

“The contraction of the bonding curves for Pump.fun’s contracts has been breached, and we are currently looking into this issue.”

As a member of the research team, I want to assure you that we have taken necessary steps to protect your assets following recent security concerns. Specifically, we have revised our contract terms to prevent any future exploitations. Rest assured that your Total Value Locked (TVL) and connected wallets continue to remain secure.

Security Measures and Trading Suspension

Following the assault on its platform, Pump.fun has temporarily halted all transactions. According to the team's announcement:

“Trading has been halted on our platform – no new buys or sells are permitted. Coins in the midst of transfer to Raydium will not be available for trading and this restriction may persist indefinitely.”

They stressed that encrypted liquidity on Raydium is safe and unaffected by this exploit.

As a crypto investor, I’m keeping a close eye on the ongoing investigation into the recent breach at Pump.fun. The team is collaborating with law enforcement and other relevant parties to uncover the truth behind this incident. While it’s still up for debate, some speculate that a private key compromise could be the culprit. However, this theory is only conjecture at this point.

Attacker Identified as ‘Stacc’

Social media user ‘Stacc’ has confessed to taking part in the exploit, describing it instead as a form of protest in a sequence of posts. He suggested that his actions were driven by emotional turmoil following the loss of his mother.

He expressed his firm resolve to make a significant impact in the memecoin sector on Solana by writing, “I will be the one shaping history in this realm.”

Stacc harbored various motives. He didn’t give any signs of intending to profit from the misappropriated funds. Instead, he suggested transferring the remaining bonding curve balances to other token users. This action added complexity to the situation due to the doubt surrounding the location and method of discovering and retrieving those assets.

Overview of Pump.fun’s Operations

As a crypto investor using Pump.Fun, I can create and introduce new tokens onto the dynamic Solana blockchain without worrying about the risk of rug pulls. This innovative platform ensures the security of every token generated, eliminating any presale or team allocations that might potentially threaten the integrity of my investment.

Users have the ability to create new tokens by paying a modest fee, and these tokens can then be traded on the bonding curve, which sets the token’s price according to its current supply level.

The platform has gained significant popularity, recording its all-time highest daily earnings of $1,230,000 on May 14. Two days prior to this event, Pump.Fun users were required to pay nearly 0.02 SOL, equivalent to roughly $3.16 at current rates, for minting a new token.

As a crypto investor, I would describe this process as follows: When tokens reach a market capitalization of $69,000, I deposit $12,000 worth of these tokens onto Raydium, which is a popular decentralized exchange built on the Solana blockchain. Afterward, these tokens are permanently removed from circulation by being burned.


2024-05-17 00:50