Pump.fun, a Memecoin launcher attributes $1.9M theft to an ex-worker, said its smart contracts are safe and users impacted will receive 100% of the liquidity.
The pump.fun memecoin creation tool for Solana asserts that a former employee utilized a “bonding curve” attack to steal nearly $2 million from the company.
As alleged by pump.fun in a May 16 X post, the former employee exploited their “privileged position” to gain access to a “withdraw authority” and compromise the internal systems of the protocol.
Approximately $1.9 million of the $45 million is held in the pump.fun’s bonding curve contracts were taken.
Although trading was momentarily halted, the platform is now operational again.
pump.fun stated that the smart contracts “are secure” and that users affected by the incident will receive “100% of the liquidity” they had before the incident within the next twenty-four hours.
Before pump.fun published its article, Igor Igamberdiev, the director of research at Wintermute, a cryptocurrency market maker, asserted that the breach originated from an internal leak of private keys, which he suspected was exploited by X user “STACCoverflow.”
STACCoverflow asserted in a series of enigmatic X posts that they were “on the verge of altering the course of history, after which they would rot in prison.” They further stated in an individual post, “I am already completely doxxed; I do not care.”
pump.fun stated in a previous X post that it has been in cooperation with law enforcement. It did not respond promptly to a request for comment and refrained from naming the former employee.
The sequence in which the attack transpired
The putative exploiter borrowed Solana using flash loans on the Solana lending protocol Raydium.
Pump.fun stated that the $163 that SOL tickers lost was used to “buy as many coins” as feasible.
Once the currencies reach 100% on their respective bonding curves, the exploiter can repay the flash loans using the bonding curve liquidity.
The theft of around 12,300 SOL, equivalent to $1.9 million, occurred during the assault on the pump. On May 16, a joyful statement was made between 3:21 pm and 5:00 pm UTC.
According to the Solana memecoin launchpad, users affected during this period would regain at least 100 percent of the liquidity they had before the attack.