Pump.fun’s record week marred by $2m exploit

Pump.fun, a Solana-based platform for memecoin launches, suffered an attack on Thursday, with an estimated $2 million in losses.

The attack comes just two days after the platform hit an all-time high in daily revenue generated of over $1.2 million on Tuesday.

The platform, which lets developers easily launch tokens in just a few steps, saw its contracts compromised and paused trading to prevent further damage.

“We are aware that the bonding curve contracts have been compromised and are investigating the matter,” Pump.fun said on X.

“We’ve paused trading — you cannot buy and sell any coins at the moment. Any coins currently migrating to Raydium cannot be traded and will not migrate for an indefinite period of time.”

Once tokens hit a market cap of $69,000, they can be listed on Raydium, a decentralised exchange on Solana.

A bonding curve refers to how a token’s price increase when its supply decreases and vice versa.

Igor Igamberdiev, head of research at Wintermute who analysed the attack, suggested that the private key was compromised.

The attacker used flash loans to trick the platform’s bonding curve into accepting phantom SOL tokens, making the tokens appear valuable despite no traders buying organically.

An account on X, known as Stacc, appeared to take credit for the attack, posting, “I’m about to change the course of history” and went on to post “Do not care, I am already fully doxxed.”

Stacc hinted that the stolen funds would’nt be kept but rather transferred to some token users, although his initial estimates of $80 million seem to now be closer to $2 million as mentioned by Igamberdiev.

DL News couldn’t independently confirm Stacc’s claims, and the Pump.fun team hasn’t made a public statement on the attacker’s identity.

The motive behind the attack remains unclear, and it’s not evident how Stacc executed the exploit or if they distributed the balances to random people, although some have claimed to receive SOL from the exploiter.

Pump.fun advertises itself as a “fair launch” platform.

It allows users to mint new tokens for a few dollars, with its revenue coming from fees it charges when users buy and sell these tokens.

The attack caused significant losses, but didn’t result in a substantial profit for the attacker. Despite the chaos, assets still in the protocol are currently safe, according to Pump.fun’s team.

Ryan Celaj is a data correspondent at DL News. Got a tip? Email him at ryan@dlnews.com.