On May 16 at 15:21, Solana’s memecoin creation platform Pump.fun Ecosystem was exploited. The incident resulted in the loss of approximately 12,300 SOL, worth nearly $2 million at current market prices.

The latest exploit sent shockwaves through the cryptocurrency community, with the attacker using Margin.fi’s flash loan to manipulate the platform, obtaining SOL and purchasing Pump.fun tokens without using their own funds.

Finding the attacker from the inside: Pump.fun security breach

The attacker, initially identified by the wallet address 7ihN8QaTfNoDTRTQGULCzbUT3PHwPDTu5Brcu4iT2paP, exploited Pump.fun by purchasing all the tokens of new projects launched on the platform within a few minutes. This action pushed the bonding curve to its limit.

In decentralized finance (DeFi), a bonding curve is a smart contract that prices and sells a token directly, creating a market for it without relying on a cryptocurrency exchange. Pushing the curves to their limit in this way prevented the affected tokens from being listed on Solana’s decentralized exchange, Raydium DEX.
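To make the mechanics concrete, here is an added illustrative model (not Pump.fun’s contract or parameters; the linear curve shape, prices and Solana slot numbers are assumed) of a bonding-curve launch, together with a monitoring heuristic that flags a curve completed within a short window by a single wallet, the pattern described above.

```python
# Illustrative bonding-curve model and detection heuristic.
# Assumed: linear price curve, constructed prices; not Pump.fun's real code.
from dataclasses import dataclass, field


@dataclass
class BondingCurve:
    supply_cap: float           # tokens sold on the curve before it "completes"
    base_price: float           # SOL per token when nothing has been sold
    slope: float                # price increase per token sold (assumed linear)
    sold: float = 0.0
    sol_reserve: float = 0.0
    buys: list = field(default_factory=list)   # (slot, wallet, tokens)

    def cost(self, amount):
        # SOL needed to buy `amount` tokens: integral of the linear price
        # over [sold, sold + amount].
        a, b = self.sold, self.sold + amount
        return self.base_price * (b - a) + self.slope * (b * b - a * a) / 2

    def buy(self, slot, wallet, amount):
        if self.sold + amount > self.supply_cap:
            raise ValueError("exceeds remaining curve supply")
        paid = self.cost(amount)
        self.sold += amount
        self.sol_reserve += paid
        self.buys.append((slot, wallet, amount))
        return paid

    def complete(self):
        return self.sold >= self.supply_cap


def completed_by_single_wallet(curve, window_slots, share=0.9):
    """Return the dominant wallet if the curve was completed within
    `window_slots` and that wallet bought at least `share` of the supply;
    otherwise None. A curve-to-limit fill by one wallet in minutes is the
    signal a monitor would want on a launch platform."""
    if not curve.complete() or not curve.buys:
        return None
    if curve.buys[-1][0] - curve.buys[0][0] > window_slots:
        return None
    totals = {}
    for _, wallet, amount in curve.buys:
        totals[wallet] = totals.get(wallet, 0.0) + amount
    top_wallet, top_amount = max(totals.items(), key=lambda kv: kv[1])
    return top_wallet if top_amount / curve.supply_cap >= share else None
```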


In response to the attack, pump.fun upgraded its contracts to stop further losses. In addition, the team paused trading and assured users that the protocol’s total value locked (TVL) was safe.

“We are committed to ensuring the safety of our users and are working with relevant parties, including law enforcement, to minimize damage,” the team said.

Interestingly, the attacker was a former Pump.fun employee named Jarrett, who goes by the pseudonym STACCOverflow. Jarrett expressed his displeasure with the company on social media and said he intended to sabotage the platform.

“The kind of horrible boss who witnesses you break your hand and asks you what happened, and you say you tripped over a glass table, and they say ‘is that table okay?’ is not someone who is helpful to blockchain,” Jarrett wrote after the attack.

He clarified that he had a plan to “change the course of history,” and said he was not worried about going to jail.

In another post, Jarrett also said that he would distribute his loot among various communities, including Slerf, Stacc, Saga, and Risklol, through airdrops. Due to his decision to conduct airdrops, some in the crypto community have called him the “Web3 Robinhood.”

About five hours after the initial announcement, pump.fun published a post-mortem. They redeployed the contract and resumed trading with 0% fees for the next seven days. They are also working on establishing liquidity pools (LPs) for the affected tokens to restore trading functionality.

“100% of the tokens that reached 15:21 and 17:00 are in limbo, meaning no one can trade them until LPs are deployed for them on Raydium. To make users whole, the pump.fun team will add LPs for each affected token over the next 24 hours with an amount of SOL liquidity equal to or greater than that token’s liquidity at 15:21 UTC.”