Brief Overview:

• Pump.fun, a meme coin platform on Solana, suffered an insider attack that caused losses of $2 million.

• The attacker disrupted the token listing process by manipulating the bonding curve.

• The platform has upgraded its contracts, suspended trading, and confirmed that user funds were not harmed.

On May 16 at 15:21 UTC, pump.fun, a meme coin platform within the Solana ecosystem, was attacked, resulting in a loss of approximately 12,300 SOL, equivalent to nearly $2 million.

The attacker used a flash loan from Margin.fi to obtain SOL without putting up his own funds, and used it to buy pump.fun tokens. The move attracted widespread attention in the crypto community.

Pump.fun security breach incident overview

The attacker exploited the pump.fun platform by buying up all the tokens of newly launched projects within a short period, pushing their bonding curves to the limit.

In DeFi, a bonding curve is a smart contract that creates a market for a token without relying on a crypto exchange. In this incident, the attacker's actions left the affected tokens unable to be listed on Raydium, Solana's decentralized exchange (DEX).
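The launch mechanism described above, as an added example that is not pump.fun's code: a toy bonding curve with a migration threshold, plus a monitoring heuristic that flags a curve filled almost entirely by one wallet in one burst (an organic launch spreads buys over many wallets and hours). The constant-product pricing, the reserve and threshold values, and the 90%/60-second thresholds are assumptions, not the platform's real parameters.

```python
from dataclasses import dataclass, field

@dataclass
class BondingCurve:
    """Toy constant-product launch curve (assumed model, not pump.fun's real parameters).
    Buyers pay SOL in and receive tokens; once migration_sol has been raised the curve
    is complete and the token is supposed to move to a DEX liquidity pool."""
    sol_reserve: float        # virtual SOL reserve
    token_reserve: float      # tokens still held by the curve
    migration_sol: float      # SOL that must be raised before DEX listing
    sol_raised: float = 0.0
    buys: list = field(default_factory=list)   # (wallet, sol_in, unix_ts)

    def completed(self) -> bool:
        return self.sol_raised >= self.migration_sol

    def buy(self, wallet: str, sol_in: float, ts: int) -> float:
        """Spend sol_in SOL on the curve; returns tokens received."""
        if self.completed():
            raise RuntimeError("curve complete: trading must continue on the DEX pool")
        k = self.sol_reserve * self.token_reserve          # x*y = k pricing
        new_sol = self.sol_reserve + sol_in
        tokens_out = self.token_reserve - k / new_sol
        self.sol_reserve, self.token_reserve = new_sol, self.token_reserve - tokens_out
        self.sol_raised += sol_in
        self.buys.append((wallet, sol_in, ts))
        return tokens_out

def flag_single_wallet_completion(curve: BondingCurve, window_s: int = 60, share: float = 0.9):
    """Monitoring heuristic: return the wallet that completed the curve nearly alone
    (>= share of raised SOL) within window_s seconds of the first buy, else None."""
    if not curve.completed() or not curve.buys:
        return None
    if curve.buys[-1][2] - curve.buys[0][2] > window_s:
        return None
    per_wallet: dict = {}
    for wallet, sol, _ in curve.buys:
        per_wallet[wallet] = per_wallet.get(wallet, 0.0) + sol
    top_wallet, top_sol = max(per_wallet.items(), key=lambda kv: kv[1])
    return top_wallet if top_sol / curve.sol_raised >= share else None

def sample_launch(single_wallet: bool) -> BondingCurve:
    """Constructed samples: ten wallets x 5 SOL over an hour, or one wallet paying 85 SOL at once."""
    c = BondingCurve(sol_reserve=30.0, token_reserve=1_000_000_000.0, migration_sol=85.0)
    orders = [("whale", 85.0, 0)] if single_wallet else [(f"w{i}", 5.0, i * 360) for i in range(10)]
    for wallet, sol, ts in orders:
        c.buy(wallet, sol, ts)
    return c
```

Once the curve is complete, further buys on it are refused; whether the token then actually reaches a DEX pool depends on the listing step the incident interfered with.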

The Pump.fun attacker used flash loans in the attack | Source: Solscan

In response, pump.fun quickly upgraded its contracts to prevent further attacks and suspended trading, while confirming to users that the platform's total value locked (TVL) was safe.

“We are committed to ensuring the safety of our users’ assets and are working with relevant authorities, including law enforcement agencies, to minimize losses,” the team stated.

Notably, the attacker was Jarrett, a former Pump.fun employee known by the pseudonym STACCOverflow. Jarrett had voiced his dissatisfaction with the company on social media and stated his intention to destroy the platform.

“A horrible boss who sees your hand get injured but is more concerned about whether the glass table is intact is not the kind of person you want to be around to represent and lead the blockchain,” Jarrett said after the attack.

The attacker, Jarrett, aka STACCOverflow, openly stated his motives and plans, claiming that his actions were meant to "change the course of history." He not only revealed his dissatisfaction with the Pump.fun platform but also made clear that his actions were deliberate and that he was unafraid of the legal consequences he might face for the attack, including imprisonment.

His attitude may stem from dissatisfaction with certain practices in the blockchain industry today, and from a hope that this action would draw attention to and prompt reflection on these issues both inside and outside the industry.

In another post, Jarrett announced his plans to distribute the assets he gained from the attack to different communities, including Slerf, Stacc, Saga, and Risklol, through airdrops. Jarrett's decision has earned him the title of "Web3 Robin Hood" in the crypto community, a title that implies that he is seen as engaging in an act of fighting against vested interests and redistributing wealth to the wider community.

Although some may see Jarrett's conduct as somewhat "gangster-like", it remains a serious challenge to the security of, and trust in, decentralized platforms, and it has triggered a discussion about the ethical and legal boundaries of the crypto community.

The platform’s response strategy after being attacked

About five hours after the attack and the initial announcement, the Pump.fun team published a detailed post-mortem report. As remedial measures, they redeployed the contract and announced that trading fees would be waived for the next seven days to encourage users to return to the platform. The team also promised to set up liquidity pools (LPs) for the affected tokens, to provide the necessary liquidity and restore trading in them.

These moves are intended to mitigate the impact of the attack on users and rebuild the community's trust in the platform. Through them, Pump.fun demonstrates its commitment to user asset security and platform stability, as well as its investment in the platform's long-term sustainability.

The Pump.fun team noted in the announcement that tokens with 100% of their trading volume between 15:21 and 17:00 UTC are currently in an uncertain state: they cannot be traded until liquidity pools (LPs) are deployed for them on Raydium. To compensate users and preserve the integrity of their assets, the team plans, within the next 24 hours, to inject into each affected token an amount of SOL equal to or exceeding that token's liquidity at 15:21 UTC.

In this way, Pump.fun aims to restore trading in the affected tokens and strengthen users' confidence in the platform. The team stressed in the announcement that, after this incident, the sh*tcoins on Solana will come back stronger than ever, which shows that the Pump.fun team is optimistic about the platform's recovery and future development and is committed to serving users better.

Although Pump.fun says normal operations have resumed, users in the cryptocurrency community should remain vigilant. In the wake of the incident, scammers tried to exploit the situation: posing as members of the Pump.fun team, they spread malicious links that purported to compensate users. Such links are likely intended to trick users into revealing their private keys, wallet addresses or other sensitive information, which can lead to the theft of funds.

Therefore, users should carefully verify the authenticity of any link claiming to offer compensation or requesting personal information before interacting with it, and only communicate with the Pump.fun team through official channels. Community members should warn each other to avoid potential scams and ensure the safety of personal assets.

Conclusion:

The internal attack on the Pump.fun platform highlights the security risks and ethical challenges in the decentralized finance (DeFi) field. Although the platform took quick action to mitigate losses and restore user confidence, the incident also reminded members of the crypto community that they must remain vigilant and alert to potential fraud while pursuing innovation and returns.

At the same time, this also highlights the need for stronger regulation and improved transparency and security to protect the interests of investors and maintain the healthy development of the entire ecosystem. For Pump.fun, this is an opportunity to rebuild trust and strengthen the platform's security mechanisms; for the wider DeFi industry, it is a time to reflect and to enhance its ability to withstand risks. #FlashLoanAttack #AssetSecurity