Original | Odaily Planet Daily

Author | How to be a husband

In the early morning of May 17, community members posted on social media that pump.fun, the Meme coin launch platform on Solana, was suspected of having had $80 million worth of SOL tokens and a large number of Meme coins stolen. The attacker, "STACCoverflow", then outed himself on X and airdropped dozens to hundreds of SOL tokens to holders of Meme tokens on Solana, even threatening that these airdrops would cause Solana to fork.

According to several tweets from "STACCoverflow", the attacker's mental state appeared to have been affected by a death in his family, and the attack was an act of retaliation. However, some community members responded that the attacker was suspected to be an internal employee of pump.fun who had used a leaked private key to attack the platform.

Was it an internal employee who committed the theft, or was it an "injured" hacker who conducted a universal airdrop? Odaily Planet Daily reviewed the pump.fun theft incident as a whole and analyzed the impact of this incident on pump.fun and even Solana.

pump.fun was attacked, and wallets were the first to react

On the evening of May 17, some Solana users found dozens to hundreds of SOL tokens in their wallets. Community members later discovered that a suspected hacker was attacking pump.fun and was also posting on X. The posts show that the attacker was very emotional, and the tweets were fairly chaotic.

After learning that the attacker intended to airdrop the stolen funds, some community members replied to his tweets with their wallet addresses and a few encouraging words. After learning that the attacker was suspected to have gone crazy because of his mother's death, they collectively mourned the attacker's mother and attached their addresses.

Many users who received SOL tokens airdropped by the attacker posted to express their gratitude and praised the attacker's behavior. In addition, some people launched the meme coin BunkerFuts. According to Birdeye data, the BunkerFuts token rose by nearly 19 times at its peak.

Igor Igamberdiev, head of research at Wintermute, wrote that pump.fun was attacked due to a suspected private key leak. The service account address 5PXxuZ signed transactions that transferred funds to the attacker and to random addresses instead of deploying Raydium pools, which makes it very likely that the attack resulted from leaked private keys.

How did the attacker steal the funds from pump.fun? The attacker used the marginfi lending platform to launch a flash loan attack on pump.fun, filling every pool that had been created on pump.fun but had not yet been filled to the point where it could be listed on Raydium. Once a pool met the criteria for listing on Raydium, the SOL tokens in it were transferred to the address whose private key had leaked, and the attacker promptly withdrew the transferred SOL tokens.
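The on-chain pattern described above, a service account paying out to arbitrary addresses instead of seeding a pool, can be written as a monitoring rule. The following is an added example, not code from pump.fun or from the researchers quoted; the record layout, rule names and every address or program label are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholders, not real Solana addresses or program IDs.
SERVICE_ACCOUNT = "SERVICE_ACCOUNT_PLACEHOLDER"   # key meant only to seed DEX pools
LENDING_PROGRAM = "LENDING_PROGRAM_PLACEHOLDER"   # any flash-loan capable program


@dataclass
class Tx:
    """Simplified transaction record (assumed layout, not an RPC response)."""
    sig: str
    signers: list
    programs: list                                   # programs invoked
    transfers: list                                  # (source, destination, lamports)
    pool_accounts: set = field(default_factory=set)  # accounts of a pool created in this tx


def review(tx):
    """Return the names of the rules a service-account transaction violates."""
    if SERVICE_ACCOUNT not in tx.signers:
        return []
    findings = []
    stray = [dst for src, dst, amount in tx.transfers
             if src == SERVICE_ACCOUNT and amount > 0 and dst not in tx.pool_accounts]
    if stray:
        findings.append("outflow_to_non_pool_account")
    if LENDING_PROGRAM in tx.programs:
        findings.append("flash_loan_in_service_tx")
    return findings


def scan(txs):
    """Map signature -> findings for every transaction that trips a rule."""
    return {tx.sig: f for tx in txs if (f := review(tx))}


# Constructed sample data: a normal migration, a drain, an ordinary user trade.
SAMPLE = [
    Tx("sig-migrate", [SERVICE_ACCOUNT], ["POOL_DEPLOY_PLACEHOLDER"],
       [(SERVICE_ACCOUNT, "POOL_VAULT_1", 79_000_000_000)], {"POOL_VAULT_1"}),
    Tx("sig-drain", [SERVICE_ACCOUNT, "WALLET_X"],
       [LENDING_PROGRAM, "LAUNCH_PROGRAM_PLACEHOLDER"],
       [(SERVICE_ACCOUNT, "WALLET_X", 79_000_000_000)]),
    Tx("sig-user", ["WALLET_Y"], ["LAUNCH_PROGRAM_PLACEHOLDER"],
       [("WALLET_Y", "CURVE_1", 1_000_000_000)]),
]

if __name__ == "__main__":
    for sig, findings in scan(SAMPLE).items():
        print(sig, findings)
```

A rule like this only detects misuse after the fact; the exposure itself comes from a single hot key holding authority over pooled funds.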

Is it true that attackers stole $80 million worth of tokens?

pump.fun, the victim of this attack, finally spoke out and revealed that the attacker was a former employee of the company. He used his privileges in the company to illegally obtain withdrawal permissions and carried out a flash loan attack with the help of the lending protocol, stealing approximately 12,300 SOL (worth approximately 1.9 million US dollars).

Subsequently, pump.fun officially announced that the contract had been upgraded, that the attacker could no longer steal any funds, and that trading had been suspended. Currently, no tokens can be bought or sold. Any tokens currently being migrated to Raydium cannot be traded and will not be migrated for some time. Any tokens that have been successfully transferred out of the pump.fun contract and have locked liquidity on Raydium are safe. If a user has ever connected a wallet to pump.fun, that wallet is safe.

It is worth mentioning that when the attack occurred, the fastest response came not from pump.fun itself but from wallets and other related projects. Phantom Wallet and Bonkbot immediately suspended their association with pump.fun.

Trust in pump.fun has dropped to freezing point, and the platform may gradually disappear

Looking back at the entire pump.fun theft incident, there are several particularly interesting phenomena.

First of all, onlookers praised and admired the hacker's "random money throwing". Many people's first reaction on seeing the news was to check whether any SOL had been transferred into their wallets, which felt like "opening a blind box". Of course, this may also be because these onlookers were not users who had interacted with pump.fun; after all, it was none of their business.

Another question worth pondering is why a former employee of pump.fun still had privileges in the company after leaving, which eventually led to the attack. One possible reason is that pump.fun's own opaque mechanism leaves a "backdoor" that can be exploited. With this attack, users' trust in pump.fun has dropped to freezing point. If no effective remedy is adopted, pump.fun may gradually fade from public view and die out.

Finally, regarding the impact on Solana, the author believes that as long as an incident does not involve defects in the public chain's own mechanism, and the risks are caused only by the project's own problems, it will have almost no impact on the development of Solana.