Meme tokens have become a key segment of blockchain ecosystems. At the beginning of the year, the Solana ecosystem saw a number of meme tokens post staggering gains, with the daily trading volume of these tokens running into tens of billions of dollars. Riding on users' enthusiasm for meme token trading on Solana, Pump.Fun, a meme token launchpad, launched in February. The platform quickly produced a number of meme tokens with large gains, attracting many users to issue and trade meme tokens of all kinds. To date, the platform has generated more than $100 million in revenue.

While the market was still marvelling at Pump.Fun's wealth effect, its competitors joined the meme gold rush. First came SunPump in the TRON ecosystem, which earned a million dollars in two weeks.

In July, BNB Chain provided financial support to Memehub. In August, BNB Chain launched the "Meme Coin Innovation Battle", partnering with meme token launchpads such as Four.Meme and Burve to drive the development of its meme ecosystem.

As a security partner of BNB Chain, Beosin has provided security audit services for PancakeSwap, Good Games Guild, Ankr and multi-chain meme token launchpads such as Tokr.fun and Pump404. Today, we will analyze and discuss the potential security risks of meme token launchpads.

Operation Mechanism of Meme Token Launchpad

Platforms such as Pump.fun and Four.Meme use a single standardized meme token template and economic model, which gives every meme token on the platform the same fixed process for issuance, fundraising and adding liquidity. The characteristics of this process are as follows:

1. Token security is guaranteed by the platform:

Users only need to supply the name, icon, description and other metadata of their meme token; the platform then deploys the token contract from one shared code template. The template includes safeguards so that the supply cannot be maliciously inflated, and it contains no hidden or privileged functions that would allow a rug pull.

2. Bonding Curve:

After a token is created it is not immediately listed in a DEX liquidity pool. Instead, users first buy (mint) tokens from the platform for a fee, and the price during this minting phase is set by a bonding curve.

Using Pump.Fun as an example, each new memecoin created by a user starts with an initial virtual market cap of 30 SOL. The total supply is 1 billion tokens, of which 800 million are sold through the bonding curve, and the relationship between the minting price and the market cap is roughly as follows:

Here x is the current market cap and y is the price of 10 million tokens. The bonding curve balances supply and demand: early participants mint at a lower price, and the per-token price rises steeply as the market cap grows, which is what produces the outsized returns for early investors.

3. The platform is responsible for injecting liquidity pools:

Token creators raise funds from the users who mint. When the token's market cap reaches a set threshold, the platform deposits the raised funds together with the unsold tokens into a DEX, creating a liquidity pool to improve the token's trading activity and price stability. This reduces the risk of rug pulls and lets traders participate with greater confidence.

Pump.Fun and Four.Meme greatly lower the barrier to issuing meme tokens and solve the problem of raising initial liquidity, so that ordinary users can easily create their own meme tokens and obtain some trading liquidity for them.

Security Risks Behind These Launchpads

1. Operational Risks

On May 17, Pump.Fun lost $1.9 million to an operational failure. A former employee still held the permission Pump.Fun uses to create Raydium liquidity pools for its meme tokens. The employee took a flash loan of a large amount of SOL from a Solana lending protocol and bought as many tokens as possible, pushing them up the bonding curve to the threshold at which a liquidity pool is created. He then transferred these tokens and the SOL into a wallet under his control, used part of the SOL to repay the flash loan, and kept the remainder as profit.

https://solscan.io/tx/2yyKbYr6Piw9gPr1pAp1gNxd939n2KvNmGToxHm4pVZMpwxF76r7HKELpnDS4PdbAs4doYHFEg4Cb3qe5UfytVmf

The project team should revoke staff permissions promptly when roles change and keep strict control over the private keys of the relevant addresses. During operation, the team should also monitor the project in real time and prepare incident response plans in advance to limit possible asset losses.

2. Contract Risks

In analyzing how these meme launchpads work, we noted that every launched meme token contract is created by the launchpad's own contracts, so the security of those tokens is determined by the platform. The contract security of the launchpad is therefore of paramount importance. The following are the security issues a launchpad needs to pay attention to:

(1) Replay attack

When a meme launchpad implements createToken() so that third parties can create or mint tokens, it usually authorizes the call with a signature that the contract verifies. The signed message must include a nonce, a timestamp (deadline) and the chain ID, and the contract must record consumed nonces; otherwise a valid signature can be replayed on the same chain, on a second deployment, or on another chain.

(2) Excessive authority

A meme launchpad controls the tokens created by users and the assets raised (such as SOL, BNB or ETH), and the platform's privileged address has permission to withdraw these assets. This means the platform can access and withdraw the raised funds for operational or other purposes. The permissions of these privileged addresses must therefore be strictly managed to keep their operation secure and transparent, prevent abuse or asset theft, and preserve the overall security and stability of the platform.

Beosin suggests that projects should use multi-signature accounts plus time locks to control such contracts for added security.

(3) Secure interaction with third-party DEX

When a meme token launchpad interacts with a decentralized exchange, the interaction usually involves token transfers or data queries, so the platform needs to ensure that its interface to the exchange is secure and reliable. This includes protecting data in transit and verifying the authenticity and legitimacy of transaction requests so that forged or malicious operations are rejected. On chain, that means hard-coding or allowlisting the DEX contract addresses the launchpad calls and checking the results of those calls, rather than trusting caller-supplied router or pool addresses. The platform should also implement fine-grained permission control and monitoring so that potential security threats are detected and handled in time, keeping transactions and data operations secure and accurate.

(4) Contract upgrade problem

Meme token launchpads often use the proxy pattern so that token functionality can be upgraded, so the security of the proxy pattern needs special attention. Key measures include: subjecting the proxy and implementation contracts to strict security audits and permission controls to prevent unauthorized upgrades; keeping the interface stable by separating logic from data storage, and keeping the storage layout compatible between versions so an upgrade cannot corrupt existing state; publishing upgrade records so that users are notified of changes; and carrying out simulated attack tests and designing a rollback mechanism. These measures help keep the proxy pattern secure and the system stable and reliable.

Beosin has previously conducted detailed security audits of several meme token launchpads, including Tokr.fun and Pump404. These audits cover the security of the smart contract code, the correctness of the business logic, gas optimization, and the discovery and repair of potential vulnerabilities, helping project teams resolve risks and ensure that their contract code meets the industry's highest security standards.

Summary

Through these mechanisms, meme token launchpads significantly lower the barrier to participation and provide a relatively safe, fair and efficient trading environment. Users can respond quickly to trends and take part in creating and trading meme tokens with far less concern about initial liquidity. The platforms' fair issuance mechanisms and anti-fraud measures make trading more transparent and fair, and reduce the scope for market manipulation and fraud to some extent.

However, the security of the launchpads themselves is equally critical. Whether the weakness lies in the platform's operational security or in its contract code, it affects every token issued on the platform. Special attention must therefore be paid to the security and stability of platform contracts, so that a system vulnerability or an administrative failure cannot have a widespread negative impact on the tokens. In addition, we advise all users to exercise caution when interacting with meme token launchpads in order to protect their assets.