As reported by Blockworks, Pump.fun was attacked on Thursday, and the attacker appears to have used a flash loan to buy out the bonding curve. Pump.fun said they are "aware" of the contract being compromised and are investigating. "We have upgraded the contract so the attacker can't extract any more funds. The TVL in the protocol is currently safe," the team said. "We have paused trading - you can't buy or sell any coins right now. Any coins that are migrating to Raydium are not tradable and will not be migrated indefinitely."

Igor Igamberdiev, head of research at Wintermute, analyzing the situation in a series of posts, said the key was compromised, "although the possibility of an inside job remains."

Igamberdiev said the amount Pump.fun lost was "at least" 12,000 SOL, or about $2 million.

An account called Stacc appeared to acknowledge the attack in a post, writing "I am about to change the course of history." Stacc seemed to suggest in his post that he did not intend to keep the stolen funds, but instead planned to transfer the "remaining balance of the Bonding Curve" to some token users. It is unclear how Stacc executed the attack or whether he is distributing balances to random people.