Solana meme coin platform Pump Fun has reportedly been hacked and had its private keys stolen. According to the team’s report, the attack resulted in a loss of approximately $1.9 million in assets. However, the attacker has claimed that they will airdrop $80 million worth of assets to holders of meme coins such as SAGA.
Background: What is Pump Fun?
Pump Fun is a prominent player in the industry that has emerged with the recent craze for meme coins in the Solana ecosystem. It offers a low-threshold way for users to issue meme coins, gaining market attention due to its focus on fair issuance and absence of reserved quotas. It currently issues over a thousand types of meme coins daily.
Product Process: Pump Fun provides a user-friendly frontend interface for issuing meme coins. After users complete the token configuration, they can start raising funds externally. The fundraising price and the quantity of tokens exchanged are calculated from a bonding curve. Once fundraising reaches $69,000, the contract automatically deploys liquidity on Raydium for listing.
Pump Fun Hacked
Yesterday evening, a developer claimed to have completed the heist and obtained a balance from the bonding curve, allegedly stealing Pump Fun’s assets. Pump Fun has publicly acknowledged the incident and suspended trading on the platform. The team has since taken measures to eliminate security concerns regarding the protocol’s liquidity.
The developer appears to be in a very low emotional state, writing in a post, mixed with many negative words, that the only thing they want is for their mother to be reborn.
The developer also stated that they will airdrop approximately $80 million worth of assets to holders of meme coins such as SLERT, STACC, SAGA, and RISKLOL. They believe that this action may lead to Solana deciding to roll back transactions and fork.
Attack Analysis
A few hours later, the Pump Fun team released an investigation report stating that their contract is secure. According to the report, the main cause of the attack was a former employee who took advantage of the private key and used administrator privileges to remove liquidity from the protocol, resulting in a loss of approximately 12,300 SOL ($1.9 million).
The former employee used the flash loan feature on Solana’s lending protocol to borrow a large amount of SOL tokens and purchase tokens on Pump Fun, causing the bonding curve of many tokens to reach 100%. They then illegally obtained withdrawal permissions using their privileges at the company to withdraw liquidity from the platform. Only approximately $1.9 million out of the $45 million liquidity in the bonding curve contract was affected.
Team’s Follow-up Actions
The Pump Fun team has redeployed the contract, and the platform has reopened. They have stated that they will manually compensate for the affected token liquidity and eliminate platform fees for the next seven days.