The crypto coin launching platform @pumpdotfun was exploited for ~$1.9M when a former employee misused their security privileges (private key compromise) and stole ~12.3K SOL.
The Hack Flow
To misappropriate funds, the rogue employee used flash loans on a Solana lending protocol to borrow SOL, then bought various coins to inflate their bonding curves to 100%.
After reaching the 100% mark, the exploiter withdrew the bonding curve liquidity and repaid the flash loans taken earlier.
The Attacker
An account on X, with the handle @STACCoverflow, claimed responsibility for the attack immediately after the exploit.
He posted that he had intended to redistribute the "remaining balances of bonding curves" to certain token users rather than keeping the stolen funds.
The account allegedly belongs to a doxxed developer who was previously employed at http://Pump.fun.
The attacker has already conducted random airdrops of $SOL, and multiple addresses have received the windfall of $SOL.
The Hack Aftermath
To contain the hack and prevent further fund loss, trading was halted on http://pump.fun at 17:00 UTC, and @pumpdotfun upgraded the contracts so that the attacker could not continue with the exploit.
Post-hack analysis revealed that a total of $45m of liquidity in the bonding curve contracts was at risk, but the exploiter could get hold of only ~$1.9m.
The http://pump.fun team has now successfully redeployed the contracts, and trading has also been unpaused.
The Mitigation
To tackle the FUD surrounding the platform, http://pump.fun has decided to offer 0% trading fees for the next 7 days.
The coins that were exploited (and reached the 100% mark on bonding curves) between 15:21 and 17:00 UTC (the duration of the exploit) are currently untradable until LPs are deployed for them on Raydium.
The http://pump.fun team stated that the LPs for all such affected coins will be seeded, within the next 24 hours, with an equal or greater amount of SOL liquidity than the coin had at 15:21 UTC.
Team http://pump.fun is committed to avoiding a repeat of such security incidents and is therefore collaborating with blockchain security firms to put a security mechanism in place that would minimize the risk of similar exploits in the future.
Another one with bad security.