Solana meme coin platform Pump Fun hit by private key theft + flash loan attack


The Solana meme coin platform Pump Fun was reportedly hit by an attack involving a stolen private key, resulting in a loss of approximately $1.9 million in assets, according to the team's report. Meanwhile, the attacker claims that they will airdrop $80 million in assets to holders of meme coins such as SAGA.

Background: What is Pump Fun?

With the recent meme coin craze brought about by the Solana ecosystem, many products have appeared that let users issue meme coins with a low barrier to entry. Among them, Pump Fun stands out as the leader in this niche, drawing market attention for its emphasis on fair distribution with no reserved allocation, and issuing over a thousand meme coins a day.


The product flow is as follows: Pump Fun gives users who want to issue a meme coin a simple front-end interface. Once the user completes the token setup, a public sale begins. The sale price and the number of tokens received are determined by a bonding curve. When the amount raised reaches $69,000, the contract automatically deploys liquidity on Raydium, completing the listing.

Pump Fun Hacked

Incident Overview

Last night, a developer claimed to have carried out the theft, having drained the balances held in the bonding curve contracts. Pump Fun publicly acknowledged the incident and immediately suspended trading on the platform. The team then removed the remaining liquidity from the protocol to eliminate the security risk.

However, the developer appeared deeply distressed, writing in a post that the only thing they wanted was for their mother to be reborn, mixed with a great deal of negative language.

A developer claimed on Twitter to have carried out the theft.

They also said they would airdrop about $80 million in assets to holders of meme coins such as SLERT, STACC, SAGA and RISKLOL, acknowledging that their actions might lead Solana to decide to roll back transactions or fork.

Attack Analysis

Several hours later, the Pump Fun team released an investigation report stating that their contract was secure. The root cause of the attack was the misuse of a private key by a former employee, who used it to grant themselves administrator privileges and drain liquidity from the protocol, resulting in a loss of approximately 12,300 SOL, about $1.9 million.

The former employee took a flash loan from a Solana lending protocol to borrow a large amount of SOL, which they used to buy tokens on Pump Fun, pushing many tokens' bonding curves to 100%. They then used withdrawal permissions illicitly obtained through their former position at the company to remove that liquidity from the platform, and repaid the flash loan afterwards.

Approximately $45 million in liquidity in the bonding curve contracts was exposed, but only about $1.9 million was actually lost.
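To make the two mechanisms concrete, the product flow described in the background section (buy on a bonding curve until it graduates) and the drain described in the attack analysis (a single privileged key moving graduated reserves), the following Python model is an added example and is not code from Pump Fun or from this article. The constant-product curve shape, the virtual reserves, the SOL price, the key names, the "raydium-pool" destination label and the detector threshold are all assumptions for illustration; the $69,000 graduation threshold is the figure quoted above. It shows why one admin key is a single point of failure, and two controls that stop the same key from draining reserves (a signature quorum, and an allowlist so reserves can only move to the listing pool), plus a simple detector for the flash-loan signature of one wallet graduating many curves at once.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SOL_USD = 150.0                # constructed SOL price; not a figure from the article
GRADUATION_USD = 69_000.0      # listing threshold quoted in the article
LISTING_POOL = "raydium-pool"  # assumed label for the only legitimate reserve destination


@dataclass
class BondingCurve:
    """Constant-product curve with virtual reserves. The curve shape and the
    starting reserves are assumptions; the article does not give Pump Fun's."""
    name: str
    virtual_sol: float = 30.0
    virtual_tokens: float = 1_000_000_000.0
    real_sol: float = 0.0      # SOL actually deposited by buyers (the drainable balance)
    complete: bool = False

    def buy(self, sol_in: float) -> float:
        """Spend sol_in on the curve and return the tokens received."""
        if self.complete:
            raise ValueError(f"{self.name}: curve already at 100%")
        k = self.virtual_sol * self.virtual_tokens
        self.virtual_sol += sol_in
        new_virtual_tokens = k / self.virtual_sol
        tokens_out = self.virtual_tokens - new_virtual_tokens
        self.virtual_tokens = new_virtual_tokens
        self.real_sol += sol_in
        if self.real_sol * SOL_USD >= GRADUATION_USD:
            self.complete = True   # curve at 100%: reserves may now move to the listing pool
        return tokens_out


@dataclass
class Launchpad:
    authorities: Set[str]                 # keys allowed to move curve reserves
    quorum: int = 1                       # 1 == single admin key, the failure mode above
    restrict_destination: bool = False    # True: reserves may only go to LISTING_POOL
    curves: Dict[str, BondingCurve] = field(default_factory=dict)
    events: List[Tuple] = field(default_factory=list)

    def buy(self, curve_name: str, buyer: str, sol_in: float) -> float:
        curve = self.curves[curve_name]
        tokens = curve.buy(sol_in)
        self.events.append(("buy", curve_name, buyer, sol_in))
        if curve.complete:
            self.events.append(("complete", curve_name, buyer))
        return tokens

    def withdraw_reserves(self, curve_name: str, signers: Set[str], destination: str) -> float:
        """Move a graduated curve's SOL. Every check here is a control the drain must pass."""
        curve = self.curves[curve_name]
        if not curve.complete:
            raise PermissionError("reserves stay locked until the curve graduates")
        if len(signers & self.authorities) < self.quorum:
            raise PermissionError("not enough authority signatures")
        if self.restrict_destination and destination != LISTING_POOL:
            raise PermissionError("reserves may only move to the listing pool")
        amount, curve.real_sol = curve.real_sol, 0.0
        self.events.append(("withdraw", curve_name, amount, destination))
        return amount


def burst_completers(events: List[Tuple], max_completions: int = 3) -> Dict[str, int]:
    """Buyers who graduated more curves than a normal participant would; a
    flash-loan-funded buying spree shows up as one wallet with many completions."""
    counts = Counter(ev[2] for ev in events if ev[0] == "complete")
    return {buyer: n for buyer, n in counts.items() if n > max_completions}


def run_scenario(quorum: int, restrict_destination: bool, signers: Set[str],
                 destination: str = "external-wallet", n_curves: int = 5) -> Tuple[float, Dict[str, int]]:
    """One wallet pushes n_curves curves to 100%, then `signers` try to move the
    reserves to `destination`. Returns (SOL drained, detector output)."""
    pad = Launchpad(authorities={"admin-key", "ops-key", "treasury-key"},
                    quorum=quorum, restrict_destination=restrict_destination)
    for i in range(n_curves):
        name = f"curve-{i}"
        pad.curves[name] = BondingCurve(name)
        pad.buy(name, "flashloan-wallet", 500.0)  # 500 SOL * $150 clears the $69k threshold
    drained = 0.0
    for name in pad.curves:
        try:
            drained += pad.withdraw_reserves(name, signers, destination)
        except PermissionError:
            pass
    return drained, burst_completers(pad.events)
```

With `quorum=1` and no destination restriction, one authority key moves all 2,500 SOL of constructed reserves to an arbitrary wallet, and the detector flags `flashloan-wallet` for graduating five curves in one burst. Either a two-signature quorum or the destination allowlist alone reduces the same key's haul to zero, while two legitimate signers sending reserves to the listing pool still succeed; the detector is the monitoring layer for the case where the on-chain controls are missing.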

Team's Follow-up Actions

The Pump Fun team has since redeployed the contract, and the platform has reopened. The team has stated that it will manually compensate the affected tokens' liquidity and will waive platform fees for the next seven days.