Ex-Employee Drains $2 Million from Pump.fun Using Flash Loans; Platform Recovers

Pump.fun, a Solana-based platform for launching tokens, has suffered a major security breach, losing approximately $2 million. The attacker exploited the platform’s bonding curve contracts using flash loans, disrupting Pump.fun’s token launch mechanism.

Flash loans let users borrow large amounts without collateral, as long as the funds are returned within the same transaction. The attacker used this method to acquire enough SOL to buy out the bonding curves for the meme coins on Pump.fun, causing substantial financial losses.

Here’s more about it.

Jumping Into Action

Following the attack, Pump.fun halted all trading activities on the platform. The team announced:

“We have stopped trading — you cannot buy and sell any coins. Any coins currently migrating to Raydium will not be able to be traded for an indefinite period.”

Despite the setback, they assured users that encrypted liquidity on Raydium was safe and unaffected. They also updated Pump.fun’s contracts to prevent further exploitation.

Insider Betrayal?

The wallet address of the exploiter was identified as 7ihN8QaTfNoDTRTQGULCzbUT3PHwPDTu5Brcu4iT2paP. Initially, an unidentified user named ‘Stacc’ claimed responsibility for the attack, describing it as a protest rather than a financial gain.

Later, the attacker was revealed to be a former employee named Jarrett, known as STACCOverflow. Dissatisfied with the company, Jarrett aimed to disrupt the platform. He criticized Pump.fun on social media, declared his intent to change the course of history, and expressed no fear of imprisonment. Jarrett planned to distribute the stolen funds via an airdrop, earning him the nickname “Web3 Robinhood.”

On the Path to Recovery

Pump.fun assured users that their contracts had always been safe, attributing the attack to a former employee misusing their position. The platform is now back online, allowing users to launch new coins and trade any coins that didn’t reach 100% between 15:21 and 17:00 UTC.

Coins that reached 100% during this period will be relaunched on Raydium with at least 100% of their liquidity within the next 24 hours. Additionally, trading fees have been reduced to 0% for the next seven days.

The Focus – Stronger Defences!

The Pump.fun team is working with top security experts to minimize the impact of this incident and prevent future occurrences. They expressed gratitude to their community for their trust and support during this challenging time, stating, “Solana shitcoins are back and greater than ever.”

Pump.fun is committed to learning from this incident and emerging stronger, ensuring a safer and more secure platform for its users.

Meanwhile, here’s your guide to staying safe with DeFi: Learn DeFi and Take Control of Your Finances