Solana meme coin platform Pump Fun falls victim to private key theft and flash loan attack
Solana meme coin platform Pump Fun has reportedly been hacked and had its private keys stolen. According to the team’s report, the attack resulted in a loss of approximately $1.9 million in assets. However, the attacker claims to be airdropping $80 million worth of assets to meme coin holders such as SAGA.
Background: What is Pump Fun?
Pump Fun is one of the leading products in the industry that assists users in issuing meme coins in a low-threshold manner. It has gained market attention for its emphasis on fair issuance and no reserved quotas, issuing over a thousand types of meme coins daily.
Product process: Pump Fun provides a user-friendly front-end interface for issuing meme coins. After completing the token configuration, users start fundraising, with the fundraising price and the quantity of tokens exchanged calculated from the bonding curve. Once fundraising reaches $69,000, the contract automatically deploys liquidity on Raydium for listing.
Yesterday evening, a developer claimed to have completed the robbery and obtained a balance from the bonding curve, allegedly stealing Pump Fun’s assets. Pump Fun also publicly acknowledged the incident and temporarily suspended trading on the platform. The team has since processed the situation and stated that liquidity on the protocol has been eliminated to address security concerns.
However, the developer seems to be in a very low emotional state, saying that the only thing they desire is for their mother to be reborn and using many negative words in their post.
The developer also stated that they will airdrop approximately $80 million worth of assets to holders of meme coins such as SLERT, STACC, SAGA, and RISKLOL, and they believe this action may lead Solana to roll back transactions and fork.
A few hours later, the Pump Fun team released an investigation report, stating that their contract is secure and the attack was mainly due to a former employee utilizing the private key to withdraw liquidity by exploiting administrator permissions in the protocol. The loss amounted to approximately 12,300 SOL (about $1.9 million).
The former employee used the flash loan feature on the Solana lending protocol to borrow a large amount of SOL tokens and purchase tokens on Pump Fun, causing the bonding curve of many tokens to reach 100%. They then illegally obtained withdrawal permissions using their privileges at the company and withdrew liquidity from the platform, finally repaying the flash loan.
Only about $1.9 million of the $45 million liquidity in the bonding curve contract was affected.
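The sequence in the team's report (flash-loan borrow, purchases that push curves to 100%, a privileged withdrawal, repayment) can be watched for from the defender's side. The following is an added example, not Pump Fun's code or part of the original report: a monitoring rule over a constructed, hypothetical event schema (the field names, the `dex-pool` label and the sample events are all assumptions) that flags liquidity withdrawals made inside an open flash loan, in the same transaction that completed the curve, or to a destination other than the automatic listing path.

```python
from collections import defaultdict

# Assumed label for the automatic listing destination (hypothetical).
EXPECTED_DESTS = {"dex-pool"}

# Constructed sample events, not real chain data.
EVENTS = [
    # Pattern from the report: borrow, buy to 100%, privileged withdraw, repay.
    {"tx": "tx-A", "seq": 0, "kind": "flash_borrow"},
    {"tx": "tx-A", "seq": 1, "kind": "curve_buy", "curve": "c1", "progress": 100},
    {"tx": "tx-A", "seq": 2, "kind": "curve_withdraw", "curve": "c1", "dest": "wallet-x"},
    {"tx": "tx-A", "seq": 3, "kind": "flash_repay"},
    # Normal flow: organic completion, then listing in a later transaction.
    {"tx": "tx-B", "seq": 0, "kind": "curve_buy", "curve": "c2", "progress": 100},
    {"tx": "tx-C", "seq": 0, "kind": "curve_withdraw", "curve": "c2", "dest": "dex-pool"},
    # Flash loan used for trading only, no withdrawal: must not be flagged.
    {"tx": "tx-D", "seq": 0, "kind": "flash_borrow"},
    {"tx": "tx-D", "seq": 1, "kind": "curve_buy", "curve": "c3", "progress": 40},
    {"tx": "tx-D", "seq": 2, "kind": "flash_repay"},
]

def flag_withdrawals(events, expected_dests=EXPECTED_DESTS):
    """Return {(tx, curve): [reasons]} for suspicious curve withdrawals."""
    by_tx = defaultdict(list)
    for ev in events:
        by_tx[ev["tx"]].append(ev)

    findings = {}
    for tx, evs in by_tx.items():
        loan_open = False      # True between flash_borrow and flash_repay
        completed = set()      # curves pushed to 100% earlier in this tx
        for ev in sorted(evs, key=lambda e: e["seq"]):
            kind = ev["kind"]
            if kind == "flash_borrow":
                loan_open = True
            elif kind == "flash_repay":
                loan_open = False
            elif kind == "curve_buy" and ev["progress"] >= 100:
                completed.add(ev["curve"])
            elif kind == "curve_withdraw":
                reasons = []
                if loan_open:
                    reasons.append("inside_flash_loan")
                if ev["curve"] in completed:
                    reasons.append("completed_in_same_tx")
                if ev["dest"] not in expected_dests:
                    reasons.append("unexpected_destination")
                if reasons:
                    findings[(tx, ev["curve"])] = reasons
    return findings
```

Any one of the three reasons is worth an alert on its own; all three together match the sequence the team described.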
Currently, the Pump Fun team has redeployed the contract, and the platform has reopened. The team has stated that they will manually compensate for the affected token liquidity and eliminate platform fees in the next seven days.