
Ex-Employee Manipulates Bonding Curves to Hack Pump.fun for $1.9M

The attacker used service-account credentials to drain the project’s bonding-curve contracts. The platform quickly restored service and promised to reimburse affected users.


Meme-coin launcher Pump.fun has suffered a significant security breach, losing about $1.9 million. According to the project’s post-mortem, the attacker was a former employee who abused the privileged access he had held in that role to bypass the protocol’s rules. In response, Pump.fun temporarily paused trading on the protocol; it has since resumed operations and pledged to compensate all affected users.

Pump.fun is a seed-stage meme-coin launch site. Any user can list a meme-coin on Solana or Blast and pump its price. The price is set by a bonding-curve smart contract: every purchase moves the price up, so each new buyer pays more than the previous one. That design suits a pump project well, since price rises with demand and early investors are rewarded. When a token reaches the 100% milestone on its curve (roughly $69,000 raised on Solana or $420,000 on Blast), Pump.fun automatically migrates the token’s liquidity to a popular DEX, completing the launch.

The attack is believed to have been carried out with a compromised private key. Using flash loans, the former employee bought into several listed tokens and pushed each to 100% of its bonding curve. Once a token hit 100%, he used that key to access the project’s smart contracts and withdraw the accumulated funds that were meant to be migrated to the DEX. The general lesson for any protocol with a privileged withdrawal or migration authority is familiar: a signing key that a departing employee could still use must be rotated on the day they leave, and a single key guarding completed-curve funds is a single point of failure.

💡
Flash loans are uncollateralized loans offered on DeFi platforms. A user can borrow a large sum without posting any collateral, provided the loan is repaid within the same transaction. If the borrower does not repay before the transaction ends, the whole transaction reverts and the loan never takes effect. Flash loans are commonly used for arbitrage, refinancing, and exploiting price discrepancies between platforms.

In the wake of the attack, the former employee took to X (formerly Twitter), posting erratically, saying he was not afraid of imprisonment and that he knew his identity had been revealed. He claimed to have worked at Pump.fun for only a few weeks and to hold strong grievances against the company’s management. Curiously, he said he had no intention of keeping the stolen funds and pledged to burn them, and he began airdropping sums to users who commented on his posts.

The motivation behind his erratic post-attack behaviour remains unclear, as does whether the attack was an act of revenge or a hack that did not go to plan. Given that he has been doxxed and identified as Canadian, he is likely to face legal consequences.

Despite the breach, Pump.fun continues to thrive as one of the most profitable decentralized applications (dApps) in crypto. Fueled by a memecoin frenzy, the platform has grown enormously over the past month and now accounts for over 80% of Solana token launches. It generates hundreds of thousands, sometimes millions, of dollars in daily fees, occasionally surpassing the fee revenue of the Solana network itself.

While the hack temporarily disrupted operations, it is unlikely to have a long-term impact on Pump.fun’s profitability. The memecoin craze shows no signs of slowing down, and the platform is expected to continue its upward trajectory.
