A former employee of pump.fun, a tool for creating Solana memecoins, has been accused of exploiting the company and stealing nearly $2 million through a “bonding curve” attack. According to pump.fun, the ex-employee used their privileged access to compromise the protocol’s internal systems and gain control of a withdraw authority. The stolen funds amount to about $1.9 million out of the $45 million held in pump.fun’s bonding curve contracts. Trading on the platform was temporarily halted but has since resumed. Pump.fun has assured its users that its smart contracts are safe and that those affected by the incident will receive 100% of the liquidity they held within the next 24 hours.
Prior to pump.fun’s announcement, Igor Igamberdiev, head of research at the cryptocurrency market maker Wintermute, suggested that the hack was the result of an internal private key leak involving a user named “STACCoverflow.” In a series of cryptic posts, STACCoverflow claimed to be about to change the course of history and seemed unconcerned about the consequences. Pump.fun did not disclose the name of the former employee involved in the attack and has been cooperating with law enforcement.
The alleged exploit involved using flash loans on the Solana lending protocol Raydium to borrow SOL tokens, which were then used to buy as many coins as possible. Once the coins reached 100% on their respective bonding curves, the exploiter could access the bonding curve liquidity and repay the flash loans. The attack took place between 3:21 pm and 5:00 pm UTC on May 16, resulting in the theft of approximately 12,300 SOL, equivalent to $1.9 million. Pump.fun has assured users impacted during this timeframe that they will recover 100% or more of the liquidity they held prior to the attack.