Memecoin dApp Pumpfun Compromised Which Distributed $80 Million To Pumpfun Memes

By Clyde Marcel Melgar, May 17, 2024


On May 16, X user STACCoverflow reported a hack of the memecoin dApp Pump.fun (Pumpfun) that compromised up to 12,300 SOL, worth up to $2 million. The attacker is reported to be a former Pump.fun employee.

According to Igor Igamberdiev, Head of Research at Wintermute, this was a significant security breach: roughly $300,000 was lost outright, and the attacker spread up to $80 million worth of SOL across various Pump.fun coins.

5PXxuZ is Pump.fun's service account: the key that moves a coin's liquidity from its bonding curve to Raydium once the final trade fills the curve and enough SOL has been collected to seed a Raydium pool. That migration is the account's normal role.

After withdrawing all liquidity from the curve, 5PXxuZ added liquidity to Raydium a few minutes later.

In the exploit transactions, a flash loan of 129 SOL was used to buy tokens, which pushed the curve to completion and let 5PXxuZ withdraw its liquidity.

With the increasing popularity of memecoins, many individuals are eager to create their own tokens but often lack the technical expertise required for successful token creation. Pump.Fun offers a solution by allowing non-technical users to easily launch memecoins without significant time or financial investment.

This simplicity makes it attractive to casual participants who want a token for amusement, and to influencers who would rather not engage a development team. The platform's selling point is that a launched coin is instantly tradable without the creator providing any initial liquidity.

5PXxuZ then made a second liquidity withdrawal and returned enough SOL to the exploiter to repay the flash loan. Instead of creating a pool on Raydium, it sent SOL to an unrelated account.

5PXxuZ cosigned every exploit transaction, which is not its normal behaviour. That points to a compromised key, though an inside job cannot be ruled out.


— UPDATE AS OF 22:30 UTC —

According to Pump.fun, at 15:21 UTC a former employee used their privileged access to the company's withdrawal authority to take out flash loans on a Solana lending protocol.

They used the borrowed SOL to buy as many coins as possible until each reached 100% of its bonding curve. At 100% the bonding-curve liquidity becomes withdrawable, and the attacker used that liquidity to repay the flash loans.
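The sequence described in the analysis above and in Pump.fun's own account (flash-loan purchases that complete a curve, followed by the service key sweeping the curve's liquidity) can be replayed in a small model. The following is an added example written for this page, not pump.fun's program code: the curve parameters, the account names, `SERVICE_KEY`, `migrate_unrestricted`, `migrate_to_pool_only` and `pool_vault_for` are all assumptions chosen for illustration. It contrasts a migration authority that may send a completed curve's SOL anywhere with one whose destination is fixed to the pool vault derived from the coin's mint, so that a stolen or misused key cannot redirect the funds.

```python
"""Constructed model of a bonding-curve launch and of the privileged
migration step that moves a completed curve's SOL to a DEX pool.  Every
parameter, account name and function here is an assumption made for this
example; none of it is pump.fun's program code or configuration."""

# Assumed virtual-reserve constant-product parameters (illustrative only).
VIRTUAL_SOL = 30.0
VIRTUAL_TOKENS = 1_073_000_000
SELLABLE_TOKENS = 793_100_000
K = VIRTUAL_SOL * VIRTUAL_TOKENS
SERVICE_KEY = "service_key"   # assumed label for the migration authority


class Curve:
    """Sells a fixed token supply against SOL; 'completes' once sold out,
    after which its SOL is supposed to seed a DEX pool."""

    def __init__(self, mint):
        self.mint = mint
        self.tokens_left = float(SELLABLE_TOKENS)
        self.real_sol = 0.0        # SOL paid in by buyers and held by the curve
        self.complete = False

    def _virtual_reserves(self):
        sol = VIRTUAL_SOL + self.real_sol
        tokens = VIRTUAL_TOKENS - (SELLABLE_TOKENS - self.tokens_left)
        return sol, tokens

    def cost_to_complete(self):
        """SOL needed to buy every remaining token under x*y=k."""
        sol, tokens = self._virtual_reserves()
        return K / (tokens - self.tokens_left) - sol

    def buy(self, sol_in):
        """Spend up to sol_in; returns (tokens_out, sol_actually_spent)."""
        if self.complete:
            raise RuntimeError("curve already complete")
        sol, tokens = self._virtual_reserves()
        spent = min(sol_in, self.cost_to_complete())
        tokens_out = min(tokens - K / (sol + spent), self.tokens_left)
        self.real_sol += spent
        self.tokens_left -= tokens_out
        if self.tokens_left <= 1e-6:       # float guard at the sold-out point
            self.tokens_left = 0.0
            self.complete = True
        return tokens_out, spent


def pool_vault_for(mint):
    """Stands in for a program-derived address tied to the coin's mint."""
    return f"pool_vault:{mint}"


def migrate_unrestricted(curve, signer, destination, ledger):
    """Weak design modelled on the incident: the service key may sweep a
    completed curve's SOL to whatever destination the transaction names."""
    if signer != SERVICE_KEY or not curve.complete:
        raise PermissionError("needs the service key and a completed curve")
    ledger[destination] = ledger.get(destination, 0.0) + curve.real_sol
    curve.real_sol = 0.0


def migrate_to_pool_only(curve, signer, destination, ledger):
    """Hardened variant: the only permitted destination is the pool vault
    derived from the mint, so a misused key cannot redirect the SOL."""
    if signer != SERVICE_KEY or not curve.complete:
        raise PermissionError("needs the service key and a completed curve")
    expected = pool_vault_for(curve.mint)
    if destination != expected:
        raise ValueError(f"migration may only fund {expected}, got {destination}")
    ledger[expected] = ledger.get(expected, 0.0) + curve.real_sol
    curve.real_sol = 0.0


def run_flash_loan_exploit(migrate, loan=129.0):
    """Replays the write-up's sequence as one atomic transaction: borrow,
    buy the curve to 100%, have the service key sweep the curve's SOL to the
    attacker, repay.  Returns (curve, ledger, tokens_acquired).  Any exception
    corresponds to the on-chain transaction reverting as a whole."""
    curve = Curve(mint="MEME")
    ledger = {"lender": 1_000.0, "attacker": 0.0}
    ledger["lender"] -= loan
    ledger["attacker"] += loan                       # flash loan received
    tokens, spent = curve.buy(loan)                  # push curve to 100%
    ledger["attacker"] -= spent
    migrate(curve, SERVICE_KEY, "attacker", ledger)  # the abused privilege
    ledger["attacker"] -= loan
    ledger["lender"] += loan                         # repay within the tx
    return curve, ledger, tokens


if __name__ == "__main__":
    curve, ledger, tokens = run_flash_loan_exploit(migrate_unrestricted)
    print(f"unrestricted: attacker net SOL {ledger['attacker']:.6f}, "
          f"tokens {tokens:,.0f}, curve SOL left {curve.real_sol}")
    try:
        run_flash_loan_exploit(migrate_to_pool_only)
    except ValueError as err:
        print(f"pool-only: transaction reverts: {err}")
```

With the unrestricted authority the attacker ends the transaction holding the entire token supply at zero net SOL cost while the curve is empty, which is the state the update calls limbo. With the destination-constrained authority the sweep fails, and because a flash loan must be repaid inside the same transaction, that failure reverts the borrow and the purchases as well. Constraining the destination does not make a privileged operator key safe to lose; it limits what a lost or misused key can do, which is the least-privilege point this incident illustrates.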

All trading of coins that completed their bonding curve between 15:21 UTC and 17:00 UTC on 16 May is in limbo; those coins will be migrated to Raydium within 24 hours. Of roughly $45m of liquidity held in the bonding-curve contracts, only about $1.9m was affected.

The team has redeployed the contracts and trading is live again, with 0% trading fees for the next 7 days; users can create, buy and sell coins. Coins that reached 100% between 15:21 and 17:00 UTC cannot be traded until liquidity pools are deployed for them on Raydium.

The pump.fun team is committed to restoring the liquidity pools for each affected coin by providing an equal or greater amount of SOL liquidity than the coin had at 15:21 UTC within the next 24 hours. The team has collaborated with highly respected security experts to not only mitigate the current situation but also to prevent such incidents from occurring in the future.

Clyde Marcel Melgar
Web3 Content Writer

Clyde is a Web3 writer obsessed with analyzing the cryptocurrency market, and a growth and strategy builder for all things Web3 content creation.
