- Pump.fun claims a former employee used the site to steal $1.9 million using a bonding curve attack.
- The platform temporarily halted trading but has since resumed it, promising users complete liquidity recovery.
- According to pump.fun, affected customers will receive “100% of the liquidity” they previously possessed within the following 24 hours.
Pump.fun, a Solana memecoin startup tool, revealed that a former employee exploited the protocol for roughly $2 million in a “bonding curve” attack. The platform added that he committed a security breach by gaining unauthorized access to the withdrawal authority and carrying out flash loan attacks.
Pump.fun claimed that the smart contracts “are safe,” and that anyone affected by the event would recover “100% of the liquidity” that they previously had within the next 24 hours.
Wintermute’s research chief, Igor Igamberdiev, stated that an internal private key leak might have caused the vulnerability. The SOL loss was around 2,000 tokens valued at more than $300,000. Pump.fun has been working with law enforcement but has not revealed the former employee’s identity.
Pump.fun halted trading around two hours after word of the exploit broke on social media, blocking the buying and selling of any cryptocurrency. The team also stated that it modified contracts to prevent the attacker from siphoning further funds.
A hacker stole about 12,300 Solana tokens (SOL) worth $1.9 million from pump.fun’s meme coins via flash loans using the Solana lending protocol Raydium. The attacker then used bonding curve liquidity to repay the debts. Gotbit Hedge Fund was the first to disclose the attack, which saw a wallet acquire all tokens on pump.fun within minutes.
Pump.fun has not identified the former employee who allegedly exploited the coin factory, but some users argue that the team should have prevented the breach. One user suggested that the former employee’s access should have been removed after they left. Another user asked about developing a “multi-facet” security system and about the team’s security areas.
This isn’t the only recent attack; Sonne Finance’s lending protocol was hacked for $20 million. Since the beginning of the year, the cryptocurrency industry has seen many hacking incidents, including a week in which hackers and fraudsters stole over $71 million. However, internal security incidents, such as the Pump.fun vulnerability, have proven uncommon.