
Flash Loan Drains $2M from Solana Pump Fun


The attacker utilized flash loans to manipulate the bonding curve contracts, causing financial harm.

An exploit on Pump.fun, a Solana-based platform for token launches, resulted in losses of about $2 million. The attacker used flash loans against the platform’s bonding curve contracts to undermine the token launch method.

Exploitation of Pump.fun Bonding Curve

With the assistance of flash loans, the attacker took advantage of the bonding curve contracts that Pump.fun offers. Flash loans are a mechanism that allows borrowers to take out large amounts of money without providing any collateral, on the condition that the money is returned within a single transaction.

By taking advantage of these flash loans, the attacker was able to collect sufficient SOL to buy out the bonding curves for Pump.fun memecoins, which resulted in financial losses for the site.

According to Igor Igamberdiev, head of research at Wintermute, the company lost almost $2 million worth of SOL, which is equivalent to nearly 12,300 SOL.

As a result, Pump.fun admitted the breach in a social media post on X (which was then known as Twitter). The post stated:

“We know that the Pump.fun bonding curve contracts have been compromised, and we are investigating the matter.”

In addition, the team assured users that they had updated their contracts to prevent further exploitation and that TVL and connected wallets remain safe.

Flash Loan Security Measures and Trading Suspension

The team has put all trading activity on the Pump.fun platform on hold as a precautionary measure in response to the flash loan attack. The team emphasized that the issue does not affect the securely encrypted liquidity on Raydium, ensuring complete safety.

“We have stopped trading — you cannot buy and sell any coins. Any coins that are currently in the process of migrating to Raydium will not be able to be traded and they won’t for an indefinite period.”

As part of the investigation into the breach, the Pump.fun team is working with law enforcement and other parties to determine who was responsible.

Although this is merely a speculative theory, the event has sparked a discussion regarding whether or not a private key compromise could have been the cause of the incident.

Flash Loan Attacker Identified as ‘Stacc’

Considering the execution of the exploit, Igamberdiev proposed the possibility of an inside job. “Stacc,” a social media user, has claimed to be the perpetrator of the exploit.

Stacc portrayed the assault as an act of protest rather than a tactic to gain money in a series of posts that he published on his Instagram account.

He made a passing reference to his problems and to having recently lost his mother, which suggests that he acted out of emotional turmoil.

The fact that he wrote, “I’m going to be the one that will change the course of history,” demonstrates his ambition to cause a disruption in the memecoin arena on Solana.

Stacc has a number of different goals in mind. He had no intention of using the stolen funds for any financial gain. Instead, he suggested transferring the remaining balances of the bonding curve to a variety of token users.

Overview of Pump.fun’s Operations

The lack of clarity regarding the location and method for finding and retrieving such assets has exacerbated the situation. Pump.fun was created to enhance transparency in the process of creating and issuing new tokens on the Solana blockchain.

The platform’s unique feature eliminates the possibility of “rug pulls” by ensuring the security of all generated tokens, without requiring a presale or team allocation as a prerequisite.

For a nominal cost, users have the ability to mint new tokens and then trade them on the bonding curve, which is a mechanism that establishes the price of the token based on the supply of the token.

The platform has gained a lot of popularity, and on May 14, just two days before the exploit, it recorded its highest single-day revenue ever, which was $1.23 million.

Users of Pump.fun are required to pay about 0.02 SOL, which is equivalent to approximately $3.16 at the current price, in order to generate a new token.

After reaching a market cap of $69,000, tokens are then put onto Raydium, a decentralized exchange located in Solana with a total liquidity of $12,000. This happens before the tokens undergo destruction.
