According to CryptoPotato, Pump.fun, a Solana-based meme coin launchpad, has reported a misappropriation of approximately 12,300 SOL, equivalent to around $1.9 million. The company stated that a former employee exploited their privileged position to gain withdrawal authority and commit the act. To mitigate further losses, Pump.fun suspended trading and updated its contracts.
The former employee reportedly used flash loans on a Solana lending protocol to borrow SOL and purchase coins, pushing them to 100% on their bonding curves. This action enabled them to access the bonding curve liquidity and repay the flash loans. Trading on the platform was halted a few hours later. Out of the total liquidity of $45 million, about $1.9 million was affected.
In response to the incident, the Pump.fun team redeployed the contracts and resumed trading with a 0% fee for the next seven days. The platform also noted that the tokens that reached 100% during the exploit are currently untradeable until liquidity pools are deployed for them on the Solana lending protocol, Raydium. To compensate users, the team plans to replenish the liquidity pools for the affected coins with an equal or greater amount of SOL within the next 24 hours.
Prior to Pump.fun’s announcement, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, attributed the hack to an internal private key leak and suspected a user named 'STACCoverflow'. Shortly after, a user named 'Stacc' admitted to executing the exploit, criticizing their former employers at Pump.fun.