This week pump.fun, a protocol that has helped fuel the success of the Solana blockchain by making it trivial to create meme coins, was rocked by an insider attack that drained roughly $1.9 million from its bonding curve contracts.
In a stunning admission, pump.fun revealed that the perpetrator was a former employee who exploited his privileged access to the platform’s systems to carry out the sophisticated heist.
According to pump.fun's statements, the attacker, who goes by the pseudonym “STACCoverflow”, used access retained from his time at the company to obtain the “withdraw authority” (the signing key permitted to move SOL out of the bonding curve contracts). That key let him siphon approximately $1.9 million of the roughly $45 million those contracts held.
Insider Takes Advantage of Bonding Curve Mechanism to Siphon the Funds
Details emerging from the incident paint a picture of a planned and well-executed attack that took advantage of the way pump.fun issues tokens and migrates them to a decentralized exchange once their bonding curve completes.
Using flash loans on Solana, STACCoverflow obtained a large amount of Solana's native token, SOL, without committing any funds of his own. (Raydium, the venue named below, is the decentralized exchange that completed tokens migrate to, not the source of the loans.)
The attacker then used the borrowed SOL to rapidly buy up newly launched meme coins on pump.fun, pushing each token's bonding curve to 100%. A bonding curve is a smart contract that prices and sells a token's supply along a fixed curve, so a market exists from the first trade without an exchange listing or seed liquidity.
Once a curve hits 100%, the SOL it holds is due to migrate to a liquidity pool on the Raydium decentralized exchange (DEX). The compromised withdraw authority let STACCoverflow pull that SOL out instead. Because a flash loan has to be repaid within the same transaction, the SOL that left the curves covered the loan, and the remainder, deposited earlier by other buyers, was the attacker's take.
pump.fun's own post-mortem puts the loss at around 12,300 SOL, worth about $1.9 million at the time of the attack, drained from its bonding curve contracts through this scheme.
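To make the sequence above concrete, here is an added simulation written for this article; it is not pump.fun's code, and the curve shape, reserve sizes, the 85 SOL completion threshold, the fee and the wallet and pool names are all placeholders chosen for illustration. It replays the four steps (organic buyers deposit, attacker flash-borrows just enough SOL to complete every curve, the withdraw authority pulls the real SOL to the attacker instead of the DEX pool, the loan is repaid) and shows where the profit comes from. It also runs the same attack against a hardened curve whose withdraw can only ever go to the migration pool, in which case the loan cannot be repaid and the whole transaction reverts.

```python
from dataclasses import dataclass

ATTACKER = "attacker-wallet"   # constructed placeholder, not a real address


@dataclass
class BondingCurve:
    # Toy constant-product curve. Every constant here is an assumption for
    # illustration, not a pump.fun parameter.
    virtual_sol: float = 30.0              # virtual reserve that sets the opening price
    token_reserve: float = 1_000_000_000.0 # tokens still for sale on the curve
    target_sol: float = 85.0               # real SOL at which the curve is "100%"
    real_sol: float = 0.0                  # SOL actually deposited by buyers so far
    dex_pool: str = "raydium-pool"         # fixed migration destination (placeholder)
    constrained: bool = False              # hardened mode: withdraw pinned to dex_pool

    def buy(self, sol_in: float) -> float:
        """Spend sol_in SOL; return tokens out, priced by x*y=k over virtual+real SOL."""
        x = self.virtual_sol + self.real_sol
        k = x * self.token_reserve
        tokens_out = self.token_reserve - k / (x + sol_in)
        self.token_reserve -= tokens_out
        self.real_sol += sol_in
        return tokens_out

    def sol_to_complete(self) -> float:
        return max(0.0, self.target_sol - self.real_sol)

    def is_complete(self) -> bool:
        return self.real_sol >= self.target_sol

    def withdraw(self, destination: str) -> float:
        """Move the curve's real SOL out. Only the withdraw authority can call this;
        in constrained mode the destination is pinned to the DEX pool."""
        if not self.is_complete():
            raise RuntimeError("curve not at 100%, nothing to migrate")
        if self.constrained and destination != self.dex_pool:
            raise PermissionError("withdraw authority may only migrate to the DEX pool")
        amount = self.real_sol
        self.real_sol = 0.0
        return amount


def simulate_drain(num_curves: int, organic_sol: float, flash_fee: float = 0.0,
                   constrained: bool = False) -> dict:
    """Replay the article's sequence on toy curves and return the attacker's accounting.

    1. Organic buyers put organic_sol into each curve.
    2. Attacker flash-borrows exactly enough SOL to push every curve to 100%.
    3. The compromised withdraw authority pulls the real SOL to the attacker.
    4. Attacker repays the loan (plus fee) and keeps the difference.
    A flash loan that cannot be repaid reverts the whole transaction, so a
    failed step 3 leaves the attacker with nothing.
    """
    curves = [BondingCurve(constrained=constrained) for _ in range(num_curves)]
    for c in curves:
        c.buy(organic_sol)                                  # other people's SOL
    borrowed = sum(c.sol_to_complete() for c in curves)     # flash loan size
    for c in curves:
        c.buy(c.sol_to_complete())                          # attacker completes each curve
    assert all(c.is_complete() for c in curves)
    try:
        drained = sum(c.withdraw(ATTACKER) for c in curves)
    except PermissionError:
        return {"borrowed": borrowed, "drained": 0.0, "profit": 0.0, "reverted": True}
    repay = borrowed * (1.0 + flash_fee)
    return {"borrowed": borrowed, "drained": drained,
            "profit": drained - repay, "reverted": False}


if __name__ == "__main__":
    print(simulate_drain(10, 20.0))                     # profit == 10 curves * 20 SOL
    print(simulate_drain(10, 20.0, constrained=True))   # reverted, profit 0
```

The point the numbers make is that the attacker's own (borrowed) SOL goes in and comes straight back out; the profit is exactly the SOL that earlier buyers had deposited, which is why a flash loan large enough to complete many curves at once was needed. The constrained variant is the control that was missing: a withdraw authority that can trigger migration but cannot choose where the SOL goes is of no use to whoever holds the key.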
None of these details is particularly surprising or unusual in the crypto space; unfortunately, hacks like this are common. What set this case apart was that the attacker live-posted about it on an X (formerly Twitter) account whose owner had already been doxxed, revealing his crimes for all to see.
Former Employee Jarrett Named as Suspected Perpetrator
The alleged attacker, STACCoverflow, not only claimed responsibility for the exploit but broadcast it in real time.
Through a series of social media posts, the individual expressed a desire to “change the course of history” and a willingness to face potential legal consequences, including imprisonment, for his actions.
And now; Magick: everybody be cool, this is a r o b b e r y. What it do, staccattack? I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: /x
— jare fomo3ds at gobbler.fun (@STACCoverflow) May 16, 2024
Igor Igamberdiev of the market maker Wintermute revealed that the STACCoverflow account likely belonged to a former pump.fun employee named Jarrett, whose identity had previously been disclosed online. Even though he probably knew the account had been doxxed, he still posted about the hack from it.
Jarrett’s posts shed light on his potential motives as he had previously expressed resentment towards pump.fun’s management, whom he described as “horrible bosses.” He went so far as to state that he wanted to “kill” the platform because it had “inadvertently hurt people for a long time.”
The hacker is likely pointing to the gambling-like nature of the pump.fun platform. Most meme coins created on pump.fun are pump-and-dump schemes that go to $0 within minutes, leaving anyone who bought in and did not sell in time with a loss.
“They were going to kill themselves eventually, the way things were going,” he further stressed.
Robber Claims that He Will Return the Stolen Funds
In a move that has divided the crypto community, Jarrett claimed he would distribute the stolen funds through an airdrop to various Solana communities including holders of Slerf, Stacc, Saga, and Risklol tokens along with non-specified non-fungible tokens (NFTs).
This decision has led some to dub him the “Web3 Robinhood”, comparing him to the legendary outlaw who robbed from the rich to give to the poor.
While the veracity of Jarrett’s claims remains unconfirmed, his actions have ignited a heated debate within the crypto sphere.
Some have praised his supposed intentions to redistribute the ill-gotten gains while others have condemned the illegality of his methods and the bad precedent that they could set for future attacks.
Pump.fun Waives Trading Fees for 7 Days and Assures That They Will Make Users Whole
https://t.co/uE2QNKXkIT coin migration issue post-mortem
TL;DR:
1. the https://t.co/uE2QNKXkIT contracts are safe. they have always been safe
2. a former employee used their privileged position at the company to misappropriate ~12.3K SOL (~$1.9m)
3. https://t.co/uE2QNKXkIT is…— pump.fun (@pumpdotfun) May 16, 2024
Despite the financial hit, pump.fun moved quickly to limit the damage and restore users' trust. The platform paused trading for the pairs affected by Jarrett's actions while it investigates the breach and works to recover user funds.
In a post-mortem statement, pump.fun assured users that its smart contracts remain secure and that those impacted by the incident will receive “100% of the liquidity” that they previously held within the next 24 hours.
The platform has also stated that it is cooperating with law enforcement agencies to minimize the damage caused by the attack and potentially pursue legal action against the perpetrator.
To facilitate the resumption of trading activities, pump.fun has committed to seeding liquidity pools for the affected coins, enabling their listing and trading on the Raydium DEX.
Additionally, the platform has announced a temporary waiver of fees for the next seven days, likely to incentivize users to keep using the platform despite this seemingly temporary setback. These steps are all very positive, and hopefully, all users will soon be made whole. However, pump.fun will no doubt struggle to regain the trust they lost from the attack.
Meme Craze is Plagued with Risks for Unwary Investors
Pump.fun’s rapid rise and this week's setback highlight the potential pitfalls of the Solana meme coin craze that has captivated the crypto world in recent weeks.
The platform’s unique value proposition – enabling developers to launch meme coins and tokens without the need for seed liquidity, often for just a couple of dollars – fueled a frenzy of speculative activity within the Solana ecosystem.
Because a token whose bonding curve completes (at a market cap of roughly $69,000) is automatically migrated to a listing on the Raydium DEX, pump.fun quickly established itself as a central hub for meme coin trading and speculation.
However, the platform’s success also attracted scrutiny from industry observers who have been warning about the potential risks associated with the indiscriminate proliferation of these fundamentally worthless assets.
These experts argue that pump.fun and other similar platforms were fanning the flames of the crypto space’s most gambling-like segment and potentially exposing unwary investors to significant losses.
The attack validates some of these concerns, though not quite in the way the critics expected. pump.fun's contracts were not broken; the loss came from a single privileged key that a former employee could still use. Platforms that custody significant capital need the same internal controls as any other custodian: access revoked the day someone leaves, privileged keys held under multi-party control rather than by one person, and privileged contract actions such as a withdraw authority constrained to their intended destination so that holding the key alone is not enough to move funds.