Former Employee Hacks Pump.fun, Steals $1.9 Million

Pump.fun, a token issuance platform on Solana, has identified a former employee as the perpetrator behind a recent cyber attack, resulting in a loss of $1.9 million. The project has announced a compensation plan for affected users.

Pump.fun announced that a former employee was responsible for the attack on May 16, leading to the theft of approximately 12,300 SOL, equivalent to $1.9 million.

Pump.fun's announcement about the hack. Source: Pump.fun Twitter (16/05/2024)

At 10:21 PM on May 16 (Vietnam time), the former employee gained unauthorized access to pump.fun's withdrawal permissions. They used flash loans through marginfi to purchase memecoins on pump.fun until their prices reached 100% on the bonding curve, allowing them to withdraw funds from liquidity pools to repay the flash loans along with their profits.

By 2:00 AM on May 17 (Vietnam time), all transactions on pump.fun were halted. Only around $1.9 million out of the $45 million in liquidity within the contracts was affected.

Pump.fun quickly paused trading and upgraded its smart contract to prevent further damage. According to the latest announcement, the platform has resumed operations and is now secure.

To compensate affected users, pump.fun will replenish the liquidity pools (LP) for affected tokens with an amount equal to or greater than the lost liquidity within 24 hours. Additionally, the transaction fee will be 0% for the next seven days.

Hacker's Taunt and Further Claims

Under pump.fun's announcement about the hack, the former employee, known on X as “STACCoverflow,” taunted the platform with a tweet saying “Welcome back.”

STACCoverflow's tweet taunting pump.fun. Source: Twitter (16/05/2024)

Prior to this, STACCoverflow posted a series of cryptic tweets targeting pump.fun's leadership.

STACCoverflow's cryptic tweets. Source: Twitter (16/05/2024)

According to STACCoverflow, pump.fun's leadership was indifferent to employees and retained control over users' tokens on the platform. Additionally, the attacker accused the founders of withdrawing $2 million from the project's reserves, nearly matching the amount stolen.

STACCoverflow's accusation. Source: Twitter (16/05/2024)

The hacker claimed that the stolen funds would be used for an airdrop to holders of Slerf, stacc, risklol, and SAGA tokens. One user received an airdrop of 140 SOL to their Saga wallet, which the hacker retweeted.

The hack has also raised suspicions that pump.fun could be enabling scams by memecoin projects whose tokens later "rug pull" their holders.

While some users condemned the hack, others expressed support for the attacker, viewing them as a whistleblower exposing the project.

Support for STACCoverflow. Source: Twitter (17/05/2024)

The hacker also created their own memecoin on Solana, inspired by the hack and named Flash Stacc Attack (FSA). The token currently has a market cap of about $240,000 with a trading volume of $1.8 million.

15-minute chart of FSA/SOL pair. Source: DEX Screener (17/05/2024, 4:00 PM)

This incident highlights the vulnerabilities within decentralized platforms and the potential for insider threats, emphasizing the need for robust security measures and transparent governance.