Token Issuance Platform Pump.fun on Solana Hacked
The token issuance platform pump.fun on Solana has been hacked, with the attacker draining large amounts of memecoins issued on the platform.
On-chain data confirms that pump.fun was exploited. The vulnerability appears to be tied to the application's bonding curve mechanism.
🚨 Pumpfun might be under attack
This wallet: https://t.co/8QMLisw0uk
Is buying all tokens on Pumpfun within minutes to fill bonding curve to 100%
Raydium listing stuck pic.twitter.com/jGzh9Ds2ym
— Gotbit Hedge Fund (@gotbit_io) May 16, 2024
Pump.fun was exploited, resulting in significant memecoin losses.
Before the attack, the hacker took out a flash loan through marginfi, used the borrowed SOL to exploit the vulnerability in pump.fun, repaid the loan, and walked away with a large haul of memecoins from the platform.
Marginfi posted a tweet clarifying that its platform is operating normally and that the vulnerability was isolated to pump.fun. Marginfi is currently working with pump.fun to help address the issue.
marginfi is ready to help the @pumpdotfun team with their exploit
Reminder: operations on marginfi are normal
Be wary of disinformation. We're available to help the Pump team remedy their situation. pic.twitter.com/9MX64Jxq5u
— marginfi ◼️ (@marginfi) May 16, 2024
Hacker's Bizarre Tweets
Following the attack, the hacker posted a string of erratic tweets from their Twitter account, adding another strange layer to the incident.
And now; Magick: everybody be cool, this is a r o b b e r y. What it do, staccattack? I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: /x
— 🔥🪂staccoverflow ; j'arrête ; (@STACCoverflow) May 16, 2024
The hacker's erratic tweets after the exploit. Source: Twitter (05/16/2024)
Damage Assessment
A full damage estimate is still unavailable. However, in the hour following the attack, a large number of memecoins were withdrawn from pump.fun to the hacker's wallet address "5Px...2Qx."
According to Igor Igamberdiev, a blockchain researcher at Wintermute, the actual damage is estimated at around $300,000 — far below the $80 million figure that spread across social media.
1/6
It seems like @pumpdotfun lost ~2k SOL ($300k+) and a bunch of memecoins through a possible private key leakage
So let me share evidence of it👇 https://t.co/yuuKYkamfZ
— Igor Igamberdiev (@FrankResearcher) May 16, 2024
The crypto community quickly identified the attacker as Jarrett Reginald S Dunn from Nova Scotia, Canada.
The @pumpdotfun exploiter is @STACCoverflow. Who is he?
Jarrett Reginald S Dunn from Nova Scotia Canada. He accidentally leaked his name when he tweeted that he is no longer able to use binance in Canada. https://t.co/a6m5KlzMOg pic.twitter.com/N6MGXVP9bO
— shady (@shady_oak1) May 16, 2024
About Pump.fun
Pump.fun is a platform designed for low-cost token launches. Newly created tokens build momentum through a bonding curve mechanism and, once they hit a sufficient market cap, get listed directly on Raydium. Before the exploit, pump.fun had quickly climbed into the top 10 applications by transaction fee revenue.
Key Highlights:
- Flash Loan Exploit: The attacker used a flash loan from marginfi to exploit the bonding curve vulnerability on pump.fun.
- Marginfi's Clarification: Marginfi confirmed its platform is secure and is helping pump.fun resolve the issue.
- Hacker's Identity: The attacker was identified as Jarrett Reginald S Dunn from Nova Scotia, Canada.
- Damage Estimates: Current estimates put losses at around $300,000 — not the $80 million rumored on social media.
- Pump.fun's Role: The platform supports low-cost token issuance via a bonding curve mechanism and had been rapidly rising in transaction fee rankings prior to the attack.
This incident underscores the persistent security challenges facing decentralized platforms and the critical need for strong safeguards to protect user funds and platform integrity.