Token Issuance Platform Pump.fun on Solana Hacked

The token issuance platform pump.fun on Solana has been hacked, and numerous memecoins issued through the platform have been siphoned off by the hacker.
On-chain data shows that the token issuance platform pump.fun has been attacked. The exploited vulnerability appears to be related to the application's bonding curve mechanism.
🚨 Pumpfun might be under attack
This wallet: https://t.co/8QMLisw0uk
Is buying all tokens on Pumpfun within minutes to fill bonding curve to 100%
Raydium listing stuck pic.twitter.com/jGzh9Ds2ym
— Gotbit Hedge Fund (@gotbit_io) May 16, 2024
Pump.fun platform was hacked, leading to significant memecoin losses.
To carry out the attack, the hacker first took a flash loan from marginfi, used the borrowed SOL to exploit the vulnerability in pump.fun, then repaid the loan and extracted a large amount of memecoins from the platform.
Marginfi also posted a tweet clarifying that its platform remains operational and that the vulnerability was confined to pump.fun's product; marginfi is assisting pump.fun in addressing the issue.
marginfi is ready to help the @pumpdotfun team with their exploit
Reminder: operations on marginfi are normal
Be wary of disinformation. We're available to help the Pump team remedy their situation. pic.twitter.com/9MX64Jxq5u
— marginfi ◼️ (@marginfi) May 16, 2024
Hacker's Bizarre Tweets
After the attack, the hacker posted a series of cryptic tweets on their Twitter account, further complicating the situation.
And now; Magick: everybody be cool, this is a r o b b e r y. What it do, staccattack? I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: /x
— 🔥🪂staccoverflow ; j'arrête ; (@STACCoverflow) May 16, 2024
Hacker's cryptic tweets post-attack. Source: Twitter (16/05/2024)
Damage Assessment
As of writing, there is no detailed damage assessment of the attack. However, within the past hour, many different memecoins have been withdrawn from pump.fun to the hacker's wallet address "5Px...2Qx".
According to blockchain researcher Igor Igamberdiev from Wintermute, the estimated damage from the attack is around $300,000, contrary to the $80 million figure circulating on social media.
It seems like @pumpdotfun lost ~2k SOL ($300k+) and a bunch of memecoins through a possible private key leakage
So let me share evidence of it👇 https://t.co/yuuKYkamfZ
1/6
— Igor Igamberdiev (@FrankResearcher) May 16, 2024
The crypto community quickly identified the attacker as Jarrett Reginald S Dunn from Nova Scotia, Canada.
The @pumpdotfun exploiter is @STACCoverflow. Who is he?
Jarrett Reginald S Dunn from Nova Scotia, Canada. He accidentally leaked his name when he tweeted that he is no longer able to use binance in Canada. https://t.co/a6m5KlzMOg pic.twitter.com/N6MGXVP9bO
— shady (@shady_oak1) May 16, 2024
About Pump.fun
Pump.fun is a platform that supports low-cost token deployment. Newly created tokens must attract buyers through a bonding curve mechanism and, upon reaching a sufficient market capitalization, are listed directly on Raydium. Before the attack, pump.fun had rapidly climbed into the top 10 applications by transaction fees generated.
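The bonding curve mechanism described above, modelled as an added example rather than pump.fun's own program code: a constant-product curve over virtual reserves that "graduates" once its sale supply is exhausted, plus a small monitoring heuristic for the pattern the Gotbit tweet describes (a single wallet filling the curve within minutes). The curve shape, the reserve sizes (30 SOL and 1.073 billion tokens of virtual reserves, 793.1 million tokens for sale), the buy history in `SAMPLE_EVENTS`, and the names `BondingCurve` and `flag_curve_fillers` are all assumptions chosen for illustration, not values taken from the incident.

```python
"""Minimal constant-product bonding curve with a graduation point, plus a
monitor that flags one wallet filling the curve in a single burst.

Added example for this article; NOT pump.fun's program code.  Curve shape,
reserve sizes, graduation rule and every number below are assumptions.
"""
from dataclasses import dataclass

LAMPORTS_PER_SOL = 1_000_000_000


@dataclass
class BondingCurve:
    """Virtual reserves set the price; real_tokens is what is still for sale."""
    virtual_sol: int        # lamports
    virtual_tokens: int     # token base units
    real_tokens: int        # tokens remaining on the curve
    complete: bool = False  # True once the curve is filled (graduation)

    def quote_buy(self, sol_in: int) -> int:
        """Tokens received for sol_in lamports, before the supply cap."""
        k = self.virtual_sol * self.virtual_tokens
        new_virtual_tokens = k // (self.virtual_sol + sol_in)  # floor favours the pool
        return self.virtual_tokens - new_virtual_tokens

    def sol_to_fill(self) -> int:
        """Lamports needed to buy every remaining token on the curve."""
        k = self.virtual_sol * self.virtual_tokens
        tokens_left_after = self.virtual_tokens - self.real_tokens
        return -(-k // tokens_left_after) - self.virtual_sol  # ceiling division

    def buy(self, sol_in: int) -> tuple[int, int]:
        """Execute a buy; returns (tokens_out, sol_spent), capped at remaining supply."""
        if self.complete:
            raise RuntimeError("curve already complete; trade on the DEX pool instead")
        tokens_out = self.quote_buy(sol_in)
        sol_spent = sol_in
        if tokens_out >= self.real_tokens:
            # One sufficiently large buy takes the whole remaining supply and
            # completes the curve in a single transaction.
            tokens_out = self.real_tokens
            sol_spent = min(self.sol_to_fill(), sol_in)
            self.complete = True
        self.virtual_sol += sol_spent
        self.virtual_tokens -= tokens_out
        self.real_tokens -= tokens_out
        return tokens_out, sol_spent


def new_curve() -> BondingCurve:
    """Fresh curve with the assumed (illustrative) launch parameters."""
    return BondingCurve(virtual_sol=30 * LAMPORTS_PER_SOL,
                        virtual_tokens=1_073_000_000,
                        real_tokens=793_100_000)


def flag_curve_fillers(events, curve_supply, share_threshold=0.5, window_s=600):
    """Flag wallets that bought >= share_threshold of curve_supply within window_s.

    events: iterable of (unix_ts, wallet, tokens_bought).  Returns a list of
    (wallet, share) sorted by share, largest first.  The span check uses the
    wallet's first and last buy, so slow accumulation is not flagged and a
    buyer rotating wallets would need per-funding-source grouping instead.
    """
    per_wallet = {}  # wallet -> (first_ts, last_ts, total_tokens)
    for ts, wallet, tokens in events:
        first, last, total = per_wallet.get(wallet, (ts, ts, 0))
        per_wallet[wallet] = (min(first, ts), max(last, ts), total + tokens)
    flagged = []
    for wallet, (first, last, total) in per_wallet.items():
        share = total / curve_supply
        if share >= share_threshold and (last - first) <= window_s:
            flagged.append((wallet, share))
    return sorted(flagged, key=lambda entry: entry[1], reverse=True)


# Constructed buy history (not real on-chain data): wallet_A accumulates about
# 5% over two hours; wallet_B takes about 95% of the curve within one minute.
SAMPLE_EVENTS = [
    (1_715_800_000, "wallet_A", 20_000_000),
    (1_715_803_600, "wallet_A", 20_000_000),
    (1_715_807_200, "wallet_B", 400_000_000),
    (1_715_807_260, "wallet_B", 353_100_000),
]

if __name__ == "__main__":
    curve = new_curve()
    print("1 SOL buys", curve.quote_buy(LAMPORTS_PER_SOL), "tokens at launch")
    print("SOL needed to fill the curve:", curve.sol_to_fill() / LAMPORTS_PER_SOL)
    tokens, spent = curve.buy(100 * LAMPORTS_PER_SOL)
    print(f"one buy took {tokens} tokens for {spent / LAMPORTS_PER_SOL:.3f} SOL; "
          f"complete={curve.complete}")
    print("flagged wallets:", flag_curve_fillers(SAMPLE_EVENTS, 793_100_000))
```

Two things the model makes concrete: the price rises with every purchase, but nothing in the curve itself limits how much of the supply one transaction may take, so anyone who can briefly command enough SOL (for example, from a flash loan repaid in the same transaction) can complete a curve in one go. A monitor should therefore key on how fast a single wallet fills a curve, not on trade size alone; the heuristic here is deliberately simple and would need funding-source clustering and per-slot rate data to be robust.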
Key Highlights:
- Flash Loan Exploit: The hacker used a flash loan from marginfi to exploit the bonding curve vulnerability on pump.fun.
- Marginfi's Clarification: Marginfi confirmed their platform is secure and is aiding pump.fun in resolving the issue.
- Hacker's Identity: The attacker was identified as Jarrett Reginald S Dunn from Nova Scotia, Canada.
- Damage Estimates: Initial estimates suggest a loss of around $300,000, not the $80 million rumored on social media.
- Pump.fun's Role: The platform supports low-cost token issuance with a bonding curve mechanism, quickly rising in transaction fee rankings before the attack.
This incident highlights the ongoing security challenges faced by decentralized platforms and the need for robust security measures to protect user funds and platform integrity.