Solana’s meme coin marketplace Pump.fun was exploited this Thursday after its bonding curve contracts were compromised. In an X post, the team behind the platform said it had upgraded the contracts so the attacker cannot withdraw more funds, and paused trading for all tokens.

The X user identified as “staccoverflow” claimed to be behind the attack, stating that he drained nearly $80 million from Pump.fun. However, Wintermute’s head of research Igor Igamberdiev shared that the exploit drained almost 2,000 SOL, roughly equivalent to $300,000.
1/6
It seems like @pumpdotfun lost ~2k SOL ($300k+) and a bunch of memecoins through a possible private key leakage
So let me share evidence of it👇https://t.co/yuuKYkamfZ
— Igor Igamberdiev (@FrankResearcher) May 16, 2024
Igamberdiev explains that the attack started with flash loans, a feature that lets a borrower take out crypto, use the borrowed funds to interact with a platform, and repay the lender, all within the same block.
Staccoverflow used this function to exploit Pump.fun’s bonding curve model, under which tokens traded on the platform get liquidity pools created on the decentralized exchange Raydium once they reach a market cap threshold. He therefore borrowed SOL from Solana’s money market MarginFi, used the funds to buy tokens on Pump.fun until they reached the threshold to go live on Raydium, and then dumped the assets in the same block.

However, a Pump.fun-tied wallet is responsible for moving liquidity from the meme coin marketplace to Raydium. This wallet was supposedly compromised, as it was being used to send the liquidity to the exploiter, who used the funds to repay his loan and sent the remaining amount to a random Solana address. Moreover, Wintermute’s head of research does not rule out the possibility of an inside job.
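To make the mechanics concrete, here is an added Python model of the flow described above; it is not Pump.fun’s code, and the constant-product curve, the 85 SOL threshold, the fee-free flash loan and the two addresses are constructed assumptions. It shows that the loan itself nets nothing once repaid: what a compromised migration key hands over is the SOL that earlier buyers had already put into the curve, and the defender-side invariant is simply that migrated liquidity may only ever land in the DEX pool.

```python
from dataclasses import dataclass

# Hypothetical addresses used only by this model.
RAYDIUM_POOL = "raydium-pool-address"
ATTACKER_WALLET = "attacker-wallet-address"


@dataclass
class Curve:
    """Constant-product bonding curve with virtual reserves (modelling assumption)."""
    virtual_sol: float = 30.0
    virtual_tokens: float = 1_000_000.0
    real_sol: float = 0.0          # SOL actually deposited by every buyer so far
    threshold_sol: float = 85.0    # constructed: real SOL that triggers migration

    def buy(self, sol_in: float) -> float:
        """Spend sol_in on the curve and return the tokens received."""
        k = self.virtual_sol * self.virtual_tokens
        self.virtual_sol += sol_in
        tokens_out = self.virtual_tokens - k / self.virtual_sol
        self.virtual_tokens -= tokens_out
        self.real_sol += sol_in
        return tokens_out

    def ready_to_migrate(self) -> bool:
        return self.real_sol >= self.threshold_sol


def migration_is_legit(destination: str) -> bool:
    """Defender invariant: migrated liquidity may only go to the DEX pool."""
    return destination == RAYDIUM_POOL


def migrate(curve: Curve, destination: str) -> tuple:
    """The privileged migration key moves the curve's SOL wherever it signs for;
    nothing in the curve itself stops a compromised key from choosing a wallet."""
    moved, curve.real_sol = curve.real_sol, 0.0
    return destination, moved


def simulate(prior_buyers_sol: float, destination: str) -> dict:
    """Flash-loan flow: prior buyers fund the curve, the attacker borrows just
    enough to hit the threshold, migration fires, then the loan is repaid."""
    curve = Curve()
    curve.buy(prior_buyers_sol)                       # honest buyers, earlier
    loan = max(0.0, curve.threshold_sol - curve.real_sol)
    curve.buy(loan)                                   # attacker tops up to threshold
    assert curve.ready_to_migrate()
    dest, moved = migrate(curve, destination)
    received = moved if dest == ATTACKER_WALLET else 0.0
    diverted = received - loan if received else 0.0   # other buyers' SOL kept after repaying
    return {"loan": loan, "diverted": diverted, "flagged": not migration_is_legit(dest)}
```

Running `simulate(50.0, ATTACKER_WALLET)` reports 50 SOL diverted with the migration flagged, while the same call with `RAYDIUM_POOL` diverts nothing.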