Solana memecoin creation tool Pump Fun lost $2 million to a former employee in a bonding curve attack. In a May 16 X post, Pump Fun claimed the ex-employee used their privileged position to access withdrawal permissions and seize the protocol’s internal systems.
Hack Attack on Memecoin Platform
Approximately $1.9 million was stolen from Pump Fun’s bonding curve contracts, which held a total of $45 million. The platform temporarily halted trading but was operational again at the time of writing. Pump Fun stated that its smart contracts are secure and affected users will receive 100% of their previous liquidity within 24 hours.
Before Pump Fun’s post, Wintermute’s head of research, Igor Igamberdiev, speculated that the hack involved an internal private key leak by X user STACCoverflow. STACCoverflow claimed in a series of encrypted X posts that they were about to change the course of history. Pump Fun had previously stated in an X post that they were cooperating with law enforcement. The team did not name the former employee and did not immediately respond to requests for comment.
Details of the Attack Revealed
According to the Pump Fun team, the alleged attacker used flash loans through the Solana lending protocol Raydium to borrow SOL, which was then used to purchase as many assets as possible. The platform was temporarily shut down following the attack, which continues to draw attention.
When the coins' bonding curves reached 100%, the attacker could access the bonding curve liquidity and repay the flash loans. The Pump Fun team revealed that approximately 12,300 SOL worth $1.9 million was stolen in the May 16 attack. The Solana ecosystem’s memecoin creation and trading platform stated that affected users would recover 100% or more of their pre-attack liquidity.
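A defender-side check for the pattern described above, as an added example that is not Pump Fun's code: it scans constructed event records and flags withdrawals of bonding curve liquidity that go to an unexpected destination or that follow one signer filling most of a curve within a few slots. The event schema, the 80 SOL target, the destination allow-list and the thresholds are all assumptions.

```python
from collections import defaultdict

# Assumed values for illustration; not taken from the platform.
TARGET_SOL = 80.0                   # SOL needed for a curve to reach 100%
ALLOWED_DESTS = {"amm_migration"}   # hypothetical expected liquidity destination

# Constructed events (not real chain data); field names are hypothetical.
EVENTS = [
    {"slot": 100, "curve": "A", "kind": "buy", "signer": "u1", "sol": 30.0},
    {"slot": 250, "curve": "A", "kind": "buy", "signer": "u2", "sol": 25.0},
    {"slot": 400, "curve": "A", "kind": "buy", "signer": "u3", "sol": 25.0},
    {"slot": 401, "curve": "A", "kind": "withdraw", "signer": "ops", "dest": "amm_migration"},
    {"slot": 300, "curve": "B", "kind": "buy", "signer": "u4", "sol": 10.0},
    {"slot": 500, "curve": "B", "kind": "buy", "signer": "w9", "sol": 70.0},
    {"slot": 500, "curve": "B", "kind": "withdraw", "signer": "w9", "dest": "w9"},
    {"slot": 600, "curve": "C", "kind": "buy", "signer": "u5", "sol": 30.0},
    {"slot": 700, "curve": "C", "kind": "buy", "signer": "u6", "sol": 50.0},
    {"slot": 701, "curve": "C", "kind": "withdraw", "signer": "ops", "dest": "amm_migration"},
]

def analyze(events, target_sol=TARGET_SOL, allowed=ALLOWED_DESTS,
            window_slots=2, share=0.5):
    """Return one finding per suspicious bonding-curve liquidity withdrawal."""
    buys = defaultdict(list)
    findings = []
    # sorted() is stable, so same-slot events keep their recorded order.
    for e in sorted(events, key=lambda ev: ev["slot"]):
        if e["kind"] == "buy":
            buys[e["curve"]].append(e)
            continue
        reasons = []
        # Rule 1: liquidity leaves to an address outside the expected flow.
        if e["dest"] not in allowed:
            reasons.append("withdrawal to unexpected destination " + e["dest"])
        # Rule 2: one signer supplied most of the curve just before withdrawal,
        # the shape a borrowed-capital fill would leave behind.
        by_signer = defaultdict(float)
        for b in buys[e["curve"]]:
            if e["slot"] - b["slot"] <= window_slots:
                by_signer[b["signer"]] += b["sol"]
        top, amt = max(by_signer.items(), key=lambda kv: kv[1], default=(None, 0.0))
        if amt >= share * target_sol:
            reasons.append(f"{top} filled {amt / target_sol:.0%} of the curve "
                           f"within {window_slots} slots of the withdrawal")
        if reasons:
            findings.append({"curve": e["curve"], "slot": e["slot"],
                             "signer": e["signer"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["curve"], f["slot"], f["signer"], "; ".join(f["reasons"]))
```

Curve C trips only the rapid-fill rule and is the kind of hit to triage rather than page on; curve B trips both rules.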