Pump.fun halts trading after suffering flash loan exploit
A Solana-based DeFi memecoin platform called Pump.fun experienced a significant breach on May 16 when an exploiter apparently utilized flash loans to manipulate the platform's bonding curve contracts. The platform has since paused all trading activities. In a statement on social media, Pump.fun acknowledged the exploit and assured users that the platform is investigating the issue.
The team wrote: "We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe. We've paused trading — you cannot buy and sell any coins at the moment. Any coins that are currently in the process of migrating to Raydium cannot be traded and will not be migrating for an indefinite period of time."
Industry experts, including Wintermute head of research Igor Igamberdiev, suggested that a key had been compromised, raising the possibility of an inside job. He estimated the loss to be at least 12,000 SOL, equivalent to roughly $2 million.
An account on X, identified as STACCoveflow, claimed responsibility for the attack shortly after news of the exploit broke. Stacc hinted at a larger motive in their posts, stating: "I'm about to change the course of history." He implied that he did not intend to keep the stolen funds but planned to redistribute the "remaining balances of bonding curves" to certain token users. The exact method Stacc used to execute the attack remains unclear, and it is unknown whether the balances are indeed being distributed to other users. The account allegedly belongs to a doxxed developer who previously worked on Pump.fun. Additionally, several accounts claimed that Stacc had airdropped the stolen SOL to holders of four different coins.