Memecoins
Memecoin Launchpad Pump.Fun Loses Nearly $2 Million in Exploits
The Solana-based memecoin platform has become a prime location for token launches in recent weeks.
The memecoin launchpad Pump.Fun was exploited today.
At least 12,300 SOL, worth around $2 million, was stolen in the hack, in which the attacker used flash loans to withdraw funds from the platform.
The Pump.Fun team has updated its contracts and prevented the attacker from doing further damage. The team stated that all user wallets connected to the dApp are safe and that all existing tokens burned on the Raydium decentralized exchange are safe.
Pump.Fun allows non-technical users to launch memecoins without spending much time or money. According to data from DeFiLlama, the platform has launched hundreds of tokens on Blast and Solana and made over $10 million in revenue last month.
Private key compromise
During the attack, Pump.Fun’s service account acted as a co-signer on all of the exploiter’s transactions, leading analysts to believe that a compromise of the account's private key enabled the malicious flash loan exploit.
Flash loans are instant loans intended to be borrowed and repaid within a single blockchain block. They are often used for arbitrage, collateral swaps or liquidations. In this particular case, the exploiter used MarginFi’s flash loan services.
When a token fills its bonding curve on Pump.Fun, the service account is intended to burn off the liquidity of the bonding curve on Raydium and allow the token to begin trading on the open market.
By accessing the service account with the compromised key, the hacker managed to withdraw the liquidity that should have been migrated to Raydium, use it to repay the flash loan, and also donate the remaining funds to holders of various Solana tokens.
Trading on Pump.Fun is currently disabled, and any tokens that were manipulated to migrate to Raydium via the exploit will not be migrated for an indefinite period of time.