Memecoin startup pump.fun claims ex-employee behind $1.9M exploit

Solana memecoin creation tool pump.fun A former employee claims the company was defrauded of nearly $2 million in the “Bonding Curve” attack.

The ex-employee was sued in a May 16 X post on Pam.Fun for using “privileges” to obtain “removal authority” and to compromise the protocol's internal systems.

Of the total $45 million held in Pump.fun Bonding Curve contracts, $1.9 million was stolen.

The platform has temporarily stopped trading but is now back up and running.

pump.fun's smart contracts are “safe” and affected users will receive “100% liquidation” within the next 24 hours, according to pump.fun.

Prior to Pump.fun's post, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermut, said the hack came from an internal private key leak, which he suspected was user X's “STACCoverflow”.

In a series of Secret X posts, STACCoverflow said, “You're going to change the course of history. n [sic] Then he rots in prison. “I don't care, I'm totally doxxed already,” he added in a separate post.

Related: Solana memecoin hits massive $328T market cap – for all the wrong reasons

In an earlier X post, pump.fun was cooperating with law enforcement. He did not name the former employee and did not immediately respond to a request for comment.

How the hack was opened

The alleged exploiter used flash loans on Solana's lending protocol, Radium, to borrow Solana (SOL), which will be used to buy as many coins as possible, according to pump.fun.

Once the coins reach 100% on their respective bonding curves, the exploiter can access the liquidation of the bonding curve and return the flash loans.

Approximately 12,300 SOL, worth $1.9 million, were stolen in the attack, which pump.fun sai said took place between 3:21 PM and 5:00 PM UTC on May 16.

The Solana memecoin launch pad claims that between these hours affected users will regain 100% or more of their pre-attack liquidity.

Magazine: 1 in 6 new Base meme coins are scams, 91% vulnerability