The Solana-based memecoin platform has become a favored venue for token launches in recent weeks.
Memecoin launchpad Pump.Fun was exploited today.
A minimum of 12,300 SOL, worth roughly $2 million, was stolen during the hack, which leveraged flashloans to withdraw funds from the platform.
The Pump.Fun team managed to upgrade their contracts and prevent the attacker from doing any additional damage. They have stated that all user wallets connected to the dApp are safe, and that any existing tokens that are burned to the Raydium decentralized exchange are secure.
Pump.Fun enables non-technical users to launch memecoins without spending much time or money. The platform has enabled the launch of hundreds of tokens on Blast and Solana, and made over $10 million in revenue last month, according to data from DeFiLlama.
Private Key Compromise
Throughout the attack, Pump.Fun’s service account acted as a cosigner of all of the exploiter’s transactions, leading analysts to believe a private key compromise allowed the malicious flashloan exploit to take place.
Flashloans are instantaneous loans that are meant to be borrowed and repaid within a single blockchain block. They are often used for arbitrage, collateral swaps, or liquidations. In this particular instance, the exploiter used MarginFi’s flashloan services.
When a token fills its bonding curve on Pump.Fun, the service account is meant to burn the bonding curve liquidity to Raydium and allow the token to begin trading on the open market.
By accessing the service account via the compromised key, the hacker was able to withdraw the liquidity that is meant to be migrated to Raydium, use it to repay the flashloan, and also donate leftover funds to holders of various Solana tokens.
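The pattern described above (the service key cosigning someone else's transaction, a flashloan in the same transaction, and bonding-curve liquidity that never reaches the exchange) can be turned into a monitoring rule. The following is an added example, not Pump.Fun's code: the record format is a simplified assumption rather than real Solana transaction data, and every account and program name is a placeholder.

```python
# Constructed, simplified records; all names are placeholders, not real addresses.
SERVICE_ACCOUNT = "SERVICE_ACCOUNT_PLACEHOLDER"
ALLOWED_COSIGNERS = {SERVICE_ACCOUNT}            # assumption: migrations need no outside signer
LENDING_PROGRAMS = {"LENDING_PROGRAM_PLACEHOLDER"}  # flashloan-capable programs
CURVE_PROGRAM = "BONDING_CURVE_PLACEHOLDER"      # holds pre-migration liquidity
DEX_PROGRAM = "DEX_PLACEHOLDER"                  # where migrated liquidity should land

def moved(tx, program, action):
    """Total lamports moved by instructions matching program and action."""
    return sum(ix.get("lamports", 0) for ix in tx["instructions"]
               if ix["program"] == program and ix["action"] == action)

def review_transaction(tx):
    """Return reasons a service-account-signed tx deviates from a normal migration."""
    if SERVICE_ACCOUNT not in tx["signers"]:
        return []  # the rule only covers transactions the service key signed
    findings = []
    outsiders = sorted(set(tx["signers"]) - ALLOWED_COSIGNERS)
    if outsiders:
        findings.append("unexpected cosigner: " + ", ".join(outsiders))
    if any(ix["program"] in LENDING_PROGRAMS for ix in tx["instructions"]):
        findings.append("service key signed alongside a lending instruction")
    shortfall = (moved(tx, CURVE_PROGRAM, "withdraw")
                 - moved(tx, DEX_PROGRAM, "add_liquidity"))
    if shortfall > 0:
        findings.append(f"{shortfall} lamports left the curve without reaching the DEX")
    return findings

# Constructed sample: an ordinary migration signed only by the service account.
NORMAL_MIGRATION = {"signers": [SERVICE_ACCOUNT], "instructions": [
    {"program": CURVE_PROGRAM, "action": "withdraw", "lamports": 79_000_000_000},
    {"program": DEX_PROGRAM, "action": "add_liquidity", "lamports": 79_000_000_000}]}

# Constructed sample shaped like the reported incident.
SUSPICIOUS = {"signers": ["UNKNOWN_WALLET_PLACEHOLDER", SERVICE_ACCOUNT], "instructions": [
    {"program": "LENDING_PROGRAM_PLACEHOLDER", "action": "borrow", "lamports": 50_000_000_000},
    {"program": CURVE_PROGRAM, "action": "withdraw", "lamports": 79_000_000_000},
    {"program": "LENDING_PROGRAM_PLACEHOLDER", "action": "repay", "lamports": 50_000_000_000}]}

if __name__ == "__main__":
    for name, tx in (("normal", NORMAL_MIGRATION), ("suspicious", SUSPICIOUS)):
        print(name, review_transaction(tx))
```
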
Trading on Pump.Fun is currently disabled, and any tokens that were manipulated to migrate to Raydium via the exploit will not be migrating for an indefinite period of time.
Read More: thedefiant.io