Solana-based meme coin generation platform Pump.fun fell victim to a flash loan exploit on Thursday. The hacker, ‘Stacc’, supposedly deceived the bonding curves into accepting SOL tokens that he had borrowed via the flash loan. The transactions went through, but the bonding curves were being filled with non-legitimate SOL. Essentially, Stacc was able to keep the tokens without actually having to pay for them.
While admitting to the “robbery” on X, Stacc also opened up about his troubled mental health. He further revealed that he just wanted his mother to be raised from the dead. Stacc was also critical of the people currently running the show in the industry. He asserted that the people who “insist on custody of user funds are not the types of people we want hodling any more of your millions.”
The exploiter doesn’t seem to want to profit from this incident. He posted on X that he will be sending the bonding curve balances to people via airdrops. He cautioned,
“This ~80m airdrop may cause a solana fork n it may cause an awful lot of sourpuss rich kids everywhere but it certainly stops the evil here.”
Preliminary investigations revealed that a private key leak led to the exploit. Igor Igamberdiev, the Head of Research at Wintermute, and Mert Mumtaz, the CEO of Helius Labs, affirmed that the program key was compromised and that this is what led to the attack. The amount compromised, however, stood at only around $2 million. The story was still developing at press time.
The Pump.fun team revealed that they were looking into the exploit and carrying out investigations. They also paused trading and halted migration for an indefinite period of time. The team further added,
“We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe.”
Users Create New Meme Coins About the Exploit
Pump.fun’s mechanics are simple. It allows users to mint tokens for just a couple of dollars. After the market capitalization of any token touches $69,000, $12,000 of liquidity is deposited to the Solana-based exchange Raydium and burned. Last month, the project also integrated Blast and Base support. So far, more than 572k transactions have been deployed on Pump.fun, and the protocol has earned around 146k SOL from them. In fact, its daily revenue also peaked earlier this week.
The project uses a built-in safety mechanism to prevent rugs. According to the website, “Pump prevents rugs by making sure that all created tokens are safe. Each coin on Pump is a fair launch with no pre-sale and no team allocation.”
Several users have already created a bunch of meme coins about the exploit. Their market caps ranged from 4k to 12k at press time.