Former Pump.fun Employee Exploits Withdrawal Authority, Causes $1.9M Loss

CryptoPotato / 17.05.2024 / 16:17

Solana-based meme coin launchpad Pump.fun announced that a former employee used their “privileged position” to access “withdraw authority” and misappropriated around 12,300 SOL, worth approximately $1.9 million at the time.

To prevent further damage, Pump.fun halted trading and updated the contracts.

Flash Loan Exploit

Addressing the exploit, Pump.fun said in an X post that a former employee misused their access to the withdrawal authority, which they had obtained through their previous position within the company.

Utilizing flash loans on a Solana lending protocol, the individual in question borrowed SOL and bought up coins to push them to 100% on their bonding curves. This allowed them to access the bonding curve liquidity and repay the flash loans.

Trading on the platform was halted a few hours later. Out of $45 million in total liquidity, approximately $1.9 million was affected. The Pump.fun team then redeployed the contracts and resumed trading with a 0% fee for the next seven days.

The meme coin creation platform further noted that the tokens that reached 100% during the exploit are currently in limbo and untradeable until liquidity pools are deployed for them on the Solana lending protocol, Raydium. To compensate users, the team said it will replenish the liquidity pools for the affected coins with an equal or greater amount of SOL within the next 24 hours.

“Please bear with us as we aim to resume the trading of these coins in a safe and structured manner. We have been working with some of the most esteemed security folks in the space to not only minimize the impact of the situation, but to ensure that this will never happen in the future.”

Internal Private Key Leak

Before Pump.fun’s announcement, cryptocurrency market maker Wintermute’s head of research, Igor Igamberdiev, attributed the hack to an internal private key leak and suspected X user “STACCoverflow.”

Shortly thereafter, X user “Stacc” admitted to executing the exploit, criticizing their “horrible bosses” at Pump.fun and describing them as unsuitable to be the “face of the blockchain” community.
