Pump.fun’s $1.9 million attacker claims exploit was about sending a message
Each day, Coinrule will run through the state of the digital assets market for Blockbeat, your home for news, analysis, opinion and commentary on blockchain and digital assets.
So far this cycle, meme tokens have played an outsized role compared to previous cycles. They have not only provided some of the best returns, but have also been one of the biggest drivers of network activity on chains such as Solana and Base. For Solana, the meme token creator Pump.fun has fueled this surge in meme token activity. However, as always with crypto, wherever there is success, exploiters are not far behind. This time, though, it seems to have been about sending a message rather than purely an exploit.
Pump was created to make meme tokens safer, or “rug free.” It does this by eliminating token creators’ access to liquidity pools and removing the need for presales and team allocations. Additionally, it makes token creation easier, taking as little as 30 seconds and costing 0.02 SOL (~$3.50). Once launched on the protocol, a token trades on a bonding curve that sets its price. When demand pushes the token’s market cap above $69,000, it launches onto the decentralised exchange Raydium. Pump captures this initial fee and a 1% fee on trades placed on the bonding curve. Last week was its best yet, with over $4.1 million of revenue generated, according to DefiLlama. This made it crypto’s fourth-highest revenue generator, following Solana itself in third.
Last Thursday, a former employee who still had admin privileges exploited Pump for $1.9 million. The exploiter, known as “Stacc,” used a flash loan, which requires no upfront collateral, to access funds. They then used these funds to buy up Pump tokens’ bonding curves. Then they used the admin privileges to access and drain the liquidity of these tokens and repay the loan. This resulted in anyone who had purchased before the exploiter essentially experiencing a “rug-pull,” or losing all their money. Interestingly, the exploiter didn’t keep these funds for themselves and seemed to do it to send a message about their negative experience working at Pump and their opinion of it. Instead, they airdropped the stolen Solana to a selection of random wallets. “Stacc” now claims they have been arrested and are in hospital in London.
To compensate affected users, the Pump team will provide liquidity for the affected tokens with an equal or greater amount of SOL than they had pre-exploit. Additionally, the platform has removed trading fees for 7 days following the incident.
The irony of the incident was that after trading resumed, Pump was used to create tokens about the protocol’s own exploit. Talk about a protocol’s utility.