Former Pump.fun Employee Arrested in $1.9M SOL Exploit
Pump.fun, a popular platform for launching meme coins on Solana, has named a former employee as the person responsible for a recent exploit. The hack resulted in the theft of 12,300 SOL, worth about $1.9 million at the time of the attack.
In a report posted on X (formerly Twitter), Pump.fun said the ex-employee had gained unauthorized access to the withdraw authority. The employee then used flash loans, which are loans that must be paid back within the same blockchain block, to borrow a large amount of SOL from a Solana-based lending protocol.
The former employee used the borrowed SOL to buy many coins on Pump.fun. This caused the prices of these coins to hit their maximum on the platform's bonding curves. Bonding curves set a coin's price based on its current supply, so prices go up as more coins are bought.
Once the coins reached their highest prices, the hacker was able to access the money that was locked in these bonding curves. These were the pooled funds that supported the trading and stability of the affected coins.
Pump.fun stopped all trading by 17:00 UTC to prevent more damage. The platform said that out of the $45 million total in the bonding curve contracts, only about $1.9 million was affected. Pump.fun promised to compensate affected users by adding the same amount or more of SOL liquidity to each impacted coin's pool within 24 hours.
After the hack, British police in London arrested a person thought to be behind the attack, as shared by user @therollupco on X. The suspected attacker, known as @STACCoverflow and possibly named Jarett Reginald Dunn, was later released on bail.
The hacker had redirected funds meant for the Solana decentralized exchange Raydium to different wallet addresses. Analysts who examined the transactions on the blockchain discovered this.
Pump.fun, which has made $22 million in revenue since it started in January, has put its contracts back in place and restarted trading. To rebuild trust with users, the platform is offering 0% trading fees for the next seven days.
Pump.fun is designed to prevent rug pulls and ensure fair token launches without presales or team allocations. Despite the recent hack, it remains the second-biggest revenue-generating platform in DeFi, behind only the Ethereum Network.
The platform is working to restore trust and stability after the incident, while authorities continue to investigate the alleged attacker's role in the breach.