Former Pump.Fun Employee Behind $1.9M Heist
By Vukan Ljubojevic | TH3FUS3 Senior Writer
May 17, 2024 02:44 AM
TL;DR A former employee exploited Solana-based Pump.fun, resulting in a $1.9 million loss. The platform has since upgraded its contracts and assured users of compensation. The incident highlights the risks and complexities within the DeFi sector.
Platform Exploited by Former Employee
Solana-based meme coin launchpad Pump.fun faced a significant exploit on May 16 at 15:21 UTC.
The incident involved a former employee who misappropriated approximately 12,300 SOL, valued at around $1.9 million at the time. The platform revealed these details in a post-mortem posted on X.
The former employee, identified as Jarrett and better known by the pseudonym STACCOverflow, illegitimately gained access to the withdrawal authority by using their privileged position.
Jarrett used flash loans from Margin.fi to borrow SOL and buy out meme coins, pushing their bonding curves to 100%. This allowed the exploiter to gain liquidity to repay the flash loans, severely affecting the platform.
Trading Halted and Security Measures
By 17:00 UTC, all trading on Pump.fun was halted. Only $1.9 million of the $45 million in liquidity within the bonding curve contracts was affected. The platform paused trading and upgraded its contracts to prevent further damage. It assured users that the smart contracts were safe and that the platform was back live.
Compensation Plan
To compensate users affected by the exploit, Pump.fun announced plans to seed, within the next 24 hours, the liquidity pools (LPs) for each affected coin with an equal or greater amount of SOL liquidity than the coin had at 15:21 UTC. Additionally, trading fees were set to 0% for the next seven days to aid recovery.
"Coins that reached 100% between 15:21 - 17:00 UTC are in limbo," the platform stated. "No one can trade them until LPs are deployed for them on Raydium."
Former Employee's Motive
Jarrett, the former employee behind the exploit, expressed dissatisfaction with the company on social media.
He wrote, "The kind of horrible bosses that witness you wreck your hand, ask you what happened, you said the glass table got you, and they go 'is that table ok?' is not the type of people you want front and center as the face of blockchain."
He also mentioned plans to disrupt the platform and distribute his loot through an airdrop among various communities.
Community Reaction and Future Steps
The exploit has sent shockwaves through the crypto community. Pump.fun has collaborated with law enforcement and assured users that their funds are safe.
They also warned users about potential scammers sharing malicious links claiming to be reimbursement links. The platform's quick response and commitment to user compensation have restored trust.
"We are committed to ensuring the safety of our users and are cooperating with relevant parties, including law enforcement, to minimize the damage," the team stated.
Pump.fun's incident underscores the importance of robust security measures and transparent communication in the DeFi sector.