Solana Meme Coin Marketplace Pump.fun Issues $1.9 Million Exploit Postmortem, Discloses Former Employee Involvement

Pump.fun Exploit Disclosed, Former Employee Involved

Pump.fun, a Solana-based meme coin marketplace and liquidity deployment tool, has issued a postmortem report on an exploit that affected its operative capabilities on May 16. The protocol explained that the exploit was carried out by a former employee who abused his privileged position at the company to misappropriate 12.3K SOL, worth $1.9 million.

The exploiter took advantage of its access to borrow SOL from a Solana lending protocol, purchase coins until their bonding curve liquidity reached 100%, and repay the loan received. Pump.fun alleges that only $1.9 million out of the $45m in liquidity was affected, due to the quick action that stopped trading swiftly to avoid more damage.

The platform is now live, and users can resume trading. In addition, pump.fun announced that it would not collect any trading fees for the next seven days. The trading of the affected tokens will be restarted soon, as the team vowed to add the liquidity withdrawn during the exploit event.

Staccoverflow, an X user who claimed responsibility for the attack, was confirmed to be part of pump.fun’s dev team at some time. Staccoverflow explained that he had disclosed this vulnerability to the team before, and expressed his dissatisfaction with how employees were treated.

According to a X thread, he aimed to redistribute some of these tokens to holders of other tokens, and estimated damages to be around $80 million for the Solana memecoin ecosystem.

Pump.fun’s team concluded stressing that they were “working with some of the most esteemed security folks in the space to not only minimize the impact of the situation, but to ensure that this will never happen in the future.”

What do you think about pump.fun’s exploit? Tell us in the comments section below.