KEY POINTS
- Earlier social media reports said the total losses were around $80 million
- Pump.fun clarified that $1.9 million was lost and contracts remained safe
- The development team said an ex-employee gained access to the "withdraw authority"
Pump.fun, a memecoin factory on the Solana blockchain, was exploited for nearly $2 million Thursday after a hacker broke into the memecoin deployer's system and carried out flash loan attacks.
Pump.fun paused trading about two hours after news of the exploit first emerged on social media, disallowing the purchase and sale of any coins. The team also said it upgraded contracts to prevent the attacker from siphoning more funds.
Multiple social media users posted on X (formerly Twitter) that the total losses reached $80 million. However, Pump.fun took to the platform late on Thursday, explaining that only $1.9 million was affected in the exploit.
The Pump.fun team also clarified that "pump.fun contracts are safe." As for the reason behind the hack, the team pointed to a former employee who allegedly "used their privileged position at the company to misappropriate 12.3K SOL," the native cryptocurrency of the Solana blockchain.
Digging deeper into the security breach, the team said an ex-employee "illegitimately" gained access to the "withdraw authority" and carried out flash loan attacks. Trading has since resumed, and the team said it is now "safe" to create coins and to buy and sell them.
However, the team faced scrutiny from other memecoin users after Igor Igamberdiev, the head of research at crypto market maker Wintermute, suggested that the exploit stems from an internal private key leak, and said the person involved may have been @STACCoverflow on X. Igamberdiev, however, said the total SOL losses were around 2,000 tokens, worth over $300,000.
User @STACCoverflow posted on X before news of the exploit emerged. "Everybody be cool, this is a robbery...I'm about to change the course of history..." Igamberdiev included the post in what he said was "evidence" that the hack was internal in nature.
Pump.fun has yet to identify the former employee who allegedly exploited the coin factory, but some users said the team should have prevented the breach. One user noted that the former employee should have had his or her access removed after leaving the team.
Another user asked the developers whether they will establish a "multi facet" security system to ensure that no one can breach the system again and whether the team has determined which security areas they should work on. Pump.fun has yet to respond.
The crypto industry has suffered multiple hacking incidents since the start of the year, including a week in which over $71 million was lost to hackers and scammers. However, internal security issues such as the Pump.fun exploit have been rare.