
Solana Meme Coin Factory Pump.Fun Compromised by 'Bonding Curve' Exploit

The exploiter may not be making any money from the attack.

Updated May 16, 2024, 6:43 p.m. Published May 16, 2024, 6:28 p.m.
Solana hacker house

The Solana blockchain's red-hot meme coin factory Pump.Fun descended into chaos Thursday at the hands of an exploiter who compromised the tech central to its issuance of joke cryptocurrencies.

"We are aware that the bonding curve contracts have been compromised and are investigating the matter," the months-old project's Twitter account announced two hours into the chaos. "We’ve paused trading – you cannot buy and sell any coins at the moment."

Trading has been paused for now, according to Pump.fun, but prior to the announcement, traders were left to speculate on what was happening on the platform.

Details of the attack were still coming together at press time.

According to people who are helping with the early stages of the investigation, an exploiter was using a combination of trading tactics to overwhelm Pump.fun and seemingly corner the market for dozens of meme coins. Oddly, on-chain evidence suggests the attacker was not making much of a profit. The people spoke with CoinDesk on the condition of confidentiality since the inquiries are still preliminary.

Pump.fun is a months-old project for creating and gambling on meme coins on the Solana blockchain. It advertises itself as a "fair launch" platform where investors can buy into joke tokens in their earliest moments. Coins sometimes hit it big for their investors, but most implode before they reach the critical market cap of $69,000 where tokens get released into the wild.

Thursday's exploit hit the smart contracts responsible for issuing the meme coins on Pump.Fun's bonding curve, people said. The attacker tricked the platform's bonding curve into accepting phantom SOL tokens they had borrowed and quickly repaid in what's known as a "flash loan." This resulted in the bonding curves filling up with nonexistent SOL, making tokens look valuable despite no real buy-side interest.

The attacker has caused losses of $300,000 in SOL tokens, according to on-chain researchers. Rather than run off with the money, they used it to repay the flash loans and airdrop funds to other people, the people said.

Danny Nelson

Danny is CoinDesk's managing editor for Data & Tokens. He formerly ran investigations for the Tufts Daily. At CoinDesk, his beats include (but are not limited to): federal policy, regulation, securities law, exchanges, the Solana ecosystem, smart money doing dumb things, dumb money doing smart things and tungsten cubes. He owns BTC, ETH and SOL tokens, as well as the LinksDAO NFT.
