The Solana blockchain's red-hot meme coin factory Pump.Fun descended into chaos Thursday at the hands of an exploiter who compromised the tech central to its issuance of joke cryptocurrencies.
"We are aware that the bonding curve contracts have been compromised and are investigating the matter," the months-old project's Twitter account announced two hours into the chaos. "We’ve paused trading – you cannot buy and sell any coins at the moment."
Trading has been paused for now, according to Pump.fun, but prior to the announcement, traders were left to speculate on what was happening on the platform.
We are aware that the https://t.co/uE2QNKXkIT bonding curve contracts have been compromised and are investigating the matter.
— pump.fun (@pumpdotfun) May 16, 2024
We have upgraded the contracts so the attacker cannot siphon any more funds. The TVL in the protocol right now is safe.
We’ve paused trading — you…
Details of the attack were still coming together at press time.
According to people who are helping with the early stages of the investigation, an exploiter was using a combination of trading tactics to overwhelm Pump.fun and seemingly corner the market for dozens of meme coins. Oddly, on-chain evidence suggests the attacker was not making much of a profit. The people spoke with CoinDesk on the condition of confidentiality since the inquiries are still preliminary.
Pump.fun is a months-old project for creating and gambling on meme coins on the Solana blockchain. It advertises itself as a "fair launch" platform where investors can buy into joke tokens in their earliest moments. Coins sometimes hit it big for their investors, but most implode before they reach the critical market cap of $69,000 where tokens get released into the wild.
Thursday's exploit hit smart contracts responsible for issuing the meme coins on Pump.Fun curve, people said. The attacker tricked the platform's bonding curve into accepting phantom SOL tokens they had borrowed and quickly repaid in what's known as a "flash loan." This resulted in the bonding curves filling up with nonexistent SOL, making tokens look valuable despite no real buy-side interest.
The attacker has caused losses of $300,000 in SOL tokens, according to on-chain researchers. Rather than run off with the money, they used it to repay the flash loans and airdrop funds to other people, the people said.