Former Pump.fun Employee Exploits Withdrawal Authority, Causes $1.9M Loss

Solana-based meme coin launchpad Pump.fun announced that a former employee used their “privileged position” to access “withdraw authority” and misappropriated around 12,300 SOL, worth approximately $1.9 million at the time.

To prevent further damage, Pump.fun halted trading and updated the contracts.

Flash Loan Exploit

Addressing the exploit, Pump.fun said in an X post that a former employee misused their access to the withdrawal authority, which they had obtained through their previous position within the company.

Utilizing flash loans on a Solana lending protocol, the individual in question borrowed SOL and bought up coins to push them to 100% on their bonding curves. This allowed them to access the bonding curve liquidity and repay the flash loans.

Trading on the platform was halted a few hours later. Out of $45 million in total liquidity, approximately $1.9 million was affected. The Pump.fun team then redeployed the contracts and resumed trading with a 0% fee for the next seven days.

The meme coin creation platform further noted that the tokens that reached 100% during the exploit are currently in limbo and untradeable until liquidity pools are deployed for them on the Solana lending protocol, Raydium. To compensate users, the team said it will replenish the liquidity pools for the affected coins with an equal or greater amount of SOL within the next 24 hours.

“Please bear with us as we aim to resume the trading of these coins in a safe and structured manner. We have been working with some of the most esteemed security folks in the space to not only minimize the impact of the situation, but to ensure that this will never happen in the future.”

Internal Private Key Leak

Before Pump.fun’s announcement, cryptocurrency market maker Wintermute’s head of research, Igor Igamberdiev, attributed the hack to an internal private key leak and suspected X user “STACCoverflow.”

Shortly thereafter X user “Stacc” admitted to executing the exploit, criticizing their “horrible bosses” at Pump.fun, describing them as unsuitable “face of the blockchain” community.