Pump.Fun Insider Flash Loan Exploit
About Pump.Fun
"pump.fun is a Solana-based memecoin generator."
"Pump prevents rugs by making sure that all created tokens are safe. Each coin on pump is a fair-launch with no presale and no team allocation. step 1: pick a coin that you like step 2: buy the coin on the bonding curve step 3: sell at any time to lock in your profits or losses step 4: when enough people buy on the bonding curve it reaches a market cap of $69k step 5: $12k of liquidity is then deposited in raydium and burned"
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
"On May 16th, the project suffered a $1.9 million exploit by an attacker who then began airdropping the money to somewhat random wallets. pump.fun stated on Twitter that the attack was due to a former employee exploiting their privileges within the company to illegally obtain withdrawal permissions and using a lending protocol to carry out flash loan attacks."
| Date | Event | Description |
|---|---|---|
| May 14th, 2024 6:38:31 PM MDT | First Exploit Transaction | The first transaction in the exploit, which creates a new token trading pair. |
| May 16th, 2024 4:31:00 PM MDT | Pump.Fun Clarity Post | Pump.Fun posts to announce details of the exploit. They report that an insider used their privileged position and a flash loan exploit to perform withdrawals of protocol liquidity. |
| May 17th, 2024 2:08:48 AM MDT | Medium Technical Analysis | A technical analysis on Medium by a third party reports on details of the exploit and suggests that a private key compromise is more likely than an insider compromise; however, no rationale is given. |
Technical Details
"Flash Loan Acquisition: The attacker initiated a 129 SOL flash loan, a temporary borrowing mechanism with the requirement of repayment within the same transaction."
"The attacker used the borrowed SOL to purchase tokens, potentially creating an opportunity for 5PXxuZ to withdraw liquidity from the curve."
"Crucially, 5PXxuZ itself initiated the withdrawal of all liquidity from the bonding curve, a clear departure from its standard behavior."
"The attacker then returned enough SOL to the platform to repay the flash loan. However, instead of creating a Raydium pool as expected, 5PXxuZ transferred the remaining SOL to a random account."
"5PXxuZ withdrawing liquidity and failing to create a Raydium pool directly contradicts its programmed behavior."
"Interestingly, 5PXxuZ acted as a cosigner for all the attacker's transactions. This implies the attacker had the ability to initiate actions using the compromised private key."
"While the possibility of an inside job cannot be entirely ruled out, the evidence heavily favors a scenario where the private key for 5PXxuZ was compromised, allowing the attacker to manipulate the platform for their gain."
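As an added illustration, not part of the cited analysis or of pump.fun's own code, here is a toy Python model of the transaction sequence quoted above. The 129 SOL loan is the page's figure; the completion threshold, account names and liquidity amounts are constructed. It shows that the flash loan only pushes a curve to 100%, that the attacker's profit equals the SOL other buyers had already deposited, and an invariant a monitor (or the program itself) could enforce on authority withdrawals.

```python
from dataclasses import dataclass

FLASH_LOAN_SOL = 129.0     # figure quoted in the technical analysis above
COMPLETION_SOL = 150.0     # hypothetical reserve level at which a curve is "100%"
RAYDIUM = "raydium_pool"   # placeholder for the pool the authority is meant to create


@dataclass
class Instruction:
    name: str               # flash_borrow | buy | withdraw | create_pool | transfer | flash_repay
    amount: float = 0.0
    destination: str = ""


def exploit_sequence(prior_liquidity: float) -> list[Instruction]:
    """Constructed transaction mirroring the steps described on the page."""
    reserves = prior_liquidity + FLASH_LOAN_SOL   # loaned SOL bridges the gap to 100%
    if reserves < COMPLETION_SOL:                 # authority only acts on a completed curve
        raise ValueError("curve did not complete; nothing to withdraw")
    drained = reserves                            # authority withdraws everything, not just the loan
    return [Instruction("flash_borrow", FLASH_LOAN_SOL),
            Instruction("buy", FLASH_LOAN_SOL),
            Instruction("withdraw", drained),
            Instruction("flash_repay", FLASH_LOAN_SOL),
            Instruction("transfer", drained - FLASH_LOAN_SOL, "random_account")]


def graduation_sequence(reserves: float) -> list[Instruction]:
    """Constructed normal path: a completed curve's SOL is moved into a Raydium pool."""
    return [Instruction("withdraw", reserves),
            Instruction("create_pool", reserves, RAYDIUM)]


def attacker_profit(tx: list[Instruction]) -> float:
    borrowed = sum(i.amount for i in tx if i.name == "flash_borrow")
    withdrawn = sum(i.amount for i in tx if i.name == "withdraw")
    return withdrawn - borrowed                   # equals what other users had deposited


def violations(tx: list[Instruction]) -> list[str]:
    """Invariants on an authority withdrawal: a pool must be created in the same
    transaction, and the withdrawn SOL may only move into that pool."""
    names = [i.name for i in tx]
    findings = []
    if "withdraw" in names and "create_pool" not in names:
        findings.append("withdraw without create_pool in the same transaction")
    findings += [f"SOL sent to {i.destination} instead of {RAYDIUM}"
                 for i in tx if i.name == "transfer" and i.destination != RAYDIUM]
    return findings
```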
Solana transaction signature: jWbhFY2pQ6r3FxRSFHgx7cGsp58J8B1Zb7ABf7xvgUjWyL5eCZKYSpvtnoKksW7p4m8p8NASD25sXhQ81hYdHHM
Total Amount Lost
The total amount lost has been estimated at $1,900,000 USD.
Immediate Reactions
"1. the http://pump.fun contracts are safe. they have always been safe 2. a former employee used their privileged position at the company to misappropriate ~12.3K SOL (~$1.9m)"
"3. http://pump.fun is back live. you can launch new coins and trade any coin that did not reach 100% between 15:21-17:00 UTC 4. to make users whole, any coin that reached 100% between 15:21-17:00 UTC will go live on raydium with >= 100% of the liquidity that it previously had within the next 24 hours 5. trading fees are now 0% for the next 7 days"
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
The total amount recovered is unknown.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- SlowMist Hacked - SlowMist Zone (Jun 6, 2024)
- Pump (Jun 7, 2024)
- Pump (Jun 7, 2024)
- PUMP.FUN Hack explained: Build your own Safer Pump.fun Clone | by Akash Kumar Jha | May, 2024 | Medium (Jun 7, 2024)
- @pumpdotfun Twitter (Jun 7, 2024)
- https://explorer.solana.com/tx/jWbhFY2pQ6r3FxRSFHgx7cGsp58J8B1Zb7ABf7xvgUjWyL5eCZKYSpvtnoKksW7p4m8p8NASD25sXhQ81hYdHHM (Jun 7, 2024)