The Solana-based memecoin launchpad Pump.fun fell victim to an insider exploit on May 16, 2024, when a former employee leveraged privileged access to drain approximately $1.9 million from the platform’s bonding curve contracts. The incident, which sent ripples through the Solana ecosystem, highlights the persistent threat of insider attacks in decentralized finance platforms even when smart contracts themselves remain secure.
The Exploit Mechanics
The attacker exploited a critical access control vulnerability rather than a smart contract flaw. As a former employee, the individual retained access to a “withdraw authority” — a privileged administrative function within Pump.fun’s bonding curve system. This access allowed them to manipulate liquidity pools without triggering standard security alerts.
The attacker used flash loans from Raydium, a Solana-based lending protocol, to borrow large amounts of SOL. They then used these borrowed funds to purchase memecoins on Pump.fun, driving them to 100% completion on their bonding curves. Once the coins reached full bonding curve completion, the attacker could access the bonding curve liquidity and repay the flash loans, pocketing the difference. Approximately 12,300 SOL, worth around $1.9 million at the time, was siphoned between 3:21 PM and 5:00 PM UTC on May 16.
Bitcoin was trading at approximately $67,000 at the time of the attack, with Solana priced near $170, reflecting the broader bullish sentiment that characterized the crypto market in mid-May 2024.
Affected Systems
Pump.fun’s bonding curve contracts held approximately $45 million in total liquidity before the attack. The $1.9 million stolen represented roughly 4.2% of total funds locked. While the percentage may seem modest, the attack’s impact extended beyond direct financial losses. The platform was forced to temporarily halt trading, disrupting the memecoin launch ecosystem that had become a significant driver of Solana network activity.
Users who interacted with Pump.fun during the attack window — between 3:21 PM and 5:00 PM UTC — were directly affected. Pump.fun pledged to reimburse impacted users with “100% or more of the liquidity” they held prior to the attack, restoring confidence in the platform’s commitment to its community.
The Mitigation Strategy
Pump.fun responded swiftly to the incident. The platform publicly identified the exploit as an insider attack in a detailed post-mortem published on May 16. Trading was temporarily paused while the team assessed the damage and implemented additional security measures. By May 17, the platform had resumed operations, assuring users that its smart contracts remained safe and uncompromised.
The platform collaborated with law enforcement agencies to investigate the incident and pursue the former employee. Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, publicly linked the exploit to an X user known as “STACCoverflow,” who posted cryptic messages about “changing the course of history” before the attack was publicly disclosed.
Lessons Learned
The Pump.fun exploit underscores a fundamental truth in crypto security: the strongest smart contract code is rendered useless if administrative access controls are weak. Key lessons include the critical importance of revoking access credentials immediately upon employee departure, implementing multi-signature requirements for privileged operations, and establishing real-time monitoring for unusual administrative actions. The attack also demonstrates that flash loan attack vectors continue to evolve, combining external borrowing with insider access to create sophisticated multi-layered exploits.
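As an added illustration of the controls this section calls for (not Pump.fun's code; every key name, threshold and log line below is constructed), the following Python models two defences against the failure described under "The Exploit Mechanics": a registry that revokes a departing employee's withdraw authority on offboarding and requires a co-signature threshold for privileged withdrawals, and a monitor that runs over constructed admin-action log lines and raises the alerts that did not fire during the attack, namely privileged actions signed by a revoked key and withdrawal volume above a cap inside a sliding time window.

```python
"""Defensive model of withdraw-authority gating and admin-action monitoring.

Constructed example for illustration; not Pump.fun code. Key names, the
co-signature threshold, the volume cap and the log lines are all assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AuthorityRegistry:
    """Tracks which keys may sign privileged withdrawals and how many must co-sign."""
    active: set
    threshold: int
    revoked: set = field(default_factory=set)

    def offboard(self, key: str) -> None:
        """Revoke a key the moment its holder leaves; revocation is permanent here."""
        self.active.discard(key)
        self.revoked.add(key)

    def authorize(self, signers: set) -> tuple:
        """Allow a privileged withdrawal only with enough distinct, non-revoked signers."""
        if signers & self.revoked:
            return False, "revoked signer"
        valid = signers & self.active
        if len(valid) < self.threshold:
            return False, f"{len(valid)} of {self.threshold} required signatures"
        return True, "ok"


@dataclass
class AdminAction:
    ts: datetime
    signer: str
    action: str
    amount_sol: float


def parse_action(line: str) -> AdminAction:
    """Parse one constructed log line: '<iso timestamp> <signer> <action> <amount>'."""
    ts, signer, action, amount = line.split()
    return AdminAction(datetime.fromisoformat(ts), signer, action, float(amount))


def detect_anomalies(actions, registry, window=timedelta(minutes=30), max_sol_per_window=2000.0):
    """Return alert strings for revoked-key actions and excessive withdrawal volume."""
    alerts = []
    recent = []  # withdrawals inside the sliding window
    for a in sorted(actions, key=lambda x: x.ts):
        if a.signer in registry.revoked:
            alerts.append(f"{a.ts.isoformat()} revoked-key action by {a.signer}: "
                          f"{a.action} {a.amount_sol:.0f} SOL")
        if a.action == "withdraw":
            recent.append(a)
            recent = [w for w in recent if a.ts - w.ts <= window]
            total = sum(w.amount_sol for w in recent)
            if total > max_sol_per_window:
                alerts.append(f"{a.ts.isoformat()} withdrawal volume {total:.0f} SOL "
                              f"within {window} exceeds cap of {max_sol_per_window:.0f}")
    return alerts


def build_registry() -> AuthorityRegistry:
    """Assumed key set: three ops keys plus one ex-employee key that gets offboarded."""
    reg = AuthorityRegistry(active={"ops-key-1", "ops-key-2", "ops-key-3", "ex-employee-key"},
                            threshold=2)
    reg.offboard("ex-employee-key")
    return reg


# Constructed admin-action log; timestamps loosely follow the attack window in the text.
SAMPLE_LOG = """\
2024-05-16T14:05:00+00:00 ops-key-1 set_fee 0
2024-05-16T15:21:00+00:00 ex-employee-key withdraw 900
2024-05-16T15:40:00+00:00 ex-employee-key withdraw 1500
2024-05-16T16:10:00+00:00 ex-employee-key withdraw 2200
2024-05-16T16:55:00+00:00 ops-key-2 withdraw 50
"""


def run_example():
    """Run the monitor over the constructed log with the offboarded registry."""
    actions = [parse_action(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return detect_anomalies(actions, build_registry())


if __name__ == "__main__":
    reg = build_registry()
    print(reg.authorize({"ex-employee-key"}))            # (False, 'revoked signer')
    print(reg.authorize({"ops-key-1"}))                  # (False, '1 of 2 required signatures')
    print(reg.authorize({"ops-key-1", "ops-key-2"}))     # (True, 'ok')
    for alert in run_example():
        print(alert)
```

The two checks are deliberately independent: the registry stops a revoked or lone key at the point of action, while the monitor catches volume that slips past a single compromised but still-valid key, which is why the lessons above list revocation, multi-signature and monitoring as three separate controls rather than one.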
User Action Required
For users of Pump.fun and similar launchpad platforms, this incident serves as a reminder to verify that platforms have robust key management practices. Users should monitor official communications during incidents and understand that “smart contract security” alone does not guarantee platform safety. Administrative key management, access revocation protocols, and operational security practices are equally critical components of a trustworthy platform. If you interacted with Pump.fun during the attack window, check the platform’s official channels for reimbursement instructions.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any cryptocurrency platform.
a former employee still had withdraw authority? that's not a hack, that's negligence. revoke access when people leave, it's access control 101
right? this is like leaving the keys in the ignition and being shocked someone drove off with the car. basic opsec failure
Flash loans from Raydium to pump bonding curves to 100% completion. The attacker basically used the platform's own mechanics against it. Clever but preventable with proper offboarding procedures.
$1.9m drained from memecoin liquidity pools and people still wonder why institutional money stays away from Solana ecosystem projects