Hacked the crypto coin launching platform

in #hacked, 7 months ago

The crypto coin launching platform @pumpdotfun was exploited for ~$1.9M when a former employee misused their privileged access (a private key compromise) and drained ~12.3K SOL.

The Hack Flow
To misappropriate funds, the rogue employee used flash loans on a Solana lending protocol to borrow SOL, then bought various coins to push their bonding curves to the 100% mark.

Once a curve reached 100%, the exploiter used their privileged access to withdraw the bonding curve liquidity and repaid the flash loans taken earlier.

The Attacker

An account on X with the handle @STACCoverflow claimed responsibility for the attack immediately after the exploit.

He posted that he had intended to redistribute the “remaining balances of bonding curves” to certain token users rather than keeping the stolen funds.

The account allegedly belongs to a doxxed developer who was previously employed at http://Pump.fun.

The attacker has already conducted random airdrops of $SOL, and multiple addresses have received the windfall of $SOL.

The Hack Aftermath

To contain the hack and prevent further fund loss, trading was halted on http://pump.fun at 17:00 UTC, and @pumpdotfun upgraded the contracts so that the attacker could not continue with the exploit.

Post-hack analysis revealed that a total of $45m of liquidity in the bonding curve contracts was at risk, but the exploiter could get hold of only ~$1.9m.

The http://pump.fun team has now successfully redeployed the contracts, and trading has also been unpaused.

The Mitigation

To tackle the FUD surrounding the platform, http://pump.fun has decided to offer 0% trading fees for the next 7 days.

The coins that were exploited (and reached the 100% mark on bonding curves) between 15:21 and 17:00 UTC (the duration of the exploit) are currently untradable until LPs are deployed for them on Raydium.

The http://pump.fun team stated that, within the next 24 hours, the LPs for all such affected coins will be seeded with an equal or greater amount of SOL liquidity than the coin had at 15:21 UTC.

The http://pump.fun team is committed to avoiding a repeat of such security incidents and is therefore collaborating with blockchain security firms to put a security mechanism in place that would minimize the risk of similar exploits in the future.
