$2M Lost from Solana-Based Pump.fun in Flash Loan Attack

by

As a seasoned crypto investor with several years of experience under my belt, I can’t help but feel a pang of disappointment and frustration upon hearing about the recent loss suffered by Pump.fun. The platform, which is built on Solana, reported a significant hit of around $300k+ in SOL and various memecoins due to a flash loan attack.

As a researcher studying the blockchain ecosystem, I came across an unfortunate incident where Pump.fun, a popular platform built on Solana, reported a significant loss of approximately $2 million. This setback was a result of a flash loan attack. Maliciously leveraging the platform’s bonding curve contracts, a clever hacker managed to borrow substantial sums of money without any collateral, as long as they repaid the loans within a single transaction.

1/6It seems like @pumpdotfun lost ~2k SOL ($300k+) and a bunch of memecoins through a possible private key leakageSo let me share evidence of itπŸ‘‡β€” Igor Igamberdiev (@FrankResearcher) May 16, 2024

The significant role in the vulnerability was played by the suspected breach of the secret key linked to the 5PXxuZ service account of fun., which usually manages the transfer of liquidity from the bonding curve to Raydium, a Solana-based decentralized exchange.

During normal operations, the service account 5PXxuZ functions by drawing liquidity from the bonding curve and transferring it into Raydium. However, during the hack, this account behaved unusually. Instead of adding liquidity to Raydium as intended, 5PXxuZ withdrew an excessive amount from the curve and sent the equivalent SOL back to the attackers, repaying their flash loan. In essence, the account made a donation to a malicious address instead.

The team informed the public later on that they had taken control of all trading operations and any coins being transferred to Raydium would be temporarily frozen.

Read More

2024-05-17 03:48