Pump.fun, the popular tool for launching meme coins on Solana, suffered an exploit on Thursday that left the protocol compromised, and prompted its leadership to temporarily shut the site down. All the while, the apparent attacker behind the stunt gloated about it online.
The attack appeared to target accounts, called bonding curve contracts, that move the liquidity of tokens of a sufficient size created on Pump.fun, onto the Solana decentralized exchange (DEX) Raydium.
Some on-chain sleuths deduced that with the aid of a private key—one only an employee of Pump.fun would have access to—the attacker diverted funds earmarked for Raydium to unrelated wallet addresses.
Igor Igamberdiev, head of research at crypto market maker Wintermute, estimated that the attacker siloed off at least $2 million worth of SOL using this exploit.
In a twist, however, the attacker immediately began airdropping the stolen funds to random wallet addresses. He appears to have selected holders of a handful of Solana tokens and NFTs as the non-consenting recipients of the Pump.fun loot.
Within minutes of the attack, a Twitter account belonging to a former Pump.fun employee claimed responsibility for it. The user began posting extensively and somewhat erratically, writing that he was not afraid of imprisonment and was aware his identity was doxxed.
“Everybody be cool, this is robbery,” the account wrote. “I'm about to change the course of history. [And] then rot in jail. Am I sane? Nah. Am I well? [Very] much not. Do I want for anything? My mom raised from the dead.”
The account then began retweeting posts from thankful crypto users claiming to have received portions of the stolen funds from the attacker’s airdrops.
Decrypt reached out to the self-proclaimed attacker for more information about the exploit and his potential motivations for committing it.
“The threads are there, dig deeper,” was his only response.
A few hours after the attack, Pump.fun announced that it had paused trading on the protocol, and was investigating the issue. The company said it intended to cooperate with law enforcement; the self-proclaimed attacker is Canadian.
On a Twitter Spaces on Thursday afternoon, the self-proclaimed Pump.fun attacker said he had worked for Pump.fun for a few weeks, that he felt the company was “horribly managed,” and that he had “personal grievances” against the company’s leadership.
Asked why he committed the theft, he was extraordinarily blunt.
“I just kind of wanted to kill Pump.fun because it’s something to do,” he said. “It’s inadvertently hurt people for a long time.”
Decrypt reached out to Pump.fun to verify whether the self-proclaimed attacker did in fact previously work for the company, but did not immediately receive a response.
While Pump.fun has seen huge amounts of trading volume in the last few months as meme coin frenzy has overtaken crypto, it has also attracted criticism for fanning the flames of crypto’s more gambling-focused, purely speculative underbelly.
The self-proclaimed Pump.fun attacker said on Thursday—without providing any supporting details—that he observed the company to be on a downward path that he helped accelerate.
“They were going to kill themselves eventually, the way things were going,” he said.
One Spaces attendee asked the man whether he expected he would be sent to prison for his actions.
“I’m pretty sure there’s a fairly high chance of that,” he replied.
Edited by Andrew Hayward
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.