A Quick Overview of the Causes and Consequences of the Pump.fun Attack Incident

AC Capital Research
2024-05-17 09:50:35
A former employee held the private key to the "hacked account"; poor team management is the primary cause.

Source: Charlemagne X account

Written by: Charlemagne

Compiled by: Crypto Veto, AC Capital

A summary of the Pump hack incident. Thanks to @0x_charlemagne for the brilliant analysis of the cause of the incident. Here is the translation along with some personal speculation.

How did the attack happen?

First of all, the attacker, @STACCoverflow, is not some elite hacker but a former employee of @pumpdotfun. He held the key to the wallet that has the authority to create the Raydium trading pair for each meme coin once it graduates; we will call this wallet the "hacked account." The bonding-curve pools of meme coins created on Pump that have not yet met the Raydium listing threshold we will call "preparatory accounts."

The attacker took a flash loan from @marginfi and used it to fill every pool that had been created but had not yet reached the Raydium listing threshold. What is supposed to happen at that point is that the $SOL in the virtual pool (the "preparatory account") is transferred to the "hacked account" because the listing threshold has been met, and from there into a locked Raydium liquidity pool. Instead, the attacker withdrew the incoming $SOL as it arrived, so these meme coins, which should have been listed on Raydium with their liquidity locked, were never listed (the pool had no money).
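The flow above is easier to see with a small model. The following Python is an added example, not code from Pump.fun, marginfi or the analyst: it models bonding-curve pools, a flash loan that tops every pool up to the listing threshold, and a two-step migration in which the graduated $SOL first lands in a key-controlled operator balance (the "hacked account") before the LP is created. The threshold, pool names and balances are constructed for the illustration; the real values are not on the page. A second design moves the $SOL into the LP in the same step with no withdraw entrypoint at all, which is the permission-management point of the lessons section.

```python
"""Toy model of the Pump.fun incident: bonding-curve pools, a flash loan that
fills them to the Raydium threshold, and a privileged withdraw key that lets
its holder intercept the SOL before the LP exists. All numbers are constructed;
GRADUATION_SOL is an assumed threshold, not the real one."""
from dataclasses import dataclass, field

GRADUATION_SOL = 85.0           # assumed listing threshold, in SOL
OPERATOR_KEY = "operator-key"   # key to the 'hacked account' (hypothetical)


class Unauthorized(Exception):
    pass


@dataclass
class BondingCurvePool:
    """A token still on its bonding curve (a 'preparatory account')."""
    token: str
    sol_reserve: float = 0.0
    contributions: dict = field(default_factory=dict)  # buyer -> SOL paid in
    migrated: bool = False

    def buy(self, buyer: str, sol: float) -> None:
        if self.migrated:
            raise RuntimeError(f"{self.token} already migrated")
        self.sol_reserve += sol
        self.contributions[buyer] = self.contributions.get(buyer, 0.0) + sol

    def ready_for_raydium(self) -> bool:
        return self.sol_reserve >= GRADUATION_SOL


class VulnerableMigration:
    """Two-step migration: graduate() parks the SOL in an operator balance and a
    key-gated withdraw() exists for operations. Whoever holds OPERATOR_KEY can
    take the SOL and simply never call create_lp()."""

    def __init__(self) -> None:
        self.operator_balance = 0.0
        self.lps: dict = {}  # token -> SOL locked in the Raydium LP

    def graduate(self, pool: BondingCurvePool) -> None:
        if not pool.ready_for_raydium():
            raise RuntimeError("threshold not met")
        self.operator_balance += pool.sol_reserve
        pool.sol_reserve = 0.0
        pool.migrated = True

    def withdraw(self, key: str, amount: float) -> float:
        if key != OPERATOR_KEY:
            raise Unauthorized("withdraw authority required")
        if amount > self.operator_balance:
            raise ValueError("insufficient balance")
        self.operator_balance -= amount
        return amount

    def create_lp(self, key: str, pool: BondingCurvePool, sol: float) -> None:
        if key != OPERATOR_KEY:
            raise Unauthorized("operator key required")
        self.operator_balance -= sol
        self.lps[pool.token] = sol


class HardenedMigration:
    """Single atomic step: graduate() moves the curve's SOL straight into the LP
    record. No operator balance, no withdraw entrypoint, so no key can be used
    to intercept the funds between graduation and listing."""

    def __init__(self) -> None:
        self.lps: dict = {}

    def graduate(self, pool: BondingCurvePool) -> None:
        if not pool.ready_for_raydium():
            raise RuntimeError("threshold not met")
        self.lps[pool.token] = pool.sol_reserve
        pool.sol_reserve = 0.0
        pool.migrated = True


def insider_attack(proto, pools, key: str = OPERATOR_KEY) -> float:
    """Flash-loan every unfilled pool up to the threshold, trigger graduation,
    then withdraw with the privileged key if the design offers one. Returns net
    SOL after repaying the loan in the same block (fee ignored); a negative
    result means the loan cannot be repaid and the real transaction reverts."""
    borrowed = 0.0
    for pool in pools:
        top_up = max(0.0, GRADUATION_SOL - pool.sol_reserve)
        pool.buy("insider", top_up)
        borrowed += top_up
    for pool in pools:
        proto.graduate(pool)
    taken = 0.0
    if hasattr(proto, "withdraw"):  # only the vulnerable design has one
        taken = proto.withdraw(key, proto.operator_balance)
    return taken - borrowed


def fresh_pools() -> list:
    """Constructed victims: three pools partially filled by ordinary buyers."""
    pools = [BondingCurvePool("A"), BondingCurvePool("B"), BondingCurvePool("C")]
    pools[0].buy("alice", 30.0)
    pools[1].buy("bob", 50.0)
    pools[2].buy("carol", 10.0)
    return pools


if __name__ == "__main__":
    print("victims' SOL in unfilled pools:", sum(p.sol_reserve for p in fresh_pools()))
    print("vulnerable design, insider net gain:", insider_attack(VulnerableMigration(), fresh_pools()))
    hardened = HardenedMigration()
    print("hardened design, insider net gain:", insider_attack(hardened, fresh_pools()))
    print("hardened design, SOL locked in LPs:", sum(hardened.lps.values()))
```

In the vulnerable design the insider's net gain is exactly the $SOL that earlier buyers had put into the unfilled pools, which is the answer to "whose money was taken": not the lender's, since the loan is repaid in the same block, and not the already-listed tokens', since their liquidity is locked. In the hardened design the flash-loaned $SOL ends up locked in the LP along with everyone else's, the loan cannot be repaid and the transaction fails.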

So, whose money did the attacker actually hack?

In response, @0x_charlemagne explained:

First, it definitely wasn't @marginfi's. A flash loan is repaid in the same block; its only purpose was to trigger the transfer from the preparatory accounts to the hacked account, so there was no loss there.

Secondly, the meme coins that had already been sent to Raydium should be unaffected, because their LP had already been locked (personal speculation).

The unfortunate ones are the users who had bought into all the pools on Pump that were not yet filled before the attack occurred; their $SOL was transferred away by the attack described above. This also explains why reported losses could be as high as $80M (Note: according to the latest information, the loss is approximately $2 million).

Why did the attacker have the private key to this "hacked account"?

First, it is certainly mismanagement by the team; there is no excuse for that, much like the case of the North Korean developer hired by a project on Blast.

Secondly, we can speculate that filling the pools may have been one of the attacker's previous job duties. When Friendtech V1 launched last year, there were many bots buying up your keys; in the first days those were probably official ones, there to make a market for the keys and generate initial hype.

It is a bold guess, but at that time Pump probably wanted an initial cold start and let the attacker use the project's own money to fill the pools of newly issued coins (most of which were probably their own, like $test and $alon) so they would list on Raydium and draw attention. They just did not expect that this key would end up in an insider's hands.

Lessons Learned

First, copycat projects must pay attention and not just replicate the surface: having a product does not mean people will come to trade. If you are running a mutual-aid-style project, you need to provide an initial push.

Second, make sure permissions are properly managed and take security seriously. Concretely, a key that can move user funds should not sit with a single employee: put it behind a multisig, revoke or rotate it when someone leaves, and design the migration so that graduated $SOL goes straight into the locked liquidity pool in one step, leaving no window in which a standalone key can withdraw it.

ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.