Pump.fun was hacked for 1.9 million dollars, is the Solana meme season over?
Author: 0xFacai, BlockBeats
On May 17, according to community feedback, pump.fun was suspected to have been attacked, with the attacker exploiting a vulnerability to participate infinitely in the meme coins released by the platform. As of the time of writing, the Phantom wallet has temporarily blocked the pump.fun project’s official website. Subsequently, Pump.fun stated in a post on X that the team realized the contract had been leaked and is currently under investigation.
On May 17, pump.fun released the latest event update, stating that its contract is secure and that the attack incident involved a former employee who misappropriated approximately 12,300 SOL (about 1.9 million USD) by taking advantage of their privileged position in the company. Currently, the pump.fun team has redeployed the contract, and trading will resume within the next 7 days. To compensate users, the pump.fun team will inject liquidity greater than or equal to the affected tokens' SOL liquidity for each affected token within the next 24 hours after 15:21 UTC.
Could it be an insider job, just because of "being discovered in a relationship"?
Wintermute's research director, Lgor Lamberdiev, posted that the attack on pump.fun was likely due to a private key leak, resulting in the theft of 2,000 SOL and a large amount of MEME coins.
Lamberdiev explained that 5PXxuZ is Pump's service account, primarily used to transfer liquidity from the pump.fun joint curve to Raydium. The usual process requires someone to make the final transaction and add sufficient liquidity to deploy the Raydium pool, after which 5PXxuZ withdraws all liquidity from the curve and adds it to Raydium.
Normal liquidity transfer process for pump.fun, image source from Lamberdiev
However, in this attack, the process changed to the trader opening a flash loan of 129 SOL to purchase meme tokens, allowing 5PXxuZ to extract liquidity from the joint curve, and then repaying the flash loan, while a liquidity pool could not be created on Raydium.
Transaction process after the attack on pump.fun, image source from Lamberdiev
Interestingly, 5PXxuZ is a co-signer for all attack transactions, leading Lamberdiev to believe that while there is a possibility of insider involvement, it at least indicates that the team's private key has been leaked.
5PXxuZ is a co-signer for the attack transactions, image source from Lamberdiev
The behind-the-scenes attacker also seems to be quite high-profile, as X user @STACCoverflow tweeted that they are "about to change the course of history." Additionally, they hinted in the tweet that they do not intend to keep the stolen funds but plan to transfer the remaining balance of the joint curve to some token users.
Another X user, @gucciprayers, stated that the incident occurred because two developers of pump.fun fell in love, and after being discovered by the founder, one of them "threatened to expose their secret through memes," leading the other to panic and hack the platform to prevent the meme from being deployed. Of course, the authenticity of this claim has yet to be verified.
Pump.fun has already made a fortune
As a platform dedicated to meme trading, Pump.fun was initially launched for Solana. On this platform, people can deploy tokens at a cost of less than 2 USD. Currently, Pump.fun may already be the largest Memecoin platform in the Solana ecosystem and has added support for Ethereum L2 Blast.
Due to the extremely low cost of launching memes, a large number of new trading pairs are listed on decentralized exchanges every day, making it a fast-paced field. However, because of this, the average lifespan of most meme projects often lasts only 24 hours or even shorter, mainly because bad actors attempt to exploit this frenzy by orchestrating scams and marketing to deceive ambitious and unsuspecting investors.
According to Dune data, the total revenue of the pump.fun protocol has reached 147,661 SOL, approximately 21.58 million USD. As a project launched in January this year, pump.fun's cash flow revenue is undoubtedly high.
Image source from https://dune.com/hashed_official/pumpdotfun
Is the Solana meme season over?
After the theft from pump.fun, there has been much discussion in the community about this meme issuance product, with many users stating that they "rarely make money on the platform." X user @YeruiZhang expressed that the emergence of pump.fun marks "the end of the Sol meme season, akin to what Blur is to ETH NFTs," a viewpoint that has sparked heated discussions in the community.
@YeruiZhang believes that pump.fun has lowered the trading range of memes on Solana from millions or even tens of millions of dollars to the hundred-thousand-dollar level. Although there are a few success stories, the emergence of pump.fun has made the starting point for meme coin speculation lower, increasing the difficulty of early control. Additionally, the appearance of many similarly named meme coins can lead users to mistakenly buy the wrong meme, further consuming their sentiment towards "taking over."
On the other hand, @tradergirlsuki does not believe this signifies the end of meme coins, stating that new, high-quality token issuance mechanisms and other categories of on-chain assets will emerge.
@tradergirlsuki argues that early control is crucial for the launch of memes; without holding the chips, it is challenging to initiate a launch. Since pump.fun makes it difficult for retail investors to make money, the market will naturally seek new avenues, as "chasing low-quality tokens and seeking alpha is an eternal proposition."
Currently, the pump.fun team has redeployed the contract, and trading will resume within the next 7 days. To compensate users, the pump.fun team will inject liquidity greater than or equal to the affected tokens' SOL liquidity for each affected token within the next 24 hours after 15:21 UTC. Will the meme season in Solana come to an end? Will there be new "pump.fun" alternatives in the ecosystem? This is something we will continue to monitor.