In a shocking revelation, Solana memecoin creation tool pump.fun has accused a former employee of orchestrating a $1.9 million exploit through a sophisticated “bonding curve” attack. The company alleged in a May 16 post on X (formerly Twitter) that the ex-employee leveraged their “privileged position” to access a “withdraw authority” and manipulate the platform’s internal systems.

The exploit reportedly resulted in the theft of $1.9 million from pump.fun’s bonding curve contracts, which held a total of $45 million. Despite the attack, pump.fun assured users that its smart contracts remain secure and that affected users will receive full restitution of their funds within the next 24 hours. Trading on the platform, which had been temporarily halted, has since resumed.

Before pump.fun’s public disclosure, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, suggested that the hack was caused by an internal private key leak. He pointed to X user “STACCoverflow” as a possible suspect. In a series of cryptic posts, STACCoverflow hinted at their involvement, claiming they were “about to change the course of history” and showed a lack of concern for the consequences, stating, “I am already fully doxxed.”

The attacker allegedly utilized flash loans from the Solana lending protocol Raydium to borrow Solana (SOL) and purchase as many coins as possible. By maxing out the bonding curves, the exploiter accessed the liquidity, repaid the flash loans, and stole approximately 12,300 SOL, worth $1.9 million. The attack occurred between 3:21 pm and 5:00 pm UTC on May 16.

Pump.fun emphasized its cooperation with law enforcement in investigating the incident. While the identity of the former employee has not been disclosed, the platform is committed to ensuring that affected users recover their funds.

This incident highlights the risks inherent in the rapidly evolving world of cryptocurrency, where even insiders can pose significant threats to security.