Pump.fun was stolen in the early morning, a brief account of the incident

Original author: Charlemagne, crypto KOL

Original translation: Crypto Wei, AC Capital partner

Pump theft incident lazy package, thanks to @0x_charlemagne for his wonderful analysis of the cause of the accident, translated here and added my personal speculation.

How did the attack work?

First of all, the attacker @STACCoverflow is not a great hacker, but a former employee of @pumpdotfun. He has the wallet account that Pump uses to create each Tugou Raydium trading pair, which we call the "hacked account". And all the Bonding Curve LP pots created on Pump before they meet the Raydium standard are called "preparatory accounts".

The attacker borrowed a flash loan from @marginfi to fill all the pools that had been created but not filled to the state of being listed on Raydium. Originally, the operation that would happen at this time was that the $Sol originally in the virtual pool's "preparatory account" would be transferred to this "hacked account" because it met the standards for listing on Raydium. But at this time, the attacker withdrew the transferred $Sol, making these memecoins that should have been listed on Raydium and locked in the pool unable to be listed on Raydium (because the pool had no money)

So, whose money did the attacker hack?

In response to this, @0x_charlemagne explained:

First of all, it was definitely not @marginfi's. Because the flash loan money is returned in the same block, its purpose is only to trigger the operation of transferring money from the reserve account to the hacked account, so there will be no loss.

Secondly, the local dogs that have been sent to Raydium in the past should not be affected because the LP has been locked (personal speculation)

The unlucky ones should be the users who bought in all the unfilled pools in the entire Pump before this attack, and their $Sol was transferred away by the above attack. This also explains why the loss may be as much as $80M (Note: According to the latest information, the loss amount is about 2 million US dollars).

Why does the attacker have the private key of this "hacked account"?

First of all, it must be the improper management of the team. There is no way to wash it off, just like the patriotic network development general of North Korea in Blast.

Secondly, we can guess that filling the pool may be one of the attacker's previous jobs. Just like when Friendtech V1 was launched last year, there were a large number of robots rushing to buy your key. In the first few days, it was probably the official one, which played the role of market making for the key and guiding the initial heat.

It can be boldly speculated that at that time, in order to do the initial cold start, Pump asked the attacker to use the project's own money to fill the pool of coins issued (most of them are probably issued by themselves, such as $test $alon) and let them go to Raydium and then pull the market to create attention. It's just that I didn't expect that it would become the key of the insider in the end.

Lessons learned

First of all, copycats must pay attention, don't be stupid and just copy the fur, meaning that people will come to trade after the product is made and put it there. You have to provide an initial push for mutual assistance.

Then you must do a good job of permission management and pay attention to security.

Original link

欢迎加入律动 BlockBeats 官方社群：

Telegram 订阅群： https://t.me/theblockbeats

Telegram 交流群： https://t.me/BlockBeats_App

Twitter 官方账号： https://twitter.com/BlockBeatsAsia