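On May 16, the Pump.fun meme coin platform on Solana was exploited, resulting in the loss of approximately $2 million worth of SOL. The attacker, known as Jarrett or STACCOverflow, used flash loans to manipulate the platform's bonding curve, obtaining SOL without any funds of their own and thereby preventing tokens from being listed on the Raydium DEX.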
Exploitation of Pump.fun Cryptocurrency Platform Results in Significant Financial Losses
On May 16, 2023, at 15:21 UTC, pump.fun, a meme coin creation platform operating within the Solana (SOL) ecosystem, fell victim to a malicious exploitation. The incident resulted in the theft of approximately 12,300 SOL, valued at nearly $2 million at the time of the attack.
Exploitation Details
The attacker exploited a vulnerability in the platform by utilizing flash loans from Margin.fi. This technique allowed the attacker to obtain SOL without using any of their own funds and subsequently use these funds to purchase pump.fun tokens. The attacker's actions manipulated the platform's bonding curve, pushing it to its limit, and effectively preventing the listing of new tokens on Raydium DEX, a prominent decentralized exchange in the Solana ecosystem.
Response and Mitigation
In response to the attack, the pump.fun team swiftly upgraded its contracts to prevent further exploitation. They also suspended trading on the platform and reassured users that the total value locked (TVL) within the protocol remained secure. The team expressed their commitment to safeguarding their users and cooperating with relevant authorities, including law enforcement, to mitigate the damage caused by the attack.
Alleged Attacker Identity
Intriguingly, the attacker in this incident has been identified as a former employee of pump.fun, Jarrett, also known by the pseudonym STACCOverflow. Following the attack, Jarrett took to social media to criticize the company, expressing his dissatisfaction and intent to disrupt its operations. In a series of posts, he alleged mistreatment and expressed a desire to "change the course of history." Jarrett has stated that he has no concerns about potential legal repercussions.
Distribution of Exploited Funds
Jarrett has also announced his intention to distribute the stolen funds through an airdrop to various online communities, a move that has drawn comparisons to the legendary figure of Robin Hood in the crypto community.
Post-Mortem and Recovery Plan
Approximately five hours after the initial incident, pump.fun published a post-mortem report. The report detailed the redeployment of contracts and the resumption of trading with a 0% fee for the subsequent seven days. The team also pledged to seed liquidity pools (LPs) for the affected tokens to restore trading functionality.
The pump.fun team acknowledged that tokens that reached 100% value between 15:21 and 17:00 UTC were in a state of limbo, unable to be traded until liquidity pools could be deployed. They promised to provide equal or greater SOL liquidity to the affected tokens within 24 hours and expressed confidence in the resilience of the platform.
Call for Vigilance
While pump.fun has claimed to have recovered from the attack, the crypto community is urged to remain vigilant. Scammers may attempt to exploit the incident by impersonating the pump.fun team and distributing malicious links under the guise of reimbursement claims. It is essential to exercise caution and only trust official communications from reputable sources.