Pump.fun Crypto Platform Exploited, Resulting in Huge Financial Losses

2024/05/17 10:14

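On May 16, the Pump.fun meme coin platform on Solana was exploited, resulting in the loss of SOL worth approximately $2 million. The attacker, known as Jarrett or STACCOverflow, used flash loans to manipulate the platform's bonding curve, obtaining SOL without using any funds of their own and thereby preventing tokens from being listed on the Raydium DEX.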

Exploitation of Pump.fun Cryptocurrency Platform Results in Significant Financial Losses

On May 16, 2023, at 15:21 UTC, pump.fun, a meme coin creation platform operating within the Solana (SOL) ecosystem, fell victim to a malicious exploitation. The incident resulted in the theft of approximately 12,300 SOL, valued at nearly $2 million at the time of the attack.

Exploitation Details

The attacker exploited a vulnerability in the platform by utilizing flash loans from Margin.fi. This technique allowed the attacker to obtain SOL without using any of their own funds and subsequently use these funds to purchase pump.fun tokens. The attacker's actions manipulated the platform's bonding curve, pushing it to its limit, and effectively preventing the listing of new tokens on Raydium DEX, a prominent decentralized exchange in the Solana ecosystem.

Response and Mitigation

In response to the attack, the pump.fun team swiftly upgraded its contracts to prevent further exploitation. They also suspended trading on the platform and reassured users that the total value locked (TVL) within the protocol remained secure. The team expressed their commitment to safeguarding their users and cooperating with relevant authorities, including law enforcement, to mitigate the damage caused by the attack.

Alleged Attacker Identity

Intriguingly, the attacker in this incident has been identified as a former employee of pump.fun, Jarrett, also known by the pseudonym STACCOverflow. Following the attack, Jarrett took to social media to criticize the company, expressing his dissatisfaction and intent to disrupt its operations. In a series of posts, he alleged mistreatment and expressed a desire to "change the course of history." Jarrett has stated that he has no concerns about potential legal repercussions.

Distribution of Exploited Funds

Jarrett has also announced his intention to distribute the stolen funds through an airdrop to various online communities, a move that has drawn comparisons to the legendary figure of Robin Hood in the crypto community.

Post-Mortem and Recovery Plan

Approximately five hours after the initial incident, pump.fun published a post-mortem report. The report detailed the redeployment of contracts and the resumption of trading with a 0% fee for the subsequent seven days. The team also pledged to seed liquidity pools (LPs) for the affected tokens to restore trading functionality.

The pump.fun team acknowledged that tokens that reached 100% value between 15:21 and 17:00 UTC were in a state of limbo, unable to be traded until liquidity pools could be deployed. They promised to provide equal or greater SOL liquidity to the affected tokens within 24 hours and expressed confidence in the resilience of the platform.

Call for Vigilance

While pump.fun has claimed to have recovered from the attack, the crypto community is urged to remain vigilant. Scammers may attempt to exploit the incident by impersonating the pump.fun team and distributing malicious links under the guise of reimbursement claims. It is essential to exercise caution and only trust official communications from reputable sources.
