
Pond.fun, a meme coin launchpad hosted on Linea, has suffered a major security breach following an insider attack by its chief software engineer. The platform confirmed the hack in an official statement on X, warning users to avoid interacting with the site and its affiliated platforms, efrogs and croak. However, it assured users that its Discord and Telegram channels remain secure.
Details of the Hack
According to the platform’s disclosure, the attacker exploited liquidity from Pond.fun’s smart contract and transferred the stolen funds to Railgun, a privacy protocol that obscures transaction trails on the blockchain. The total amount siphoned was 64.8 Ethereum (ETH). Pond.fun also released a list of mainnet addresses involved in receiving and depositing the stolen assets.
Efforts to Block Fund Withdrawals
In response to the exploit, Pond.fun has enlisted blockchain analytics firms Chainalysis and Elliptic to track the stolen funds and prevent withdrawals. Since centralized exchanges and certain offramps require proof of innocence (POI) for transactions processed through Railgun, the attacker could face difficulties in accessing the stolen assets without clearing compliance checks.
Similarities to the Infini Hack
This incident bears similarities to the recent hack of stablecoin bank Infini, which was also perpetrated by an insider. In that case, a developer who had retained admin rights over the smart contract drained nearly $50 million in assets via Tornado Cash. The Infini hack was among the largest losses recorded in February, according to blockchain security firm CertiK.
Ongoing Investigation
Pond.fun continues to investigate the breach while working with security experts to mitigate further risks. The hack highlights ongoing vulnerabilities in DeFi platforms, particularly those related to insider threats. Users are advised to remain cautious and follow official updates from Pond.fun regarding security measures and recovery efforts.