
Pond.fun Falls Prey to Insider Attack
Pond.fun, a meme coin launchpad on Linea, has been compromised in a security exploit allegedly carried out by its head software engineer. The platform disclosed the compromise in an official announcement on X, advising users not to interact with its websites, efrogs and croak. Pond.fun nevertheless assured the community that its Discord and Telegram channels are secure.
64.8 ETH Stolen via Smart Contract Exploit
The attacker drained Pond.fun’s smart contract liquidity and transferred the stolen assets to Railgun, a privacy protocol that enables users to hide transactions. The value of the stolen assets was 64.8 Ethereum (ETH). The platform later published a list of mainnet addresses that received and deposited the funds.
Chainalysis and Elliptic Mobilized to Block Withdrawals
In response to the breach, Pond.fun enlisted blockchain analytics firms Chainalysis and Elliptic to track the stolen funds. The firms aim to prevent the hacker from bypassing proof-of-innocence (POI) checks, which centralized exchanges and serious off-ramps require for withdrawals when Railgun is used. If the hacker fails POI verification, they will be unable to cash out the stolen ETH.
Echoes of Infini’s $50M Insider Hack
This incident resembles the recent hack of the stablecoin bank Infini, where an insider used retained admin rights to drain nearly $50 million via Tornado Cash. That hack was the second-biggest crypto hack in February, according to CertiK. Infini is still attempting to recover the funds.