Pond.fun, the meme coin launchpad hosted on Linea, has been hacked by the project’s chief software engineer.
According to Pond.fun’s official disclosure on X, Pond.fun has been hacked this morning, with the initial on-chain and off-chain evidence pointing to a software engineer on Pond.fun’s team. The platform told users to avoid interacting with pond.fun in any capacity, including the efrogs and croak websites, but assured that Discord and Telegrams are still secure.
The attacker stole liquidity from Pond.fun’s smart contract and transferred the tokens to the privacy protocol Railgun, a privacy protocol that allows users to shield their transactions on the blockchain. The platform published a list of mainnet addresses that received and deposited the stolen assets. The total amount transferred was 64.8 Ethereum (ETH).
Pond.fun has tapped Chainalysis and Elliptic, blockchain analytics firms that track illicit crypto transactions, to help prevent the stolen funds from passing proof of innocence—since some centralized exchanges and other “serious” offramps require users to provide POI under Railgun. Failure to pas POI checks will ensure that the hacker cannot withdraw the funds from Railgun.
The situation echoes the recent hack of stablecoin bank Infini because it was also done by an insider. Specifically, the developer who helped set up the smart contract retained admin rights and then used these rights to drain the funds through Tornado Cash (TORN). Infini is still working to recover the stolen assets. The hack drained almost $50 million from Infini’s wallet and was identified as the second biggest loss in Feb. by Certik.
