# RugTrace Investigation Report

![Case-level investigation graph](/case-reports/pumpfun-insider-flashloan-swarm-2024-05/graph.svg)

## 1. Executive Summary

This report examines a case-level fund-flow graph associated with the **pump.fun insider flash-loan bonding-curve exploit** reported in May 2024. Public post-mortem reporting attributed approximately **$1.9M / 12,300 SOL** in losses to the incident, with some independent analyses citing roughly 2,000 SOL directly drained.

The graph depicts a **"Merged attack source"** node (risk score 0.92) distributing funds to **11 distinct destination wallets** in equal amounts of 54,286 units each. The flow pattern is consistent with a **split-and-scatter exit strategy**, where stolen funds are rapidly fanned out across multiple wallets to complicate tracing. The transaction interacts with **pump.fun**, **Raydium**, and **MarginFi** programs — all named in public reporting of this incident.

**Important caveat:** The graph metadata explicitly warns that candidate transactions were sourced from Solana RPC `getSignaturesForAddress` queries on a Solscan-linked wallet cited by crypto.news. These transactions are **fixtures requiring manual role review** before being treated as verified exploit transactions. Confidence across all candidate edges is rated **low**.

---

## 2. Input Transaction

| Field | Value |
|---|---|
| **Signature** | `case:pumpfun-insider-flashloan-swarm-2024-05` |
| **Block Time** | 2026-05-01T10:19:47.732Z |
| **Signer(s)** | pump.fun 35-tx exploit swarm |
| **Programs Involved** | pump.fun, Raydium, MarginFi |
| **Native Transfers** | 11 outgoing transfers from "Merged attack source" |
| **Token Transfers** | None recorded |
| **Native Balance Deltas** | None recorded |
| **Token Balance Deltas** | None recorded |

The input transaction represents a **case-level aggregation** rather than a single on-chain transaction. It combines source-reported entities and candidate transaction fixtures into a unified investigative graph.

---

## 3. Victim-Side Fund Flow

**Victim wallet:** `pump.fun 35-tx exploit swarm` (risk score: 0.35)

| Fact | Detail |
|---|---|
| Incident date | 2024-05-16 to 2024-05-17 |
| Severity | Critical |
| Reported loss | $1.9M / 12,300 SOL (pump.fun post-mortem); ~2,000 SOL directly drained per some analyses |
| Incident type | Reported insider / service-account flash-loan bonding-curve exploit |

The victim node represents the **protocol-level or user-facing victim context**. The graph records a single edge from the victim to the "Merged attack source" node, representing the reported initial exploit movement of 54,286 USD/SOL-equivalent units. No further downstream victim-side wallet activity is depicted in this graph slice.

---

## 4. Suspect-Side Fund Flow

**Suspect wallet:** `Merged attack source` (risk score: 0.92)

The suspect node received funds from the victim context and subsequently distributed them to **11 distinct destination wallets** in a rapid fan-out pattern:

| # | Destination (truncated) | Amount | Token | Edge Role |
|---|---|---|---|---|
| 1 | `ZQHT6LrW...H4FEXE` | 54,286 | SOL/token | funding |
| 2 | `fxcUBpnc...qWW` | 54,286 | SOL/token | funding |
| 3 | `n8PGr6th...boD` | 54,286 | SOL/token | funding |
| 4 | `4Wz3rHHw...oqBU` | 54,286 | SOL/token | funding |
| 5 | `2NuRckNN...wram` | 54,286 | SOL/token | funding |
| 6 | `5sVX4cGL...Aa8i` | 54,286 | SOL/token | funding |
| 7 | `4vdqFS2U...9rH` | 54,286 | SOL/token | funding |
| 8 | `31fizNwZ...zHVq` | 54,286 | SOL/token | funding |
| 9 | `UqSjsBMY...BtTJ` | 54,286 | SOL/token | funding |
| 10 | `2Tyy8kHg...z3rT` | 54,286 | SOL/token | funding |

Additionally, the graph contains **25 further candidate transactions** (tx #11 through #35) linked to the suspect node, classified as "other" or "split" roles. These include 10 transactions labeled as "split" role, suggesting additional fund fragmentation activity.

**Total fan-out degree:** 10 (funding) + additional "other" and "split" edges
**Unique destination count:** 11
**Max single-hop amount:** 54,286 units

The equal-amount distribution across 10+ wallets in a single movement is characteristic of a **split-and-scatter exit** pattern, where funds are deliberately fragmented to hinder tracing.

---

## 5. Wallets Involved

| Node ID | Type | Role | Label | Risk Score |
|---|---|---|---|---|
| `victim-pumpfun-insider-flashloan-swarm-2024-05` | wallet | victim | pump.fun 35-tx exploit swarm | 0.35 |
| `case-pumpfun-insider-flashloan-swarm-2024-05` | wallet | suspect | Merged attack source | 0.92 |
| `entity-...-0-reported-attack-wallet` | wallet | intermediate | Reported attack wallet | 0.52 |
| `entity-...-1-pump-fun` | wallet | program | pump.fun | 0.52 |
| `entity-...-2-raydium` | program | program | Raydium | 0.52 |
| `entity-...-3-marginfi` | program | program | MarginFi | 0.52 |
| `entity-...-4-slerf-saga-holder-airdrop-context` | wallet | intermediate | SLERF / SAGA / holder airdrop context | 0.52 |
| `memory-pumpfun-insider-flashloan-swarm-2024-05` | pattern | memory | Flash Loan Swarm | 0.86 |

**Notes on intermediate nodes:**
- The **"Reported attack wallet"** is linked from crypto.news/Gotbit social reporting as buying pump.fun tokens within minutes of launch.
- The **SLERF/SAGA/holder airdrop context** node references public reporting about random airdrops to specific holder communities.

---

## 6. Evidence Table

| Signature | From | To | Amount | Token | Interpretation |
|---|---|---|---|---|---|
| `case:pumpfun-insider-flashloan-swarm-2024-05` | victim-pumpfun-insider-flashloan-swarm-2024-05 | case-pumpfun-insider-flashloan-swarm-2024-05 | 54,286 | USD/SOL | reported insider / service-account flash-loan bonding-curve exploit |
| `ZQHT6LrWT3RbtrcAXp1WF9GNKakh646DYCSrbU2WfnHa39U8Y4A6wRfiRZyi732SSaaLivyEcrx1PEQFRH4FEXE` | case-pumpfun-insider-flashloan-swarm-2024-05 | ZQHT6LrWT3RbtrcAXp1WF9GNKakh646DYCSrbU2WfnHa39U8Y4A6wRfiRZyi732SSaaLivyEcrx1PEQFRH4FEXE | 54,286 | SOL/token | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `fxcUBpnc5pZKoVUrry8WxX3kyi3dLZoHyKUtJJC62PbS8mSAc97Kui814EaBpod1UtEREBymELRVm2W4yjxPqWW` | case-pumpfun-insider-flashloan-swarm-2024-05 | fxcUBpnc5pZKoVUrry8WxX3kyi3dLZoHyKUtJJC62PbS8mSAc97Kui814EaBpod1UtEREBymELRVm2W4yjxPqWW | 54,286 | SOL/token | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `n8PGr6th5m5NbzkpbpouFuxCen8QnDVCDUAPTgACyCBodr6zQh8sxV55ikXowYEuHcL22DzUwCUG5EH2bosSboD` | case-pumpfun-insider-flashloan-swarm-2024-05 | n8PGr6th5m

## 6. Evidence Table
| Signature | From | To | Amount | Token | Timestamp | Interpretation |
|---|---|---|---:|---|---|---|
| `case:pum...024-05` | `victim-p...024-05` | `case-pum...024-05` | 54286.000000 | USD/SOL | unknown | reported insider / service-account flash-loan bonding-curve exploit |
| `ZQHT6LrW...H4FEXE` | `case-pum...024-05` | `ZQHT6LrW...H4FEXE` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `fxcUBpnc...jxPqWW` | `case-pum...024-05` | `fxcUBpnc...jxPqWW` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `n8PGr6th...osSboD` | `case-pum...024-05` | `n8PGr6th...osSboD` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `4Wz3rHHw...oqoqBU` | `case-pum...024-05` | `4Wz3rHHw...oqoqBU` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `2NuRckNN...6gwram` | `case-pum...024-05` | `2NuRckNN...6gwram` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `5sVX4cGL...CoAa8i` | `case-pum...024-05` | `5sVX4cGL...CoAa8i` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `4vdqFS2U...UKH9rH` | `case-pum...024-05` | `4vdqFS2U...UKH9rH` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `31fizNwZ...qnzHVq` | `case-pum...024-05` | `31fizNwZ...qnzHVq` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `UqSjsBMY...c4BtTJ` | `case-pum...024-05` | `UqSjsBMY...c4BtTJ` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `2Tyy8kHg...tHz3rT` | `case-pum...024-05` | `2Tyy8kHg...tHz3rT` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |