# RugTrace Investigation Report

![Case-level investigation graph](/case-reports/pumpfun-insider-flashloan-swarm-2024-05/graph.svg)

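## 1. Executive Summary
This report analyzes a suspected flash-loan and insider-information exploitation incident related to the pump.fun protocol. According to public reports and on-chain data, the attacker is suspected of exploiting a service-account vulnerability and using flash loans to operate on the bonding curve, causing a loss of approximately $1.9 million (or 12,300 SOL). Fund-flow analysis shows that the attack source ("Merged attack source"), after obtaining the funds, quickly dispersed large amounts (54,286 SOL/token units per transfer) to at least 11 different candidate transaction addresses, showing a typical "scatter and split" exit pattern. Based on the provided transaction and graph data, this report aims to trace the flow of funds, identify the related entities, and assess how closely the activity matches known attack patterns.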

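## 2. Input Transaction
- **Transaction signature**: `case:pumpfun-insider-flashloan-swarm-2024-05`
- **Block time**: 2026-05-01T10:19:47.732Z
- **Signer**: `pump.fun 35-tx exploit swarm` (victim context)
- **Programs involved**: pump.fun, Raydium, MarginFi
- **Transaction nature**: This transaction is a case-level aggregate node that represents the starting point of the fund flow for the entire attack. Its native transfer list shows the dispersal from the attack source to multiple addresses.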

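## 3. Victim Fund Flow
- **Victim wallet**: `pump.fun 35-tx exploit swarm`
- **Fund outflow**: According to the graph data, the victim wallet transferred 54,286 USD/SOL units to "Merged attack source". This transfer is labeled "reported insider / service-account flash-loan bonding-curve exploit".
- **Incident background**: According to reports, the incident occurred on May 16 to 17, 2024, with a severity of "critical", involving approximately $1.9 million or 12,300 SOL (some analyses indicate that about 2,000 SOL was drained directly).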

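## 4. Suspect Fund Flow
- **Suspect wallet**: `Merged attack source` (risk score: 0.92)
- **Fund dispersal**: After receiving the funds, the attack source made 11 separate native transfers of 54,286 SOL/token units each, one to each of 11 different addresses. These transfers are all labeled "candidate transactions"; they come from Solana RPC queries and relate to the wallet reported by crypto.news, but their roles require manual review to confirm.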
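- **Pattern characteristics**: Funds flow quickly and in equal amounts from a single source to multiple destinations, consistent with a "fan-out" and "dispersal" pattern.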

## 5. Wallets/Entities Involved
| Node ID | Type | Role | Label | Risk Score | Notes |
| :--- | :--- | :--- | :--- | :--- | :--- |
| `victim-pumpfun-insider-flashloan-swarm-2024-05` | Wallet | Victim | pump.fun 35-tx exploit swarm | 0.35 | Case-level victim context. |
| `case-pumpfun-insider-flashloan-swarm-2024-05` | Wallet | Suspect | Merged attack source | 0.92 | Case-level aggregate node; suspicious fund flow from the source report. |
| `entity-pumpfun-insider-flashloan-swarm-2024-05-0-reported-attack-wallet` | Wallet | Intermediary | Reported attack wallet |

## 6. Evidence Table
| Signature | From | To | Amount | Token | Timestamp | Interpretation |
|---|---|---|---:|---|---|---|
| `case:pum...024-05` | `victim-p...024-05` | `case-pum...024-05` | 54286.000000 | USD/SOL | unknown | reported insider / service-account flash-loan bonding-curve exploit |
| `ZQHT6LrW...H4FEXE` | `case-pum...024-05` | `ZQHT6LrW...H4FEXE` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `fxcUBpnc...jxPqWW` | `case-pum...024-05` | `fxcUBpnc...jxPqWW` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `n8PGr6th...osSboD` | `case-pum...024-05` | `n8PGr6th...osSboD` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `4Wz3rHHw...oqoqBU` | `case-pum...024-05` | `4Wz3rHHw...oqoqBU` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `2NuRckNN...6gwram` | `case-pum...024-05` | `2NuRckNN...6gwram` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `5sVX4cGL...CoAa8i` | `case-pum...024-05` | `5sVX4cGL...CoAa8i` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `4vdqFS2U...UKH9rH` | `case-pum...024-05` | `4vdqFS2U...UKH9rH` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `31fizNwZ...qnzHVq` | `case-pum...024-05` | `31fizNwZ...qnzHVq` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `UqSjsBMY...c4BtTJ` | `case-pum...024-05` | `UqSjsBMY...c4BtTJ` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |
| `2Tyy8kHg...tHz3rT` | `case-pum...024-05` | `2Tyy8kHg...tHz3rT` | 54286.000000 | SOL/token | unknown | Candidate tx from Solana RPC getSignaturesForAddress on the Solscan-linked wallet cited by crypto.news; dense graph fixture, needs manual role review. |