Pump Science partially blamed Solana-based software firm BuilderZ for leaving the private key to the dev wallet address on GitHub for the public to see.
4596 Total views
5 Total shares
Update (Nov. 28, 9:48 pm UTC): This article has been updated to clarify which private key was compromised and additional context on how the fake tokens were created.
Decentralized science (DeSci) platform Pump Science apologized to its users after its private key was leaked on GitHub, allowing a “known attacker” to create fraudulent tokens using its Pump.fun profile.
“We do not want to diminish how much of a screw-up this was, we totally acknowledge that this is a huge issue and misstep on our part,” Pump Science’s Benji Leibowitz said in an ask-me-anything (AMA) session hosted on X on Nov. 27.
“This absolutely will not happen again,” he said, adding:
“We’re never gonna launch tokens on pump.fun ever again.”
In earlier X posts on Nov. 25 and 26, Pump Science explained that private keys linked to its Pump.fun profile (pscience) were leaked on its GitHub, allowing the hacker to use it to create new, fraudulent tokens, including Urolithin B through to Urolithin E ($URO) and Cocaine ($COKE).
“Do not trust any new tokens launched from the pscience PumpFun profile,” Pump Science stressed.
“These were not created by our team and this wallet is compromised.”
Since the incident, Pump Science has changed its Pump.fun profile name to “dont_trust” to prevent people from buying fraudulent tokens, and it said it has partnered with blockchain security firm Blockaid to flag new mints coming from this address.
Pump Science partially blamed Solana-based software firm BuilderZ for leaving the private key for the offchain wallet address “T5j2U…jb8sc” in its GitHub codebase.
They thought these private keys were non-material because it was the offchain token address used to create the RIF and URO tokens, Pump Science explained to Cointelegraph.
The DeSci platform said the attacker couldn’t have been BuilderZ because the onchain token deployer address for the fraudulent tokens differed from the onchain address of the official Pump Science tokens.
”The onchain token create address does not match the onchain address that was used to create the URO and RIF tokens,” Pump Science said.
Pump Science suspects the hacker was the same person or group that hacked a wallet owned by James Pacheco, a founder at Solana-based commodity tokenization platform elmnts.
The DeSci protocol said it would conduct a “complete audit” of its front end and for future releases, run a bug bounty for penetration testing of the protocol and explore improved solutions for key management and security.
“New tokens will launch on pump science only after we have fully audited the app and smart contracts to ensure pump science is secure. Hopefully, we can make it by the holidays.”
Related: Decentralized science is like early DeFi in 2019: Crypto VC
Pump Science’s platform allows the trading of tokens tied to longevity medicines.
Its only two tokens are Rifampicin (RIF) and Urolithin A (URO), which boast market caps of $85.6 million and $37.2 million, respectively, CoinGecko data shows.
Rifampin is used to treat tuberculosis, while Urolithin A is a dietary supplement that modulates mitochondrial activity, offering potential antioxidant and anti-inflammatory benefits.
Magazine: Anti-aging tycoon Bryan Johnson almost devoted his life to crypto