Decentralized science platform Pump Science has warned users of fraudulent tokens deployed via its Pump.fun account after its private key was leaked on GitHub.

According to a Nov. 27 announcement, the attacker managed to acquire private keys linked to its account on Pump.fun through a GitHub leak, enabling the creation of fraudulent tokens such as Urolithin B through to E (URO) and Cocaine (COKE) under Pump Science’s compromised profile.

Pump Science’s platform focuses on creating tokens tied to longevity medicine research. The project describes itself as a gamified longevity research initiative and aims to connect token holders with intellectual property rights for chemical compounds. It allows token holders to sell “intervention” rights to suppliers, integrating research and commerce.

Rifampicin (RIF) and Urolithin A (URO) are the only two tokens the project has launched. Rifampin, an antibiotic, is used to treat tuberculosis, while Urolithin A is studied for its potential to enhance mitochondrial function and muscle health. Prices of both RIF and URO tanked over 25% following the exploit.

Pump Science has advised users to avoid buying or interacting with any new tokens originating from the “pscience PumpFun profile,” warning that the attacker still has access to the compromised wallet.

Based on the post-attack report, the leak occurred due to private keys tied to the profile being inadvertently published in the project’s GitHub codebase.

Pump Science said the leak stemmed from an oversight on the part of BuilderZ, a Solana-based software development behind the development of the project, for leaving the private key for the developer wallet “T5j2U…jb8sc” in its GitHub codebase. The firm had mistakenly identified the keys as belonging to a test wallet and hence considered it “non-important.”

“[BuilderZ] left the private key to T5j in the codebase thinking that it was not the dev wallet, which it wasn’t, but this appeared so on the http://pump.fun front end due to the free token creation feature,” the project wrote.

Pump Science has renamed its Pump.fun profile to “dont_trust” and is collaborating with blockchain security firm Blockaid to flag fraudulent mints originating from the compromised address to avoid further exploitation. 

To address security concerns, the platform has vowed to do a complete audit of its front-end system and plans to run bug bounty programs for penetration testing. Further, future token launches will only occur after full app and smart contract audits, and the platform confirmed it will no longer launch tokens on Pump.fun.

Meanwhile, the community has criticized the project’s handling of the breach, with some users labeling it a scam and others questioning its operational competence. See below.

https://twitter.com/Jarred_Za/status/1861522562104123761

Private key leaks are among the leading causes of security breaches in the decentralized space. Blockchain analytics firm CertiK reported that in Q3 2024, such leaks were the second most costly attack vector, resulting in $324.4 million stolen across 10 incidents.



Read the full article here

Share.

Leave A Reply

Your road to financial

freedom starts here

With our platform as your starting point, you can confidently navigate the path to financial independence and embrace a brighter future.

Registered address:

First Floor, SVG Teachers Credit Union Uptown Building, Kingstown, St. Vincent and the Grenadines

CFDs are complex instruments and have a high risk of loss due to leverage and are not recommended for the general public. Before trading, consider your level of experience, relevant knowledge, and investment objectives and seek financial advice. Vittaverse does not accept clients from OFAC sanctioned jurisdictions. Also, read our legal documents and make sure you fully understand the risks involved before making any trading decision

Exit mobile version