On the night of November 25, an address marked as the creator of RIF and URO on pump.fun issued the Urolithin B (URO) token, leading many community members to mistakenly believe that this was an officially issued token by pump.science. Urolithin B (URO) quickly 'graduated', and within two minutes of joining the liquidity pool, its market value surged to $10 million, but then it began to decline continuously, and its market value has now fallen back to about $100,000.


This incident seems to have affected the market performance of Urolithin A (URO) and Rifampicin (RIF), both of which dropped over 30% within 24 hours. So, what exactly is going on?


pump.science wallet key pair was leaked


The cause of the incident was the leakage of the wallet key pair from pump.science.


According to official information from pump.science, the wallet address T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc was attacked because of negligence in their GitHub repository, where the key pair was found in the website's source code. This key pair was originally used for testing purposes in pump.science's GitHub, and the development team did not realize its significance.
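A check that could run before a commit to catch this kind of leak, added here as an example and not code from pump.science or pump.fun: it flags text in source files that looks like a 64-byte Solana secret key. It assumes the two common encodings (the 64-integer array written by the Solana CLI and a base58 string); the article does not say which form the leaked key took, and all names and the sample input are constructed.

```python
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_CLASS = "[1-9A-HJ-NP-Za-km-z]"

# Array literal of exactly 64 integers: the Solana CLI keypair file layout.
ARRAY_RE = re.compile(r"\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){63}\s*\]")
# Stand-alone base58 run of 87-88 characters, the usual length of 64 encoded bytes.
B58_RE = re.compile(rf"(?<!{B58_CLASS}){B58_CLASS}{{87,88}}(?!{B58_CLASS})")

# Constructed sample: front-end source with a "test" keypair left in (bytes 1..64).
SAMPLE = (
    "const RPC = 'https://rpc.example.invalid';\n"
    "const TEST_KEY = [" + ", ".join(str(i) for i in range(1, 65)) + "];\n"
)


def b58decode(text):
    """Decode a base58 string to bytes (leading '1' characters are zero bytes)."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def find_keypairs(source):
    """Return sorted (line_number, kind) hits for 64-byte secret-key material."""
    hits = []
    for m in ARRAY_RE.finditer(source):
        values = [int(v) for v in re.findall(r"\d+", m.group(0))]
        if all(v <= 255 for v in values):
            hits.append((source.count("\n", 0, m.start()) + 1, "byte-array"))
    for m in B58_RE.finditer(source):
        # Transaction signatures are also 64 bytes, so base58 hits need review.
        if len(b58decode(m.group(0))) == 64:
            hits.append((source.count("\n", 0, m.start()) + 1, "base58"))
    return sorted(hits)


if __name__ == "__main__":
    for line, kind in find_keypairs(SAMPLE):
        print(f"line {line}: possible Solana keypair ({kind})")
```

A 32-byte public address such as the wallet address quoted above is not flagged; only 64-byte material is.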


From the fraudulent URO token page that appeared on pump.fun last night, we can see that the wallet address deploying this fake token is T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc. The pump.fun platform shows that this address had previously deployed the official tokens Urolithin A (URO) and Rifampicin (RIF) off-chain, which currently have market values of approximately $87 million and $37 million, respectively.


The fraudulent URO token was issued on-chain by an address starting with T5j2UBT, which is why it appears that the official URO and RIF token deployers released a new coin on pump.fun.



pump.science stated that this wallet was marked on pump.fun as the off-chain token creator for URO and RIF, and the attacker might use this wallet to issue more tokens. Any other tokens issued by this wallet, aside from URO and RIF, should be considered fraudulent.


It is worth noting that pump.science has not taken any remedial or compensatory measures for users who were misled and acquired the fraudulent URO tokens, which has sparked widespread attention and discussion in the community.


The off-chain creation function of pump.fun causes confusion for blockchain explorers and data tools.


Another point of confusion in the community is how token creators are displayed on pump.fun compared with blockchain explorers and data tools.


The official URO and RIF tokens from pump.science were created off-chain through pump.fun, while the fraudulent URO was created on-chain through pump.fun. However, the blockchain explorer solscan shows that the deployer address for Urolithin A (URO) and Rifampicin (RIF) is: BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ.






To see why, first consider the off-chain token issuance feature of pump.fun. On the pump.fun platform, off-chain token issuance is free, and the token is not recorded on-chain until there is a first buyer. The first buyer is required to pay the issuance cost of the token. As a result, for tokens created off-chain, blockchain explorers and data tools such as solscan or GMGN often mistakenly identify the first buyer as the token deployer.


For example, after the official URO and RIF tokens were created off-chain, the wallet address of the first buyer, BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ, was incorrectly marked as the token deployer by solscan or GMGN.


Here, I remind investors to be cautious and distinguish between tokens created on-chain and off-chain on pump.fun when investing in meme tokens, to avoid falling into fraud traps. Additionally, remain vigilant about any potential tokens issued by the wallet starting with T5j2UBTvLY that was leaked by pump.science. We also hope that platform operators and token deployers can enhance security measures to prevent such fraudulent activities from happening again.
