Original author: Karen, Foresight News reprinted by: Luke, Mars Finance
On the evening of November 25, the address marked as the creator of RIF and URO on pump.fun issued Urolithin B (URO) tokens, which led many community members to mistakenly believe that this was an official token issued by pump.science. Urolithin B (URO) quickly 'graduated' and its market value soared to 10 million dollars within two minutes of joining the liquidity pool, but then it began to decline continuously, and its market value has now dropped to about 100,000 dollars.
This incident seems to have also affected the market performance of Urolithin A (URO) and Rifampicin (RIF), both of which fell more than 30% within 24 hours. So, what exactly is going on?
pump.science wallet key pair leaked
The incident was triggered by the leak of the wallet key pair of pump.science.
According to the official pump.science, due to an oversight in its GitHub repository, the wallet address T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc was attacked, and the attacker found the key pair in the source code of the site. This key pair was originally used for testing purposes in the pump.science GitHub, and the development team did not realize its significance.
From the fraudulent URO token page that appeared on pump.fun last night, it can be seen that the wallet address deploying this fake token is T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc. The pump.fun platform shows that this address had previously deployed the official tokens Urolithin A (URO) and Rifampicin (RIF), which currently have market values of approximately 87 million dollars and 37 million dollars, respectively.
The fraudulent URO token was issued on-chain by an address starting with the leaked key pair T5j2UBT. This is why it shows on pump.fun that the deployer of the official URO and RIF tokens released new coins.
pump.science stated that this wallet was marked as the off-chain token creator of URO and RIF on pump.fun, and the attacker might use this wallet to issue more tokens; any other tokens issued by this wallet, apart from URO and RIF, should be regarded as fraudulent.
It is worth noting that the official pump.science has not taken any remedial or compensatory measures for those users who mistakenly believed and took over the fraudulent URO tokens, which has caused widespread attention and discussion in the community.
The off-chain creation function of pump.fun causes confusion in blockchain explorers and data tools
What raised community doubts were also the creators of tokens displayed on pump.fun and blockchain explorers as well as data tools.
The official URO and RIF tokens of pump.science were created off-chain through pump.fun, while the fraudulent URO was created on-chain via pump.fun. However, the blockchain explorer solscan shows that the deployer address for Urolithin A (URO) and Rifampicin (RIF) is: BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ.
Next, let's first understand the off-chain token issuance function of pump.fun. On the pump.fun platform, off-chain issuance of tokens is free, and the tokens will not be recorded on-chain until there is a first buyer. The first buyer needs to pay the cost of token issuance. Therefore, for tokens created off-chain, the first buyer is often mistakenly identified as the deployer of the token by blockchain explorers like solscan or data tools like GMGN.
For example, after the official URO and RIF tokens were created off-chain, the wallet address of the first buyer BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ was incorrectly marked as the deployer of the token by solscan or GMGN.
Here, the author reminds investors to distinguish and verify tokens created on and off the pump.fun chain when investing in Meme tokens to avoid falling into fraudulent traps. In addition, one should remain vigilant regarding any potential tokens issued by wallets starting with T5j2UBTvLY leaked by pump.science. At the same time, we hope that the platform and token deployers can enhance security measures to prevent such fraud from happening again.