Author: Karen, Foresight News
On the evening of November 25, an address marked as the creator of RIF and URO on pump.fun issued the Urolithin B (URO) token, leading many community members to mistakenly believe it was an official token issued by pump.science. Urolithin B (URO) quickly 'graduated,' and within two minutes of joining the liquidity pool, its market value soared to $10 million, but then began to decline continuously, and the current market value has fallen back to about $100,000.
This incident seems to have also affected the market performance of Urolithin A (URO) and Rifampicin (RIF), both of which fell by more than 30% within 24 hours. So, what exactly is going on?
pump.science wallet key pair leaked
The incident was triggered by the leak of the wallet key pair from pump.science.
According to official sources from pump.science, due to a negligence in its GitHub repository, the wallet address T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc was attacked, and the attacker found the key pair in the source code of the website. This key pair was used for testing purposes in pump.science's GitHub from the beginning, and the development team did not realize its importance.
From the fraudulent URO token page that appeared on pump.fun last night, it can be seen that the wallet address deploying this fake token is indeed T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc. The pump.fun platform shows that this address had previously deployed the official tokens Urolithin A (URO) and Rifampicin (RIF), which currently have market values of approximately $87 million and $37 million, respectively.
The fraudulent URO token was issued on-chain by a wallet address starting with the leaked key pair T5j2UBT. This is why it is shown on pump.fun that the official URO and RIF token deployers have released new tokens.
pump.science indicates that this wallet has been marked as the off-chain token creator for URO and RIF on pump.fun. Attackers may exploit this wallet to issue more tokens, and any other tokens issued by this wallet, apart from URO and RIF, should be considered scams.
It is worth noting that pump.science has not taken any remedial or compensatory measures for users who mistakenly believed and bought the fraudulent URO token, which has raised widespread concern and discussion in the community.
Off-chain creation feature of pump.fun causes confusion in blockchain explorers and data tools
There are also concerns within the community regarding the token creators displayed on pump.fun and blockchain explorers and data tools.
The official URO and RIF tokens from pump.science were created off-chain through pump.fun, while the fraudulent URO was created on-chain through pump.fun. However, the blockchain explorer solscan shows that the deployer addresses for Urolithin A (URO) and Rifampicin (RIF) are: BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ.
Next, let's first understand the off-chain token issuance feature of pump.fun. On the pump.fun platform, off-chain token issuance is free, and tokens will not be recorded on-chain immediately after issuance; they will only be recorded when the first buyer appears. The first buyer has to pay the issuance cost of the tokens. Therefore, for off-chain created tokens, the first buyer is often mistakenly identified as the token deployer by blockchain explorers like solscan or GMGN.
For example, after the official URO and RIF tokens are created off-chain, the wallet address of the first buyer BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ was mistakenly marked by solscan or GMGN as the token deployer.
Here, the author reminds investors to be cautious when investing in meme tokens and to distinguish between tokens created on-chain and off-chain on pump.fun and verify them to avoid falling into scam traps. Additionally, it is necessary to remain vigilant about any potential tokens issued by the wallet starting with T5j2UBTvLY that was leaked from pump.science. We also hope that platform providers and token deployers can enhance security measures to prevent such scams from happening again.