Written by: Karen, Foresight News

On the evening of November 25, the address marked as the creator of RIF and URO on pump.fun issued a Urolithin B (URO) token, which led many community members to mistakenly believe that it was an official pump.science token. Urolithin B (URO) quickly 'graduated', and within two minutes of joining the liquidity pool its market value surged to 10 million USD; it then declined steadily and has now fallen back to about 100,000 USD.

This incident seems to have affected the market performance of Urolithin A (URO) and Rifampicin (RIF), both of which fell more than 30% within 24 hours. So, what exactly is going on?

The wallet key pair of pump.science was leaked.

The incident was caused by the leak of the wallet key pair of pump.science.

According to official sources from pump.science, an oversight in their GitHub repository exposed the key pair of the wallet address T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc: the attacker found the key pair in the website's source code. This key pair was initially used for testing purposes in pump.science's GitHub, and the development team did not realize its importance.
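The check below is an added example, not code from pump.science or from the original article: a scan a team could run over its own source tree before publishing it, flagging anything shaped like a Solana key pair and reporting the wallet address it controls. It assumes the key was stored in one of the two common encodings (a JSON array of 64 byte values, or the same 64 bytes as a base58 string); the article does not say which format was leaked, and the sample file and key bytes are constructed.

```python
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    return b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Keypair file layout: JSON array of 64 byte values (32-byte seed + 32-byte public key).
ARRAY_RE = re.compile(r"\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){63}\s*\]")
# The same 64 bytes exported as one base58 string (typically 87-88 characters).
B58_RE = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{86,88}(?![1-9A-HJ-NP-Za-km-z])")

def find_keypairs(text: str):
    """Return sorted (line, encoding, wallet_address) for each 64-byte candidate."""
    hits = []
    for rx, kind in ((ARRAY_RE, "json-array"), (B58_RE, "base58")):
        for m in rx.finditer(text):
            if kind == "json-array":
                # Values above 255 are dropped, so such arrays fail the length check.
                raw = bytes(v for v in map(int, re.findall(r"\d+", m.group())) if v < 256)
            else:
                raw = b58decode(m.group())
            if len(raw) == 64:
                line = text.count("\n", 0, m.start()) + 1
                # Last 32 bytes are the public key, i.e. the address to retire.
                hits.append((line, kind, b58encode(raw[32:])))
    return sorted(hits)

SAMPLE_KEY = bytes(range(1, 65))  # constructed bytes, not a real wallet
SAMPLE_SOURCE = (
    "// config.js (constructed sample)\n"
    f"const TEST_WALLET = {list(SAMPLE_KEY)};\n"
    "const RPC = 'https://rpc.example.invalid';\n"
    f"const BACKUP = '{b58encode(SAMPLE_KEY)}';\n"
)
```

Because the reported address is read straight from the key material, a hit tells the team which wallet must be treated as compromised, even if the key was labelled as test-only.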

From the scam URO token page that appeared on pump.fun last night, it can be seen that the wallet address deploying this fake token is T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc. The pump.fun platform shows that this address had previously deployed the official tokens Urolithin A (URO) and Rifampicin (RIF), which currently have market values of approximately 87 million USD and 37 million USD, respectively.

The scam URO token was issued on-chain by the wallet address starting with T5j2UBT, whose key pair had been leaked. This is precisely why pump.fun shows the deployer of the official URO and RIF tokens as having released the new coin.

pump.science stated that this wallet was marked as the off-chain creator of URO and RIF on pump.fun, and the attacker may use this wallet to issue more tokens. Any other tokens issued by this wallet, besides URO and RIF, should be considered scams.

It is worth noting that pump.science has not taken any remedial or compensatory measures for users who mistook the scam URO token for an official one and purchased it, which has sparked widespread concern and discussion in the community.

The off-chain creation function of pump.fun caused confusion in blockchain explorers and data tools.

The way token creators are displayed on pump.fun and in blockchain explorers and data tools has also raised doubts within the community.

The official URO and RIF tokens of pump.science were created off-chain through pump.fun, while the scam URO was created on-chain through pump.fun. However, the blockchain explorer solscan shows that the deployer address for Urolithin A (URO) and Rifampicin (RIF) is: BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ.

To see why, let's first look at the off-chain token issuance feature of pump.fun. On the pump.fun platform, off-chain token issuance is free, and a token is not recorded on-chain until a first buyer appears. The first buyer pays the token issuance cost. Therefore, for tokens created off-chain, the first buyer is often mistakenly regarded as the deployer of the token by data tools like solscan or GMGN.

For example, after the official URO and RIF tokens were created off-chain, the wallet address of the first buyer, BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ, was mistakenly marked as the deployer of the tokens by solscan or GMGN.

Here, the author reminds investors to distinguish between tokens created on-chain and off-chain on pump.fun, and to verify them, before investing in Meme tokens, to avoid falling into scam traps. Additionally, it is necessary to remain vigilant regarding any tokens that may be issued by the pump.science wallet starting with T5j2UBTvLY, whose key pair was leaked. We also hope that the platform and token deployers can enhance security measures to prevent such scams from happening again.