The recent out-of-control livestreams on Pump.fun caused an uproar, and Pump Science, a decentralized science (DeSci) platform that also has "Pump" in its name, recently had a private key leaked, resulting in a proliferation of fraudulent tokens. Pump Science promptly apologized to users in a live Twitter broadcast and announced a solution at the same time, promising to focus on platform security in the future to prevent similar incidents.
DeSci platform Pump Science focuses on medical tokens
Pump Science is a decentralized science (DeSci) platform focused on longevity medicine that allows the trading of healthcare-related tokens. Currently, Pump Science only has two official tokens, namely Urolithin A (URO) and Rifampicin (RIF). The URO token currently has a market cap of $33.2 million, while the RIF token has a market cap of $80.54 million.
(Note: Urolithin A is a dietary supplement that mainly regulates mitochondrial activity and has antioxidant and anti-inflammatory effects. Rifampicin is a drug for the treatment of tuberculosis.)
Private keys are leaked and fraudulent tokens are rampant
Pump Science stated on Twitter from November 25 to 26 that the private key of its wallet on Pump.fun (the address starts with T5j2U) was accidentally exposed in code on GitHub and was stolen by hackers. Pump Science originally thought this was a small wallet used for testing and did not consider it important, so it paid no attention to it.
The problem is that the wallet whose address starts with T5j2U is marked on Pump.fun as the "creator" of the two tokens URO and RIF, but in fact the real creator is another wallet with an address that starts with BLDRZQ.
After the theft, Pump Science immediately checked the on-chain transaction records and found that BLDRZQ was the first wallet to buy URO and RIF tokens, which led other trading platforms to treat the BLDRZQ wallet as the real "token creator." Because of this inconsistency, the importance of the T5j2U wallet was overlooked, which gave the hackers an opening. The hackers also used the wallet to create multiple fraudulent tokens, such as Urolithin B to Urolithin E ($URO) and Cocaine ($COKE).
Pump Science emphasized: "These tokens were not created by our team. This wallet address has been stolen by hackers. Do not purchase any new tokens deployed by the T5j2U wallet." To prevent more people from being fooled, the Pump.fun account name was changed to "dont_trust", and Pump Science partnered with blockchain security company Blockaid to flag all newly issued token activity from the T5j2U address.
Pump Science steps forward to explain the theft and states bluntly that it will never use Pump.fun to issue tokens again
On November 27, Pump Science CEO Benji Leibowitz publicly apologized live on Twitter, admitting that this was a major mistake. Leibowitz said bluntly: "We admit that this is really a big oversight. We are very sorry and will never use Pump.fun to issue tokens in the future."
The CEO of Pump Science steps forward to apologize. BuilderZ is suspected of being partly responsible, and the team launches an investigation.
Pump Science placed some of the blame on BuilderZ, a development team in the Solana ecosystem, saying that BuilderZ mistakenly put the private key of the developer wallet address (T5j2U) on GitHub and that it had been mistaken for the private key of a test wallet.
The Pump Science team then began analyzing the identity of the hacker and first noted that the hacker was unlikely to be BuilderZ, because the way the tokens were deployed to Solana differed from BuilderZ's mechanism. Pump Science believes the hackers are more likely to be the same group that previously compromised the wallet of James Pacheco, the founder of Solana's commodity tokenization platform "elmnts".
Commitment to a thorough security review, with a target of being back online before the end of the year
Pump Science also announced a series of measures, including a complete review of the platform's front end and protocols and the launch of a bug bounty program inviting white hat hackers to conduct penetration testing. In addition, the team stated that it will continue to improve private key management to ensure security. Pump Science has promised that no new tokens will be issued until a comprehensive review is completed, with the goal of having the Pump Science platform back online by the end of the year.
This article, "DeSci platform Pump Science made a mistake: the leakage of private keys caused a scandal of fraudulent tokens, and promised not to use Pump.fun to issue coins", first appeared on Chain News ABMedia.