Original Title: (pump.science Wallet Private Key Leak: An Unfinished Storm)
Original Author: Karen, Foresight News
On the evening of November 25, an address marked as the creator of RIF and URO on pump.fun issued Urolithin B (URO) tokens, which led many community members to mistakenly believe that this was an official token issued by pump.science. Urolithin B (URO) quickly 'graduated', and within two minutes of joining the liquidity pool, its market value soared to $10 million, but then began to decline continuously, and its current market value has fallen back to about $100,000.
This event seems to have also impacted the market performance of Urolithin A (URO) and Rifampicin (RIF), both of which dropped over 30% within 24 hours. So, what exactly is going on?
pump.science wallet key pair leaked
The cause of the event was the leakage of the wallet key pair from pump.science.
According to pump.science, an oversight in its GitHub repository led to the compromise of the wallet address T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc: attackers found the wallet's key pair in the website's source code. The key pair had originally been used for testing in pump.science's GitHub repository, and the development team did not realize its importance.
From the scam URO token page that appeared on pump.fun last night, we can see that the wallet address deploying this fake token is T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc. The pump.fun platform shows that this address had previously deployed the two official tokens Urolithin A (URO) and Rifampicin (RIF), which currently have market values of approximately $87 million and $37 million, respectively.
The scam URO tokens were issued on-chain by the wallet whose address starts with T5j2UBT, the wallet whose key pair was leaked. This is exactly why pump.fun shows the deployer of the official URO and RIF tokens as having released new coins.
pump.science indicates that this wallet has been marked as the off-chain token creator for URO and RIF on pump.fun. Attackers may exploit this wallet to issue more tokens, and any other tokens issued by this wallet, apart from URO and RIF, should be considered scams.
It is worth noting that pump.science has not taken any remedial or compensatory measures for users who mistakenly trusted and bought the scam URO tokens, which has caused widespread concern and discussion in the community.
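The failure described in this section, a test key pair committed to source code without anyone noticing which wallet it controlled, is the kind of thing a repository check can catch. The following is an added example, not code from pump.science or the original article: it looks for 64-byte arrays in source files, derives the wallet address from the embedded public half, and escalates when that address is on a watchlist of wallets the project cares about. It assumes the key is stored as a solana-keygen style array of 64 integers; the file names, key bytes and watchlist below are constructed.

```python
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate: a bracketed list of exactly 64 small integers (solana-keygen layout).
ARRAY_RE = re.compile(r"\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){63}\s*\]")


def b58encode(data: bytes) -> str:
    """Base58 (Bitcoin alphabet), the encoding Solana uses for addresses."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    zeros = len(data) - len(data.lstrip(b"\0"))  # leading zero bytes become '1'
    return "1" * zeros + out


def find_keypairs(text: str):
    """Yield (line_number, address) for every 64-byte array found in text."""
    for m in ARRAY_RE.finditer(text):
        values = [int(v) for v in re.findall(r"\d+", m.group(0))]
        if any(v > 255 for v in values):
            continue  # not a byte array
        # Assumption: bytes 32..63 are the public key, as in a solana-keygen file.
        address = b58encode(bytes(values[32:]))
        yield text.count("\n", 0, m.start()) + 1, address


def scan(files: dict, watchlist: set):
    """Return findings; 'critical' when the key controls a watched wallet."""
    findings = []
    for path, text in files.items():
        for line, address in find_keypairs(text):
            level = "critical" if address in watchlist else "review"
            findings.append((path, line, address, level))
    return findings


# Constructed sample input: a fake test fixture, not a real key.
SAMPLE_KEY = list(range(1, 33)) + [0] * 32
SAMPLE_FILES = {
    "web/src/testWallet.js": "// test only\nconst kp = " + str(SAMPLE_KEY) + ";\n",
    "README.md": "no secrets here\n",
}
WATCHLIST = {"1" * 32}  # constructed: base58 of the all-zero public half above

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES, WATCHLIST):
        print(finding)
```

Any finding means a private key is in the repository; a "critical" finding means that key controls a wallet the project is publicly associated with, so the wallet should be treated as compromised rather than the file simply deleted.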
The off-chain creation function of pump.fun caused confusion in blockchain explorers and data tools.
The community has also raised questions about how the token creator is displayed on pump.fun compared with blockchain explorers and data tools.
The official URO and RIF tokens are created off-chain via pump.fun, while scam URO is created on-chain via pump.fun. However, the blockchain explorer solscan shows that the deployer address for Urolithin A (URO) and Rifampicin (RIF) is: BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ.
First, let's understand the off-chain token issuance function of pump.fun. On the pump.fun platform, off-chain token issuance is free, and the tokens are not recorded on-chain after issuance until a first buyer appears. The first buyer needs to pay the token issuance cost. Therefore, for tokens created off-chain, the first buyer is usually mistakenly identified as the token deployer by blockchain explorers and data tools such as solscan or GMGN.
For example, after the official URO and RIF tokens were created off-chain, the wallet address BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ of the first buyer was incorrectly marked by solscan or GMGN as the token deployer.
Here, the author reminds investors to distinguish between tokens created on-chain and off-chain on pump.fun and to verify them when investing in Meme tokens to avoid falling into scam traps. Additionally, they should remain vigilant about any potential tokens issued by the wallet starting with T5j2UBTvLY, whose key pair pump.science leaked. At the same time, we hope that platform providers and token deployers can enhance security measures to prevent such scams from happening again.