Recently, a major security incident occurred on the pump.science platform: its wallet private key was leaked, which in turn triggered a controversy over the issuance of counterfeit tokens. This article looks at the background and impact of the incident and what it means for the community.
On the evening of November 25, Urolithin B (URO) tokens were issued on pump.fun from the address marked as the creator of RIF and URO, which led many community members to mistakenly believe that they were tokens officially issued by pump.science. Urolithin B (URO) "graduated" quickly, and within two minutes of being added to the liquidity pool its market value soared to $10 million. It then fell continuously, and its current market value is back to about $100,000.
The incident also appears to have affected the market performance of Urolithin A (URO) and Rifampicin (RIF), both of which are down more than 30% in 24 hours. So, what is going on?
The pump.science wallet key pair was leaked
The cause of the incident was the leak of pump.science's wallet key pair. According to pump.science officials, due to an oversight in its GitHub repository, the wallet address T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc was compromised: the attacker found the key pair in the source code of the website. This key pair had been used for testing purposes in pump.science's GitHub from the beginning, and the development team was not aware of its importance.
As can be seen from the fraudulent URO token page that appeared on pump.fun last night, the wallet address that deployed this fake token is exactly T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc.
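An added example, not from pump.science or the original article: a repository check for the kind of oversight described above, a wallet key pair left in source code. It assumes the two common Solana keypair encodings (a 64-number byte array and a Base58 string of 64 bytes; the article does not say which was exposed), and `find_keypairs` and the sample file built from placeholder bytes are hypothetical.

```python
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

# 64 integers in brackets: the byte-array layout of a Solana keypair file.
ARRAY_RE = re.compile(r"\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){63}\s*\]")
# Base58 run long enough to encode 64 bytes (length is checked after decoding).
B58_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{85,90}\b")

def find_keypairs(source: str):
    """Return (line, kind, wallet_address) for each 64-byte keypair found."""
    hits = []
    for m in ARRAY_RE.finditer(source):
        values = [int(v) for v in re.findall(r"\d+", m.group())]
        if max(values) <= 255:
            hits.append((m.start(), "byte-array", bytes(values)))
    for m in B58_RE.finditer(source):
        raw = b58decode(m.group())
        if len(raw) == 64:
            hits.append((m.start(), "base58", raw))
    # Report only the public half (last 32 bytes) so the secret is never echoed.
    return [(source.count("\n", 0, pos) + 1, kind, b58encode(raw[32:]))
            for pos, kind, raw in sorted(hits)]

# Constructed sample: placeholder bytes, not a real wallet or a valid key pair.
_FAKE = list(range(10, 42)) + list(range(100, 132))
SAMPLE = (
    "// config.js (constructed)\n"
    "const RPC = 'https://rpc.example.invalid';\n"
    f"const TEST_WALLET = Uint8Array.from({_FAKE});\n"
    f"const BACKUP = '{b58encode(bytes(_FAKE))}';\n"
)

if __name__ == "__main__":
    for line, kind, address in find_keypairs(SAMPLE):
        print(f"line {line}: {kind} keypair for wallet {address}")
```

Run as a pre-commit or CI step, a hit names the affected wallet address so the key can be rotated before the code is published; the scan matches on shape only and does not verify that the two halves form a valid Ed25519 pair.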
The pump.fun platform shows that this address deployed the two official tokens, Urolithin A (URO) and Rifampicin (RIF), off-chain; their current market values are approximately US$87 million and US$37 million respectively. This time, the fraudulent URO token was issued on-chain by the address starting with T5j2UBT, whose key pair was leaked. This is exactly why pump.fun makes it appear that the deployer of the official URO and RIF tokens has released a new coin.
According to pump.science, the wallet is marked on pump.fun as the off-chain token creator of URO and RIF. Attackers may use this wallet to issue more tokens. Apart from URO and RIF, any other token issued by this wallet should be considered a scam.
It is worth noting that pump.science officials did not take any remedial or compensatory measures for users who were misled into buying the fraudulent URO tokens, which aroused widespread concern and heated discussion in the community.
The off-chain creation function of pump.fun caused confusion in the display of blockchain explorers and data tools
Another community concern is how the token creator is displayed on pump.fun and in blockchain explorers and data tools. The official pump.science URO and RIF tokens were created off-chain via pump.fun, while the scam URO was created on-chain via pump.fun. However, the blockchain explorer solscan shows the deployer address of Urolithin A (URO) and Rifampicin (RIF) as BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ.
To see why, first consider pump.fun's off-chain token issuance function. On the pump.fun platform, issuing a token off-chain is free. The token is not put on-chain immediately after it is issued; it is recorded on-chain only when the first buyer appears, and the first buyer pays the token's issuance cost.
Therefore, for tokens created off-chain, the first purchaser is often mistaken for the token's deployer by information tools such as the blockchain explorer solscan or GMGN. For example, after the official URO and RIF tokens were created off-chain, the wallet address of the first purchaser, BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ, was incorrectly flagged by solscan or GMGN as the deployer of the tokens.
Here, the author reminds investors that when investing in Meme tokens, they should distinguish between tokens created on-chain and off-chain on pump.fun and verify them, to avoid falling into a fraud trap. Also, be wary of any tokens issued by the wallet starting with T5j2UBTvLY, whose key pair pump.science leaked. At the same time, we also hope that the platform and token deployers can strengthen security measures to prevent such fraud from happening again.
This article, "Pump.science private key was leaked, and counterfeit currency was issued to harvest retail investors. The inside story of the crash.", was first published on BlockTempo (DongZuDongCha - the most influential blockchain news media).