Pump Science, a decentralized science (DeSci) platform focused on gamified longevity research, suffered a major security breach when its private key was accidentally exposed in its GitHub codebase.
This critical oversight allowed attackers to gain control of its official Pump.fun crypto wallet, hijack its profile, and mint fraudulent tokens under the platform’s name.
Initially, Pump Science used its Pump.fun profile to launch two legitimate tokens, Urolithin A ($URO) and Rifampicin ($RIF), which were tied to its longevity research initiatives.
However, after the private key for the wallet address “T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc” was exposed, an attacker used that key to mint unauthorized tokens, including Urolithin B through E and Cocaine ($COKE).
These fraudulent tokens misled users into believing they were legitimate offerings.
As a result, prices for the genuine tokens dropped by over 25%, reflecting a sharp decline in community trust and confidence.
Pump Science Private Key Leak: Negligence or Mistake?
According to the team’s report, the breach stemmed from a lapse by BuilderZ, the Solana-based development team behind Pump Science.
The developers inadvertently left the wallet’s private key in the GitHub repository, mistaking it for a test wallet.
This error left the key publicly accessible, and attackers took advantage of the oversight to commandeer the wallet and its associated Pump.fun profile.
Although the wallet in question was not initially intended to serve as the developer’s primary wallet, Pump.fun’s free token creation feature incorrectly linked it to the platform’s official profile, making the fraudulent tokens appear legitimate.
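The mistake described above, a real keypair committed as if it were a test wallet, is exactly what a pre-commit or CI scan for Solana key material should catch. The scanner below is an added example, not code from Pump Science or BuilderZ; it assumes the standard solana-keygen JSON keypair format and the base58 encoding of a 64-byte secret key, and the sample checkout it builds contains only constructed placeholder values.

```python
import json, os, pathlib, re, tempfile
# solana-keygen writes a keypair as a JSON array of 64 ints (0..255): 32-byte seed + 32-byte pubkey.
KEYPAIR_LEN = 64
# A base58-encoded 64-byte secret key is 87-88 base58 chars; an address is 43-44, so not flagged.
BASE58_SECRET_RE = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{87,88}(?![1-9A-HJ-NP-Za-km-z])")
# The same 64-element array pasted into source, e.g. `const KEY = [12, 34, ...]`
ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")
SKIP_DIRS = {".git", "node_modules", "target"}

def is_keypair_array(text):
    """True if text parses as a 64-element JSON array of byte values."""
    try:
        data = json.loads(text)
    except ValueError:
        return False
    return (isinstance(data, list) and len(data) == KEYPAIR_LEN
            and all(type(b) is int and 0 <= b <= 255 for b in data))

def scan_file(path):
    """Return [(path, reason)] if the file looks like it holds a secret key."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    if is_keypair_array(text):
        return [(path, "solana-keygen JSON keypair file")]
    if any(is_keypair_array(m.group(0)) for m in ARRAY_RE.finditer(text)):
        return [(path, "64-byte key array embedded in source")]
    if BASE58_SECRET_RE.search(text):
        return [(path, "base58 string sized like a 64-byte secret key")]
    return []

def scan_tree(root):
    # Walk a checkout (skipping vendored dirs) and collect every suspicious file.
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        findings += [f for n in filenames for f in scan_file(os.path.join(dirpath, n))]
    return findings

def build_sample_tree():
    # Constructed sample checkout: three leaked-key shapes plus one clean README.
    root = tempfile.mkdtemp()
    files = {"keypair.json": json.dumps(list(range(64))),  # constructed, not a real key
             "config.ts": "const TEST_WALLET = [%s];\n" % ", ".join(map(str, range(64))),
             ".env": "SOLANA_SECRET=" + "5" * 88 + "\n",
             "README.md": "Public wallet: " + "A" * 44 + "\n"}  # address only: clean
    for rel, body in files.items():
        pathlib.Path(root, rel).write_text(body)
    return root
```

Running `scan_tree` over a real checkout (or over the staged files in a pre-commit hook) turns a "test wallet" that is really a funded keypair into a blocked commit rather than a public leak.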
The attacker used their access to the wallet to create fake tokens that appeared to originate from Pump Science.
In response, Pump Science issued warnings urging users to avoid interacting with any new tokens created under its Pump.fun profile or associated wallet address.
To prevent further exploitation, the platform renamed its Pump.fun profile to “@dont_trust.”
It partnered with blockchain security firm Blockaid to flag unauthorized token mints and transactions originating from the compromised address.
Despite these measures, the attacker retains control of the wallet and continues to create fraudulent tokens.
Pump Science has faced heavy criticism from its community, with users accusing the project of negligence and expressing frustration at the lack of adequate preventive measures.
Some have gone as far as labeling the project a scam, citing the security lapse as evidence of deeper incompetence.
Rebuilding Trust and Addressing Vulnerabilities
In the wake of the hack, Pump Science has pledged to undertake a thorough overhaul of its security protocols.
The platform plans to audit its front-end systems and Solana programs to identify and address vulnerabilities.
It has also committed to hosting competitive audits and launching bug bounty programs to ensure the robustness of its infrastructure.
Furthermore, Pump Science has announced that it will not launch any new tokens until its systems have been fully secured and independently verified through comprehensive audits.
The incident is part of a broader challenge facing the decentralized finance (DeFi) ecosystem, particularly the need for rigorous private key management.
According to a recent report by blockchain analytics firm CertiK, private key leaks caused over $324 million in losses across ten incidents during Q3 2024.
Earlier this month, Metawin, a crypto casino platform, also suffered a $4 million hack on November 3, with funds stolen from its Ethereum and Solana hot wallets due to a private key leak.
The stolen funds have been traced to KuCoin and a HitBTC nested service, while the attacker’s identity and motive remain unknown.