Decentralized Science Platform Pump Science Warns of Token Exploit After Private Key Leak

Pump Science, a decentralized science platform focused on creating tokens tied to longevity medicine research, has issued a warning to users after its offchain wallet private key was leaked on the project GitHub.

Private Key Leak and Security Breach

According to a recent announcement, an attacker acquired the private keys to the Pump Science offchain wallet linked to its profile on Pump.fun through a GitHub leak. This enabled the creation of fraudulent tokens, such as Urolithin B through to E (URO) and Cocaine (COKE), under the Pump Science official profile.

Impact on Token Prices

The project has launched only two tokens, Rifampicin (RIF) and Urolithin A (URO). Following the exploit, prices of both RIF and URO tanked over 25%. Pump Science has advised users to avoid buying or interacting with any new tokens originating from the “pscience PumpFun profile,” warning that the attacker still has access to the compromised wallet.

Causes of the Leak

The leak occurred because private keys tied to the profile were inadvertently published in the project’s GitHub codebase. Pump Science attributed the leak to an oversight by BuilderZ, a Solana-based software development firm behind the project, which left the private key for the offchain wallet in its GitHub codebase.

“[BuilderZ] left the private key to T5j in the codebase thinking that it was not the dev wallet, which it wasn’t, but this appeared so on the http://pump.fun front end due to the free token creation feature.”

Measures to Address Security Concerns

To address security concerns, Pump Science has renamed its Pump.fun profile to “dont_trust” and is collaborating with blockchain security firm Blockaid to flag fraudulent mints originating from the compromised address. The platform has also vowed to conduct multiple consultative audits, an open competitive audit with Code4rena, and penetration testing. Additionally, a bug bounty program will be launched to continue testing its platform, and it has confirmed that it will no longer launch tokens on Pump.fun.

Community Reaction and Prevalence of Private Key Leaks

The community has criticized the project’s handling of the breach, with some users labeling it a scam and others questioning its operational competence. Private key leaks are a common cause of security breaches in the decentralized space. Blockchain analytics firm CertiK reported that in Q3 2024, such leaks were the second most costly attack vector, resulting in $324.4 million stolen across 10 incidents.
