DeSci project Pump Science exploited following private key leak

Decentralized science platform Pump Science has warned users of fraudulent tokens deployed via its Pump.fun account after its private key was leaked on GitHub.

According to a Nov. 27 announcement, the attacker managed to acquire private keys linked to its account on Pump.fun through a GitHub leak, enabling the creation of fraudulent tokens such as Urolithin B through to E (URO) and Cocaine (COKE) under Pump Science’s compromised profile.

Pump Science’s platform focuses on creating tokens tied to longevity medicine research. The project describes itself as a gamified longevity research initiative and aims to connect token holders with intellectual property rights for chemical compounds. It allows token holders to sell “intervention” rights to suppliers, integrating research and commerce.

Rifampicin (RIF) and Urolithin A (URO) are the only two tokens the project has launched. Rifampin, an antibiotic, is used to treat tuberculosis, while Urolithin A is studied for its potential to enhance mitochondrial function and muscle health. Prices of both RIF and URO tanked over 25% following the exploit.

Pump Science has advised users to avoid buying or interacting with any new tokens originating from the “pscience PumpFun profile,” warning that the attacker still has access to the compromised wallet.

Based on the post-attack report, the leak occurred due to private keys tied to the profile being inadvertently published in the project’s GitHub codebase.

Pump Science said the leak stemmed from an oversight on the part of BuilderZ, a Solana-based software development behind the development of the project, for leaving the private key for the developer wallet “T5j2U…jb8sc” in its GitHub codebase. The firm had mistakenly identified the keys as belonging to a test wallet and hence considered it “non-important.”

“[BuilderZ] left the private key to T5j in the codebase thinking that it was not the dev wallet, which it wasn’t, but this appeared so on the http://pump.fun front end due to the free token creation feature,” the project wrote.

Pump Science has renamed its Pump.fun profile to “dont_trust” and is collaborating with blockchain security firm Blockaid to flag fraudulent mints originating from the compromised address to avoid further exploitation. 

To address security concerns, the platform has vowed to do a complete audit of its front-end system and plans to run bug bounty programs for penetration testing. Further, future token launches will only occur after full app and smart contract audits, and the platform confirmed it will no longer launch tokens on Pump.fun.

Meanwhile, the community has criticized the project’s handling of the breach, with some users labeling it a scam and others questioning its operational competence. See below.

Private key leaks are among the leading causes of security breaches in the decentralized space. Blockchain analytics firm CertiK reported that in Q3 2024, such leaks were the second most costly attack vector, resulting in $324.4 million stolen across 10 incidents.