DeSci project Pump Science exploited following private key leak
Decentralized science platform Pump Science has warned users of tokens deployed via its Pump.fun account after its offchain wallet private key was leaked on the project GitHub.
According to a Nov. 27 announcement, the attacker managed to acquire the private keys to the Pump Science offchain wallet linked to its profile on Pump.fun through a GitHub leak, enabling the creation of fraudulent tokens such as Urolithin B through to E (URO) and Cocaine (COKE) under the Pump Science official profile.
Pump Science’s platform focuses on creating tokens tied to longevity medicine research. The project describes itself as a gamified longevity research initiative and aims to connect token holders with intellectual property rights for chemical compounds. It allows token holders to sell “intervention” rights to suppliers, integrating research and commerce.
Rifampicin (RIF) and Urolithin A (URO) are the only two tokens the project has launched. Rifampin, an antibiotic, is used to treat tuberculosis, while Urolithin A is studied for its potential to enhance mitochondrial function and muscle health. Prices of both RIF and URO tanked over 25% following the exploit.
Pump Science has advised users to avoid buying or interacting with any new tokens originating from the “pscience PumpFun profile,” warning that the attacker still has access to the compromised wallet.
Based on the post-attack report, the leak occurred due to private keys tied to the profile being inadvertently published in the project’s GitHub codebase.
Pump Science said the leak stemmed from an oversight by BuilderZ, the Solana-based software development firm behind the project, which left the private key for the offchain wallet “T5j2U…jb8sc” in its GitHub codebase.
“[BuilderZ] left the private key to T5j in the codebase thinking that it was not the dev wallet, which it wasn’t, but this appeared so on the http://pump.fun front end due to the free token creation feature,” the project wrote.
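Added here as an illustration (not Pump Science's or BuilderZ's code): a small pre-commit style scan for the two forms a 64-byte Solana keypair commonly takes in source, the `solana-keygen` JSON array and the single base58 string, run over a constructed file; the sample secret is throwaway bytes, not the leaked key.

```python
import json
import re

# Base58 alphabet used by Solana (same as Bitcoin's).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}

def b58decode(s: str) -> bytes:
    """Decode base58; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def b58encode(raw: bytes) -> str:
    """Encode bytes as base58 (used only to build the constructed sample)."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

# A 64-byte secret key appears as a JSON array of exactly 64 bytes or as a
# base58 string of roughly 87-88 characters; a 32-byte public key is ~44.
ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")
B58_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{85,90}\b")

def find_solana_secrets(text: str):
    """Return (line_number, kind) for every probable secret key in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ARRAY_RE.finditer(line):
            if all(0 <= v <= 255 for v in json.loads(m.group(0))):
                hits.append((lineno, "keypair-json-array"))
        for m in B58_RE.finditer(line):
            if len(b58decode(m.group(0))) == 64:  # decodes to a full keypair
                hits.append((lineno, "keypair-base58"))
    return hits

# Constructed sample file: a throwaway 64-byte value standing in for a secret key.
FAKE_SECRET = bytes(range(1, 65))
SAMPLE = "\n".join([
    "const RPC = 'https://api.mainnet-beta.solana.com';",
    "const PAYER = " + json.dumps(list(FAKE_SECRET)) + ";",      # flagged
    "const PAYER_B58 = '" + b58encode(FAKE_SECRET) + "';",       # flagged
    "const PUBKEY = '" + b58encode(FAKE_SECRET[:32]) + "';",     # public key, not flagged
])

if __name__ == "__main__":
    for lineno, kind in find_solana_secrets(SAMPLE):
        print(f"line {lineno}: {kind}")
```

Wiring this into a pre-commit hook blocks the commit when the returned list is non-empty; a true positive means the key is already burned and must be rotated, not merely removed from history.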
Pump Science has renamed its Pump.fun profile to “dont_trust” and is collaborating with blockchain security firm Blockaid to flag fraudulent mints originating from the compromised address to avoid further exploitation.
To address security concerns, the platform has vowed to commission multiple consultative audits, an open competitive audit with Code4rena, and penetration testing. It will also launch a bug bounty program to continue battle-testing its platform, and confirmed it will no longer launch tokens on Pump.fun.
Meanwhile, the community has criticized the project’s handling of the breach, with some users labeling it a scam and others questioning its operational competence.
Private key leaks are among the leading causes of security breaches in the decentralized space. Blockchain analytics firm CertiK reported that in Q3 2024, such leaks were the second most costly attack vector, resulting in $324.4 million stolen across 10 incidents.