A private wallet key was inadvertently exposed within the Pump Science codebase, allowing attackers to exploit it for bogus token creation.
Pump Science, a decentralized science (DeSci) launch platform on Solana, has disclosed a severe security breach involving one of its wallet addresses.
The wallet’s private key, identified as T5j2UB…jjb8sc, was inadvertently exposed by a developer who embedded it in the platform’s codebase.
The error allowed attackers to hijack the wallet, leading to the unauthorized creation of tokens linked to Pump Science’s profile on the Pump.fun platform.
Fraudulent Token Creation
In a November 26 post on X detailing the incident, the Pump Science team clarified that while the compromised wallet was never intended for token deployment, the attackers used it to launch fraudulent Urolithin A (URO) and Rifampicin (RIF) tokens, which they later sold to unsuspecting users.
Additionally, the attacker exploited the wallet to manipulate token perception. They locked URO-B tokens in the wallet, making it appear as if Pump Science developers still held the assets. Following the ploy, they sold off the tokens, leaving investors at a loss.
The team has since declared all tokens created via the affected wallet to be scams. They have also warned the Solana community against engaging with the assets, confirming that the project’s Pump.fun profile should not be trusted for new token launches until further notice.
“Again, none of these tokens were launched by our team. These tokens are fraudulent. Do not trust the PScience Pump.fun profile.”
Interestingly, a blockchain analysis revealed that while the bogus tokens appeared tied to the T5j wallet, the actual developer wallet responsible for creating legit tokens like URO and RIF was BLDRZQ…36KtuZ. The Pump Science team attributed the discrepancy to indexing errors on Pump.fun, which incorrectly linked token activities to the breached wallet.
Steps Toward Recovery
The Pump Science team has said that it is collaborating with security experts and Pump.fun to address the incident. Additionally, it has pledged to thoroughly audit its platform and related smart contracts to prevent such occurrences in the future.
Further steps include halting new token launches until the audit is complete, with only those explicitly announced on the project’s official social media channels deemed legitimate. The team also encouraged users to verify token origins using blockchain tools and promised updates on their progress to secure the platform.
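The root cause reported above, a wallet key committed to source code, can be caught by a check that runs before code is pushed. The scanner below is an added example, not Pump Science's code. It assumes the key appears in one of the two common Solana export forms: a base58 string of the 64-byte keypair, or a JSON array of 64 integers. Every name and sample value is constructed.

```python
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58 = "[1-9A-HJ-NP-Za-km-z]"
# A 64-byte value is 85-90 base58 characters; a 32-byte address (43-44) never matches.
B58_RUN = re.compile(rf"(?<!{B58}){B58}{{85,90}}(?!{B58})")
# Keypair-file form: an array of exactly 64 integers.
BYTE_ARRAY = re.compile(r"\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){63}\s*\]")

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)
    zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes one zero byte
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw):  # used only to build the constructed sample below
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def find_keypairs(text):
    """Return sorted (line_number, kind) for every 64-byte secret-key candidate."""
    hits = []
    for m in B58_RUN.finditer(text):
        if len(b58decode(m.group())) == 64:  # length check after a real decode
            hits.append((text.count("\n", 0, m.start()) + 1, "base58"))
    for m in BYTE_ARRAY.finditer(text):
        if all(int(v) < 256 for v in re.findall(r"\d+", m.group())):
            hits.append((text.count("\n", 0, m.start()) + 1, "byte-array"))
    return sorted(hits)

# Constructed sample: the "key" is the bytes 1..64, not a real wallet.
FAKE_KEY = bytes(range(1, 65))
SAMPLE = "\n".join([
    'const RPC = "https://rpc.example.invalid";',
    f'const DEV_WALLET = "{b58encode(FAKE_KEY)}";',
    f'const MINT = "{b58encode(bytes(range(1, 33)))}";  // 32 bytes: ignored',
    f"const BACKUP = {list(FAKE_KEY)};",
])

if __name__ == "__main__":
    for line_no, kind in find_keypairs(SAMPLE):
        print(f"line {line_no}: possible Solana secret key ({kind})")
```

Transaction signatures are also 64 bytes in base58, so a hit is a candidate for review rather than proof of a leaked key.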
At the time of writing, the RIF token had recorded a 22.4% drop in its price in the last 24 hours. Across seven days, the dip was an even more pronounced 47.7%, putting it nearly 72% below its all-time high price of $0.2478, achieved on November 18.
URO’s fate was more severe, plunging nearly 26% in 24 hours. Its current price of $0.029 is 51% lower than a week ago and nearly 80% lower than its ATH achieved on the same day as RIF.