Decentralized science platform Pump Science warned its users about fake tokens distributed through the Pump.fun account after its private key was leaked to GitHub.
According to the announcement made on November 27, the attacker obtained the private keys linked to the project’s Pump.fun account through a GitHub leak, which allowed the creation of fake tokens such as Urolithin B to E (URO) and Cocaine (COKE).
Pump Science’s compromised profile.
Pump Science’s platform focuses on creating tokens tied to longevity drug research. The project describes itself as a gamified longevity research initiative and aims to connect token holders with the intellectual property rights of chemical compounds. It allows token holders to sell “interference” rights to suppliers, integrating research and trading.
Rifampicin (RIF) and Urolithin A (URO) are the two tokens launched by the project. Rifampin, an antibiotic, is used to treat tuberculosis, while Urolithin A is being investigated for its potential to improve mitochondrial function and muscle health. Following the exploit, the prices of both RIF and URO dropped by over 25%.
Pump Science advised users to “avoid purchasing or interacting with any new tokens originating from the pscience PumpFun profile,” warning that the attacker still had access to the compromised wallet.
According to the post-attack report, the leak occurred because private keys linked to the profile were accidentally published in the project’s GitHub codebase.
Pump Science said the leak was caused by an oversight by BuilderZ, the Solana-based software development company that built the project, which left the private key for the developer wallet “T5j2U…jb8sc” in the GitHub codebase. The company had mistakenly assumed that the key belonged to a test wallet and therefore deemed it “unimportant”.
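A committed keypair of this kind is easy to catch mechanically before a push. The following is an added example, not code from Pump Science or BuilderZ: it scans source text for the two common encodings of a Solana secret key, the 64-byte JSON array that `solana-keygen` writes and the same bytes in base58, and rejects lookalike strings that do not decode to exactly 64 bytes. The sample source and the key bytes in it are constructed for the demonstration and are not real keys.

```python
"""Scan source text for Solana-style secret keys (added example, not project code)."""
import json
import re

# solana-keygen stores a keypair as a JSON array of 64 bytes (32-byte seed + 32-byte pubkey).
JSON_KEY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")
# The same 64 bytes in base58 are 87 or 88 characters of the Bitcoin alphabet.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_KEY_RE = re.compile(r"(?<![A-Za-z0-9])[" + B58_ALPHABET + r"]{87,88}(?![A-Za-z0-9])")

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def find_secret_keys(text: str) -> list:
    """Return (kind, match) for every candidate 64-byte secret key in text."""
    hits = []
    for m in JSON_KEY_RE.finditer(text):
        if all(0 <= b <= 255 for b in json.loads(m.group(0))):
            hits.append(("json-keypair", m.group(0)))
    for m in B58_KEY_RE.finditer(text):
        if len(b58decode(m.group(0))) == 64:  # drop strings that decode to 63 or 65 bytes
            hits.append(("base58-secret", m.group(0)))
    return hits

# Constructed sample source file; these bytes are NOT a real wallet key.
CONSTRUCTED_JSON_KEY = "[" + ", ".join(str(i) for i in range(64)) + "]"
CONSTRUCTED_B58 = b58encode(bytes(range(1, 65)))
SAMPLE_SOURCE = (
    "const devWallet = Keypair.fromSecretKey(Uint8Array.from(" + CONSTRUCTED_JSON_KEY + "));\n"
    "const other = Keypair.fromSecretKey(bs58.decode('" + CONSTRUCTED_B58 + "'));\n"
)

if __name__ == "__main__":
    for kind, match in find_secret_keys(SAMPLE_SOURCE):
        print(f"{kind}: {match[:24]}...")
```

Wiring `find_secret_keys` over the staged files in a pre-commit hook, or over the full history before a repository is made public, is the point at which a mistakenly committed developer wallet would be flagged.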
“[BuilderZ] left the private key in the codebase to T5j, thinking it wasn’t the developer wallet, which it wasn’t, but that’s how it appeared in the http://pump.fun front end because of the free token generation feature,” he wrote.
Pump Science has renamed the Pump.fun profile to “dont_trust” and is collaborating with blockchain security company Blockaid to flag counterfeit mints originating from the compromised address to prevent further exploitation.
To address security concerns, the platform has promised to conduct a full audit of its front-end system and plans to run bug bounty programs for penetration testing. Additionally, future token launches will only occur after full application and smart contract audits, and the platform has confirmed that it will no longer launch tokens on Pump.fun.
Meanwhile, the community criticized the project’s handling of the breach: some users called it a scam, and others questioned its operational proficiency. See below.
“left the private key in the codebase” FML. The project deserves to go to zero.
— scudza (🌿,👻) (@Jarred_Za) 26 November 2024
Private key leaks are among the leading causes of security breaches in the decentralized space. Blockchain analysis firm CertiK reported that such leaks were the second most costly attack vector in the third quarter of 2024, resulting in the theft of $324.4 million in 10 incidents.