Pump.science Wallet Private Key Leak: An Unfinished Storm

By Karen, Foresight News

On the evening of November 25, the Addressissuance Urolithin B (URO) Token, which was marked on the pump.fun as the creator of RIF and URO, made many community members mistakenly believe that it was the official issuance token of pump.science. Urolithin B (URO) quickly "graduated" and within two minutes of being added to the liquidity pool, its Market Cap soared to $10 million, but then began to continue to decline, and the Market Cap has now fallen back to about $100,000.

This incident also seems to have affected the market performance of Urolithin A (URO) and Rifampicin (RIF), both of which have dropped by more than 30% within 24 hours. So, what exactly is going on?

pump.science wallet private key pair leaked

The incident was caused by the leakage of pump.science's wallet private key.

According to the official disclosure from pump.science, due to an oversight in its GitHub repository, the WalletAddress T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc was attacked, and the attacker found the Secret Key pair in the website's Source Code. The Secret Key pair was originally used for testing purposes in pump.science's GitHub from the beginning, and the development team did not realize its importance.

From the scam URO Token page that appeared on pump.fun last night, it can be seen that the Wallet Address that deployed this fake Token is T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc. According to pump.fun platform, this Address has off-chain deployed the official Tokens Urolithin A (URO) and Rifampicin (RIF), with current Market Caps of approximately 87 million USD and 37 million USD respectively.

And this time the scam URO Token is on-chain issuance from the leaked Secret Key paired with the T5j2UBT starting Address. That's why it shows on pump.fun that the official deployer of URO and RIF Token has released a new coin.

pump.science stated that the Wallet, which is marked as the creator of off-chain Tokens URO and RIF on pump.fun, may issue more Tokens. Any other Tokens issued by this Wallet should be considered fraudulent, in addition to URO and RIF.

It is worth noting that the official pump.science has not taken any remedial or compensatory measures for those who mistakenly believe and dumb buying the fraudulent URO Token, which has caused widespread follow and discussion in the community.

pump.fun off-chain create function leads to confusion in displaying blockchain browsers and data tools

What also caused confusion in the community is the display of Token creator in pump.fun, blockchain explorer, and data tools.

pump.science official URO and RIF Token are created off-chain through pump.fun, while the fraudulent URO is created on-chain through pump.fun. However, the blockchain explorer solscan shows that the deployer Address of Urolithin A (URO) and Rifampicin (RIF) is: BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ.

Next, let's first understand the off-chain launch coin function of pump.fun. On the pump.fun platform, off-chain launch coin is free, and it will not be recorded on-chain immediately after token issuance until the first buyer appears. The first buyer needs to pay the token issuance cost. Therefore, for tokens created off-chain, the first buyer is often mistaken by blockchain explorers such as solscan or GMGN as the deployer of the token.

For example, after the official URO and RIF Token are created off-chain, the WalletAddress BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ of the first buyer is mistakenly marked as the deployer of the Token by solscan or GMGN.

Here, the author reminds investors to distinguish and verify the tokens created on-chain and off-chain at pump.fun to prevent falling into scams. In addition, be vigilant of any potential tokens starting with T5j2UBTvLY leaked by pump.science Walletissuance. At the same time, we also hope that the platform and token issuers can enhance security measures to prevent such fraudulent activities from happening again.