DeSci Project Pump Science Hacked After Private Key Leak
The decentralized science (DeSci) platform, Pump Science, which focuses on gamified longevity research, experienced a significant security breach when its private key was mistakenly exposed in its GitHub codebase.
This critical oversight enabled attackers to take control of the official Pump.fun crypto wallet, hijack its profile, and create fraudulent tokens in the platform’s name.
Initially, Pump Science used its Pump.fun profile to launch two legitimate tokens, Urolithin A ($URO) and Rifampicin ($RIF), which were connected to its longevity research initiatives.
However, after the private key for the wallet address “T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc” was exposed, an attacker exploited the vulnerability to create unauthorized tokens, including Urolithin B through E and Cocaine ($COKE).
These fraudulent tokens deceived users into believing they were genuine offerings. Consequently, the prices of the legitimate tokens dropped by more than 25%, reflecting a significant decline in community trust and confidence.
Pump Science Private Key Leak: Negligence or Mistake?
According to the team’s report, the breach occurred due to an oversight by BuilderZ, the Solana-based development team behind Pump Science. The developers inadvertently left the wallet’s private key in the GitHub repository, mistaking it for a test wallet.
This mistake made the key publicly accessible, and attackers took advantage of the error to take control of the wallet and its associated Pump.fun profile. Although the wallet was not originally intended to be the developer’s primary wallet, Pump.fun’s free token creation feature incorrectly linked it to the platform’s official profile, making the fraudulent tokens appear genuine.
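The root cause described above, a wallet keypair committed to a repository on the assumption that it was only a test wallet, is exactly what a secret scan run before every push is meant to catch. The following Python is an added example, not code from Pump Science, BuilderZ or Pump.fun: it flags the two forms in which a Solana secret key usually ends up in source, the 64-integer JSON array that the Solana CLI writes for a keypair file and a base58 string that decodes to 64 bytes, and runs over constructed sample files that contain no real keys. A 32-byte public key is deliberately not flagged, since publishing one is harmless.

```python
import json
import re

# Base58 alphabet used by Solana (and Bitcoin): no 0, O, I or l.
_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(_B58_ALPHABET)}


def b58decode(s):
    """Decode a base58 string to bytes; return None if any character is invalid."""
    n = 0
    for ch in s:
        idx = _B58_INDEX.get(ch)
        if idx is None:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' in base58 stands for one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw):
    """Encode bytes as base58 (used here only to build the constructed samples)."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58_ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


# A Solana CLI keypair file is a JSON array of exactly 64 small integers
# (32-byte seed followed by the 32-byte public key).
_JSON_KEYPAIR_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")
# 64 bytes encode to 87 or 88 base58 characters; a 32-byte public key is 43-44.
_B58_SECRET_RE = re.compile(r"[1-9A-HJ-NP-Za-km-z]{87,88}")


def find_solana_secrets(text):
    """Return a list of (kind, offset) for every candidate secret key in text."""
    findings = []
    for m in _JSON_KEYPAIR_RE.finditer(text):
        try:
            arr = json.loads(m.group(0))
        except ValueError:
            continue
        if len(arr) == 64 and all(0 <= v <= 255 for v in arr):
            findings.append(("keypair-json-array", m.start()))
    for m in _B58_SECRET_RE.finditer(text):
        raw = b58decode(m.group(0))
        # Only strings that really decode to 64 bytes are treated as secret keys.
        if raw is not None and len(raw) == 64:
            findings.append(("base58-secret-key", m.start()))
    return findings


def scan_repo(files):
    """Map each path that contains a candidate secret key to its findings.

    `files` is {path: text}; in a pre-commit hook this would be the staged files.
    """
    report = {}
    for path, text in files.items():
        hits = find_solana_secrets(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample repository contents (not real keys): a keypair file in
# Solana CLI format, a base58 secret in an .env line, and a public key in a README.
SAMPLE_FILES = {
    "config/dev-wallet.json": json.dumps(list(range(64))),
    ".env": "SOLANA_SECRET_KEY=" + b58encode(bytes(range(64, 128))) + "\n",
    "README.md": "Deploy authority pubkey: " + b58encode(bytes(range(32))) + "\n",
}


if __name__ == "__main__":
    for path, hits in scan_repo(SAMPLE_FILES).items():
        for kind, offset in hits:
            print(f"{path}: {kind} at byte {offset}")
```

Wired into a pre-commit hook or a CI job, `scan_repo` over the staged files blocks the commit that would have published the key; running the same scan over every historical revision is the check to make after the fact, because a key removed in a later commit is still recoverable from the repository history and must be treated as compromised and rotated.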
The attacker used their access to the wallet to create fake tokens that seemed to originate from Pump Science.
In response, Pump Science issued warnings advising users to refrain from interacting with any new tokens created under its Pump.fun profile or associated wallet address. To prevent further exploitation, the platform changed its Pump.fun profile to “@dont_trust.”
It also partnered with blockchain security firm Blockaid to identify unauthorized token creations and transactions originating from the compromised address.
Despite these measures, the attacker still controls the wallet and continues to create fraudulent tokens.
Pump Science has faced severe criticism from its community, with users accusing the project of negligence and expressing frustration at the lack of adequate preventive measures. Some have even labeled the project as a scam, citing the security oversight as evidence of deeper incompetence.
Rebuilding Trust and Addressing Vulnerabilities
Following the hack, Pump Science has committed to conducting a comprehensive review of its security protocols. The platform plans to audit its front-end systems and Solana programs to identify and fix vulnerabilities.
It has also pledged to conduct competitive audits and launch bug bounty programs to ensure the strength of its infrastructure.
Furthermore, Pump Science announced that it will not introduce any new tokens until its systems have been fully secured and independently verified through extensive audits.
The incident is part of a broader challenge facing the decentralized finance (DeFi) ecosystem, particularly the crucial need for robust private key management.
According to a recent report by blockchain analytics firm CertiK, private key leaks resulted in losses of over $324 million across ten incidents during Q3 2024.
Earlier this month, Metawin, a crypto casino platform, also experienced a $4 million hack on November 3, with funds stolen from its Ethereum and Solana hot wallets due to a private key leak. The stolen funds have been traced to KuCoin and a HitBTC nested service, while the identity and motive of the attacker remain unknown.