Decentralized science platform Pump Science has recently fallen victim to a security breach after its private key was leaked on GitHub, leading to the creation of fraudulent tokens on its Pump.fun account. The attack, which occurred on Nov. 27, allowed the perpetrator to generate tokens such as Urolithin B through to E (URO) and Cocaine (COKE) under Pump Science’s compromised profile.
Pump Science’s platform is dedicated to creating tokens related to longevity medicine research, offering a gamified approach to that research and connecting token holders with intellectual property rights for chemical compounds. The project allows token holders to sell “intervention” rights to suppliers, merging research and commerce. So far, the project has launched only two tokens, Rifampicin (RIF) and Urolithin A (URO), both of which experienced a significant drop in price following the exploit.
The leak of the private keys was attributed to an oversight by BuilderZ, a Solana-based software development firm behind Pump Science, which inadvertently published the keys in the project’s GitHub codebase. The keys were mistakenly identified as belonging to a test wallet and were considered unimportant, which led to their exposure. Pump Science has since renamed its Pump.fun profile to “dont_trust” and is working with blockchain security firm Blockaid to prevent further fraudulent activity.
In response to the breach, Pump Science has pledged to conduct a complete audit of its front-end system, implement bug bounty programs for penetration testing, and only launch future tokens after thorough app and smart contract audits. The platform has also announced that it will no longer launch tokens on Pump.fun to mitigate security risks.
The incident has sparked criticism from the community, with some users questioning the project’s competence and labeling it as a scam. Private key leaks are a common cause of security breaches in the decentralized space, with blockchain analytics firm CertiK reporting that such incidents resulted in $324.4 million stolen across 10 incidents in Q3 2024.
As Pump Science works to address the aftermath of the breach and enhance its security measures, the incident serves as a reminder of the importance of safeguarding private keys and conducting regular security audits in the decentralized ecosystem.