Following a serious security breach, Pump Science, a decentralized science platform, has issued an apology to its users. This incident involved the unauthorized exposure of a private key on GitHub, which allowed an attacker to create counterfeit tokens through the platform’s Pump.fun profile.
Incident Overview
During a recent ask-me-anything session on X, Benji Leibowitz, a spokesperson for Pump Science, openly acknowledged the gravity of the error, labeling it a major misstep. He reassured users that the team is implementing measures to prevent similar issues in the future and stated that they will stop issuing tokens via Pump.fun.
On November 25 and 26, the platform alerted its user community via posts on X about the misuse of the leaked private keys. The hacker exploited these keys to generate fraudulent tokens, including those for Urolithin B through Urolithin E ($URO) and Cocaine ($COKE). Pump Science strongly advised users to steer clear of any new tokens appearing under the compromised profile, underscoring that these tokens were unauthorized and the wallet had been compromised.
Response Measures
To address this situation, the Pump.fun profile has been rebranded as “dont_trust,” a move designed to dissuade users from purchasing fake tokens. Additionally, Pump Science has enlisted the help of a blockchain security expert, Blockaid, to keep an eye on any token launches stemming from the breached address.
The organization partially attributed the mishap to BuilderZ, a software company within the Solana ecosystem, which they said carelessly stored the private key for its developer wallet in a GitHub repository, mistakenly believing it belonged to a test wallet. However, Pump Science clarified that there was no way BuilderZ could have been involved in the attack due to significant differences in how tokens are deployed on Solana’s blockchain.
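The root cause described above, a wallet secret committed to a repository in the belief that it was only a test key, is exactly what a pre-commit or CI secret scan should catch. The following is an added example, not code from Pump Science, BuilderZ or the article: it scans text for the two forms a Solana secret key takes on disk, the 64-integer JSON array written by solana-keygen and the base58 string of the same 64 bytes, and reports the line of each hit; the sample file, key bytes and names are constructed for illustration.

```python
import json
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # base58 alphabet

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str):
    n = 0
    for ch in s:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

# solana-keygen stores the 64-byte secret key as a JSON array of 64 integers.
JSON_KEYPAIR_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")
# A 64-byte secret key in base58 is ~87 chars; a 32-byte public key is ~44.
B58_RUN_RE = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{80,90}(?![1-9A-HJ-NP-Za-km-z])")

def find_solana_secrets(text: str):
    """Return (kind, line_number) for each likely Solana secret key in text."""
    line_of = lambda pos: text.count("\n", 0, pos) + 1
    hits = []
    for m in JSON_KEYPAIR_RE.finditer(text):
        if all(0 <= b <= 255 for b in json.loads(m.group(0))):
            hits.append(("json-keypair", line_of(m.start())))
    for m in B58_RUN_RE.finditer(text):
        raw = b58decode(m.group(0))
        if raw is not None and len(raw) == 64:  # only full secret keys, not public keys
            hits.append(("base58-secret-key", line_of(m.start())))
    return hits

# Constructed sample: a keypair labelled "test wallet", a base58 secret key,
# and a harmless public key that must not be flagged.
SAMPLE_SECRET = bytes(range(64))  # constructed placeholder, not a real key
SAMPLE_FILE = "\n".join([
    "# deploy.cfg (constructed sample)",
    "RPC_URL=https://api.mainnet-beta.solana.com",
    "TEST_WALLET=" + json.dumps(list(SAMPLE_SECRET)),
    "PUBKEY=" + b58encode(bytes(range(32))),
    "DEPLOYER_KEY=" + b58encode(SAMPLE_SECRET),
])
print(find_solana_secrets(SAMPLE_FILE))  # [('json-keypair', 3), ('base58-secret-key', 5)]
```

Running this over staged files in a pre-commit hook (or over repository history) flags any key file regardless of what the surrounding variable name claims it is.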
Future Security Initiatives
Investigations have pointed to a potential connection between the hacker and an individual or group that recently targeted the wallet of James Pacheco, a founder of the Solana-based commodity tokenization project, elmnts.
In light of this breach, Pump Science is now taking steps toward a comprehensive audit of its platform. Moving forward, they will also introduce a bug bounty program, encouraging ethical hackers to test their protocol for vulnerabilities. Furthermore, the team is looking into improved key management practices to bolster security.
Looking ahead, Pump Science plans to ensure that all future token launches will only occur after a complete audit of their applications and smart contracts. They aim to finalize these security measures by the holiday season.
Pump Science is known for its marketplace focused on tokens related to longevity medicine. At present, they offer two tokens: Rifampicin (RIF) and Urolithin A (URO), boasting market capitalizations of $85.6 million and $37.2 million, respectively, according to CoinGecko. Rifampicin is primarily used in tuberculosis treatment, while Urolithin A is a dietary supplement recognized for its ability to enhance mitochondrial function, potentially providing antioxidant and anti-inflammatory benefits.
Source: Cointelegraph