DeSci Project Pump Science Exploited After Private Key Leak on GitHub

Decentralized science platform Pump Science has fallen victim to a significant security breach following the leak of its private keys on GitHub, leading to the deployment of fraudulent tokens under its compromised profile.


On November 27, 2024, Pump Science alerted users about the creation and distribution of fake tokens, including Urolithin B through E (URO) and Cocaine (COKE), under its Pump.fun account. The attackers gained access to the private keys tied to the Pump Science profile, which were mistakenly published on the platform's GitHub repository. This allowed the malicious actors to mint fraudulent tokens using the project's name.


How the Exploit Happened

The breach occurred when the development team, BuilderZ, a Solana-based software firm working with Pump Science, accidentally left the private key of the project’s developer wallet in the GitHub codebase. BuilderZ had mistakenly assumed the private key was associated with a test wallet and, therefore, not important. This oversight led to the key being exposed and used to exploit the platform.
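The failure described above is that a key pasted into the codebase was assumed to belong to a test wallet. As an added illustration (not code from the article, Pump Science or BuilderZ), the stdlib-only Python check below finds Solana CLI keypair arrays in source text, derives each wallet address from the key bytes, and treats any address not on an explicit test-wallet allowlist as production; the sample source file and key bytes are constructed for the example.

```python
import json
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Solana CLI keypair files are a JSON array of 64 bytes: the 32-byte seed followed
# by the 32-byte Ed25519 public key, so the address is recoverable without any crypto.
KEYPAIR_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")

def b58encode(raw: bytes) -> str:
    """Base58 with the Bitcoin alphabet, as used for Solana addresses."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits

def find_leaked_keypairs(text: str, test_wallets: set) -> list:
    """Find embedded 64-byte keypairs, derive their address and classify each one.
    Anything not on the explicit test-wallet allowlist is reported as production."""
    hits = []
    for m in KEYPAIR_RE.finditer(text):
        nums = json.loads(m.group(0))
        if len(nums) != 64 or any(not 0 <= b <= 255 for b in nums):
            continue
        address = b58encode(bytes(nums[32:]))
        status = "known test wallet" if address in test_wallets else "UNKNOWN: treat as production"
        hits.append({"address": address, "status": status, "offset": m.start()})
    return hits

# Constructed sample source file (not real project code): two keypairs pasted into a config.
# The public-key halves are all zeros / 31 zeros plus 57 so the addresses can be checked
# by hand; real keys would be random bytes.
SAMPLE_SOURCE = (
    "const TEST_WALLET = " + json.dumps(list(range(1, 33)) + [0] * 32) + ";\n"
    "// TODO remove before release\n"
    "const DEV_WALLET = " + json.dumps(list(range(100, 132)) + [0] * 31 + [57]) + ";\n"
)
KNOWN_TEST_WALLETS = {"1" * 32}  # constructed allowlist of test-wallet addresses

if __name__ == "__main__":
    for hit in find_leaked_keypairs(SAMPLE_SOURCE, KNOWN_TEST_WALLETS):
        print(f"offset {hit['offset']}: {hit['address']} -> {hit['status']}")
```

Run as a pre-commit hook, this fails the commit whenever a keypair's address is not on the allowlist, which is the decision the team had to make by guesswork here.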


Pump Science, known for its focus on longevity medicine research, has worked to create tokens linked to various chemical compounds in the field. Rifampicin (RIF) and Urolithin A (URO) are the project’s only legitimate tokens; both saw their prices drop by more than 25% following the exploit.


Immediate Actions Taken by Pump Science

Following the attack, Pump Science warned users to avoid interacting with any new tokens issued under its compromised profile. The team renamed the Pump.fun profile to "dont_trust" and is working closely with blockchain security firm Blockaid to identify and flag any fraudulent mints originating from the exposed wallet.


To address the breach, Pump Science announced a series of security improvements. These include a full audit of its front-end system, the implementation of bug bounty programs to identify vulnerabilities, and a commitment to perform comprehensive app and smart contract audits before launching any future tokens. Additionally, the platform confirmed it will no longer issue tokens via Pump.fun.


Backlash from the Community

The exploit has drawn heavy criticism from the community, with many users questioning the project’s integrity and operational competence. Some have labeled the incident as a scam, while others have voiced concerns over the platform’s ability to manage security in a decentralized environment.

One community member, scudza, expressed frustration, tweeting: "'left the private key in the codebase' FML. Project deserves to go to zero."


Impact of Private Key Leaks

Private key leaks are a growing concern in the decentralized space, and this incident highlights the vulnerabilities that can occur due to simple human errors. According to CertiK, a leading blockchain security firm, private key leaks were responsible for some of the most significant security breaches in the space. In Q3 2024, leaks were the second most costly attack vector, resulting in over $324 million stolen across 10 incidents.


Pump Science is now working to restore trust with its users while addressing the flaws exposed by this attack. However, this incident serves as a stark reminder of the risks associated with private key management in blockchain-based projects.
