Pump Science, a decentralized science platform, has apologized to its users after its private key was inadvertently exposed on GitHub. The leaked private key, T5j2UB…jjb8sc, allowed a ‘known attacker’ to hijack the wallet and create fraudulent tokens tied to its Pump.fun profile.
In a series of X posts from November 25 to November 27, Pump Science disclosed the security breach on one of its wallet addresses and asked its users not to trust any tokens released on its Pump.fun profile. The platform even changed its Pump.fun profile name to “dont_trust” to warn users not to buy any newly launched tokens.
Pump Science revealed the security attack on one of its wallet addresses
The company clarified that the private key, T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc, linked to their Pump.fun profile, was compromised, allowing ‘the known attacker’ to launch fraudulent Urolithin (URO) and Rifampicin (RIF) tokens.
Pump Science’s Benji Leibowitz, on November 27, in an X AMA session, said, “We do not want to diminish how much of a screw-up this was; we totally acknowledge that this is a huge issue and misstep on our part,” apologizing to the platform’s users.
Benji further guaranteed that such incidents would never occur again and stated that the platform would no longer release tokens on Pump.fun.
Moreover, the DeSci platform has maintained that security will be its top priority. It plans to incorporate consultative and competitive audits on its application and smart contracts. Once all necessary audits are done, any new tokens will be launched next year.
It is even working with blockchain security firm Blockaid to track any new mints from the compromised address.
Pump Science has its suspicions on who the attacker could be
Pump Science pointed to BuilderZ, a Solana-based software company, as partly at fault for the incident. They blamed the firm for leaving the private key for the developer wallet “T5j2U…jb8sc” exposed in their GitHub repository and mistakenly believing it belonged to a test wallet.
However, they explained that, after analyzing the techniques used to launch tokens on Solana’s chain, they did not think BuilderZ was the attacker.
Pump Science instead believes that the hacker could be the same person or group of people who hacked a wallet owned by James Pacheco, a founder of Solana-based commodity tokenization platform “elmnts.”