- Attackers exploited an exposed private key from a hacked wallet to create unauthorized tokens.
- Off-chain token creation added complexity, making it harder to distinguish legitimate from fraudulent tokens.
- Pump Science partnered with Blockaid to flag unauthorized tokens and enhance transaction security.
Pump Science, a decentralized science (DeSci) platform on Solana, announced a security breach caused by a hacked wallet. The platform explained that the private key of their wallet, which produces URO and RIF tokens, was exposed due to developer oversight.
Attackers exploited this breach to create unauthorized tokens, misleading users and causing concern.
How the Attack Happened
The breach stemmed from a developer error that exposed the private key for the wallet, identified as T5j2U…jb8sc, in the platform’s codebase.
While this wallet was not originally intended as a developer wallet, its key was accessible through the Pump Science front-end, allowing attackers to exploit it.
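A key that is reachable through the front-end, as described above, is something a build-time scan of the shipped bundle can catch before release. The following is an added example, not code from Pump Science, Blockaid or the article; it assumes the two common serializations of a 64-byte Solana keypair (a 64-element byte array and a base58 string), and the function names and sample bundle are hypothetical.

```javascript
// Added example (not from the article): flag Solana secret-key material in
// front-end bundle text. Names below are hypothetical.
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

// Decoded byte length of a base58 string, or -1 on a non-base58 character.
function base58ByteLength(s) {
  let n = 0n;
  for (const ch of s) {
    const d = B58.indexOf(ch);
    if (d < 0) return -1;
    n = n * 58n + BigInt(d);
  }
  let zeros = 0; // each leading '1' encodes one 0x00 byte
  while (zeros < s.length && s[zeros] === "1") zeros++;
  let bytes = 0;
  for (; n > 0n; n >>= 8n) bytes++;
  return zeros + bytes;
}

// Returns [{kind, index}] and never the matched value, so CI logs stay clean.
function findSolanaKeyCandidates(text) {
  const hits = [];
  // Form 1: array of 64 byte values (the solana-keygen keypair file layout).
  for (const m of text.matchAll(/\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){63}\s*\]/g)) {
    const vals = m[0].match(/\d+/g).map(Number);
    if (vals.every((v) => v <= 255)) hits.push({ kind: "byte-array", index: m.index });
  }
  // Form 2: base58 token decoding to exactly 64 bytes (wallet-export form).
  // Transaction signatures are also 64 bytes, so these hits need triage.
  const b58 = /(?<![A-Za-z0-9])[1-9A-HJ-NP-Za-km-z]{80,88}(?![A-Za-z0-9])/g;
  for (const m of text.matchAll(b58)) {
    if (base58ByteLength(m[0]) === 64) hits.push({ kind: "base58-64", index: m.index });
  }
  return hits;
}

// Constructed sample bundle: placeholder values, not real key material.
const sampleBundle =
  'const a="' + "z".repeat(87) + '";const k=new Uint8Array(' +
  JSON.stringify(Array.from({ length: 64 }, (_, i) => i)) + ");";
console.log(findSolanaKeyCandidates(sampleBundle).map((h) => h.kind));
```

Run over the built output rather than the source tree, since the bundle is what users and attackers actually receive; a 32-byte address (up to 44 base58 characters) is deliberately ignored.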
Pump Science has identified all tokens generated from this wallet as fake, stressing that their team did not create any of these. They have also warned users not to trust the information on the compromised Pump Science profile page, which attackers have used to perpetuate the fraud.
The company explained that errors in token creation records contributed to the problem. Invalid tokens like $UFO and $RIF were created off-chain through the platform’s free token creation feature.
Because of this process, the initial buyers, not the company, appeared as the on-chain deployers of these tokens. This made it harder to distinguish between legitimate and fraudulent token issuances on platforms like Solscan and pump.fun.
Pump Science is working with security firm Blockaid to flag any new tokens generated from the compromised wallet. They are also updating scanning APIs to mark transactions involving these tokens with warnings.
Pump Science reiterated its commitment to user security and advised users to avoid interacting with any tokens linked to the breached wallet. The attacker still has the private key, so unauthorized token creation could continue.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.