The Pump Science team has released a report on a recent incident involving the issuance of unauthorized tokens by the Pump.fun developers’ profile.
Full report on yesterday’s incident:
TLDR:
Do not trust any new tokens launched from the pscience https://t.co/SahErfa0Rx profile or by the wallet address: T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8scthe wallet (T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc) behind our…
— Pump Science (@pumpdotscience) November 26, 2024
On November 25, the wallet T5j…b8sc, linked to the Pump.fun profile on the platform, was compromised. The hacker launched an unauthorized token on behalf of the team.
The developers emphasized that only URO and RIF are legitimate. The wallet T5j remains compromised, thus all other tokens issued by it are declared unauthorized and fraudulent.
The incident was caused by the carelessness of Solana developers BUILDERZ, who left the wallet’s private key in the code. The exploiter used this information to gain access to the wallet.
The team has ceased using the compromised wallet and promised to conduct a series of audits on the Solana interface and programs. A bounty program will also be announced to test the application’s security measures.
Update on recent events:
> our api key permissions got cooked
> hackers accessed the UI, posted fake experiments
> real devs caught the issue and implemented a fix
> currently running final tests before coming back onlineonly real tokens are $RIF / $URO
all new tokens announced…— Pump Science (@pumpdotscience) November 16, 2024
On November 17, Pump Science reported a similar incident. Hackers exploited a vulnerability in the API and posted fake experiments on the platform. The issue was soon resolved.
On November 26, Pump.fun disabled the streaming function due to moderation issues.