The Pump Science team has released a report addressing a recent incident involving unauthorized token creation linked to the Pump.fun developer profile.
Update on recent events:
— Pump Science (@pumpdotscience) November 16, 2024
> our api key permissions got cooked
> hackers accessed the UI, posted fake experiments
> real devs caught the issue and implemented a fix
> currently running final tests before coming back online
only real tokens are $RIF / $URO
all new tokens announced…
On November 25, the wallet T5j…b8sc, associated with the Pump.fun profile on the platform, was compromised. The attacker used the team’s credentials to issue an unauthorized token.
Developers clarified that only URO and RIF are legitimate tokens. Since the wallet T5j remains compromised, all other tokens issued from it have been declared unauthorized and fraudulent.
The incident stemmed from negligence by Solana-based developers at BUILDERZ, who left the wallet’s private key exposed in the code. The exploiter leveraged this oversight to gain access to the wallet.
Pump Science announced it had ceased using the compromised wallet and pledged to conduct comprehensive audits of Solana’s interface and programs. Additionally, the team plans to launch a bug bounty program to test and strengthen the app’s security measures.
On November 17, Pump Science reported a similar issue, where hackers exploited an API vulnerability to publish fake experiments on the platform. The problem was swiftly resolved.
As a reminder, on November 26, Pump.fun disabled its streaming feature due to moderation challenges.