Pump.Science Urolithin B Token Github Compromised Key
Latest revision as of 15:49, 21 January 2025
Pump.science is a crypto-powered research platform that enables people to launch and fund scientific experiments, particularly focused on longevity studies. Users can trade tokens representing life-extending compounds on Pump.fun, and when a token reaches a market cap of $10K, experiments are conducted to test the compound's effects on lifespan. On November 25, a new Urolithin B (URO) token was initially associated with the official URO and Rifampicin (RIF) tokens. The fraudulent URO token was launched using a wallet key pair leaked from the pump.science platform's GitHub repository. Pump.science has publicly announced the incident but does not appear to have any intention of compensating purchasers.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25]
About Pump Science
Pump.science is a crypto-powered research platform that enables people to launch and fund scientific experiments, particularly focused on longevity studies. Users can trade tokens representing life-extending compounds on Pump.fun, and when a token reaches a market cap of $10K, experiments are conducted to test the compound's effects on lifespan. Notable compounds like Urolithin A, which promotes cellular health by clearing old mitochondria, and Rifampicin, an antibiotic showing promise in aging research, are key players in this innovative approach to combining science, crypto, and community-driven research.
"pump.science is a crypto-powered research protocol enabling anyone to launch and fund research experiments, starting with longevity studies. Pump science was born from the belief that when the barriers to scientific creation fall, more good ideas and breakthroughs can rise. And it shouldn't be just about the science. — it should be fun too."
"Become a citizen scientist in this longevity prediction game. The tokens have real-world rights, and you can have a stake in the life-extending compounds.
- STEP 1: USE PUMP.FUN TO TRADE TOKENS IN THE COMPOUNDS IF YOU THINK THEY CAN EXTEND LIFE.
- STEP 2: WHEN A TOKEN REACHES A MARKET CAP OF $10K, THE DATA STREAM BEGINS
- STEP 3: EXPERIMENTS ARE PERFORMED AT ORA BIOMEDICAL ON THE WORMBOT (EXPLAINER VIDEO) OR AT TRACKED BIO IN THE FLYBOX
- STEP 4: DATA IS STREAMED TO PUMP.SCIENCE ON REGULAR TIME INTERVALS
- STEP 5: USE PUMP.FUN TO TRADE BASED ON YOUR PREDICTIONS OF THE DRUG'S EFFECT ON WORM LIFESPAN"
"Urolithin A is a compound that your body makes when you eat foods rich in ellagitannins, like pomegranates. What makes it special is its ability to give your cells a “spring cleaning.” It helps clear out old, dysfunctional mitochondria—the energy factories of the cell—allowing the fresh, healthy ones to thrive. This process, known as mitophagy, has been shown to extend the lifespan of C. elegans by making their cells more efficient and energetic. In human studies, Urolithin A has shown promise in boosting muscle health and energy, which tend to decline as we age. Think of it as a reset button for your cells, helping to keep them functioning at their best. While we’re still uncovering its full potential, Urolithin A is a fascinating link between diet, gut health, and longevity."
"Rifampicin is traditionally known as an antibiotic, but it’s been gaining attention for its surprising effects on aging. In tiny organisms like C. elegans (a model organism often used in aging research), Rifampicin has been shown to activate the cell’s natural defense mechanisms against stress and damage. Imagine it as a sort of "cellular coach," encouraging cells to stay healthy and resilient by protecting against harmful oxidative stress and maintaining the quality of proteins within the cell. These protective effects help the worms live longer and healthier lives. While it’s still early days, and we don’t yet know if Rifampicin can do the same in humans, its ability to promote cellular health makes it an exciting area of research in the quest for anti-aging therapies."
"Anyone, without permission, should be able to submit compounds for testing at no cost. Removing the cost component and gate-keepers from limiting potentially valuable products from reaching the market will increase the number of ideas submitted. The more submitted ideas, the more likely an idea will result in a valuable healthspan-extending product."
What Happened
On November 25, a new Urolithin B (URO) token was initially associated with the official URO and Rifampicin (RIF) tokens. The fraudulent URO token was launched after a wallet key pair was leaked from the pump.science platform's GitHub repository.
| Date | Event | Description |
|---|---|---|
| November 25th, 2024 5:11:09 AM MST | Urolithin B Launched | The Urolithin B token is launched on Solana using the compromised key. |
| November 25th, 2024 9:29:00 AM MST | Pump Science Post Made | Pump Science tweets a warning that the wallet behind the launch of the URO and RIF tokens has been compromised and that other tokens launched from the same wallet should be considered scams. |
| November 25th, 2024 6:44:00 PM MST | Foresight News Article | Foresight News publishes an article containing details of the exploit. |
| December 4th, 2024 1:01:00 AM MST | VeridiseInc News Posted | VeridiseInc posts on Twitter to notify about the Pump Science hack, among other events. |
Technical Details
"On the evening of November 25, an address marked as the creator of RIF and URO on pump.fun issued the Urolithin B (URO) token, leading many community members to mistakenly believe that this was an officially issued token by pump.science."
"According to pump.science officials, due to a lapse in their GitHub repository, the wallet address T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc was attacked, and the attacker found the key pair in the website's source code. This key pair was initially used for testing purposes in pump.science's GitHub, and the development team did not realize its importance.
From the scam URO token page that appeared on pump.fun last night, it can be seen that the wallet address deploying this fake token is indeed T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc. The pump.fun platform shows that this address had previously deployed the official tokens Urolithin A (URO) and Rifampicin (RIF), which currently have market caps of approximately $87 million and $37 million, respectively.
The scam URO token was issued on-chain by the address starting with the leaked key pair T5j2UBT. This is why it shows on pump.fun that the deployer of the official URO and RIF tokens released the new coin.
pump.science stated that this wallet was marked on pump.fun as the off-chain token creator for URO and RIF, and the attacker may use this wallet to issue more tokens; any other tokens issued by this wallet, besides URO and RIF, should be considered scams.
It is worth noting that pump.science officials have not taken any remedial or compensatory measures for users who were misled and purchased the scam URO token, which has sparked widespread concern and discussion in the community."
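The failure described above is a committed test key pair that turned out to control a wallet with a public role. As an added example (not code from pump.science or the quoted sources), the check below scans source text for 64-byte Solana-style key pairs and derives the wallet address each one controls, so a "test" key can be compared against wallets the project depends on. The function names, the sample file and the watched address are assumptions; the layout relied on (64 bytes, public key in the last 32) is the Solana CLI key pair format.

```python
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

# A Solana CLI key pair file is a JSON array of 64 bytes; wallets export the
# same 64 bytes as one base58 string of roughly 87-88 characters.
ARRAY_RE = re.compile(r"\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){63}\s*\]")
B58_RE = re.compile(r"(?<![%s])[%s]{86,88}(?![%s])" % (B58, B58, B58))

def find_keypairs(text):
    """Return sorted (line, encoding, wallet_address) for each 64-byte candidate."""
    found = []
    for m in ARRAY_RE.finditer(text):
        values = [int(v) for v in re.findall(r"\d+", m.group(0))]
        if max(values) <= 255:
            found.append((m.start(), "byte-array", bytes(values)))
    for m in B58_RE.finditer(text):
        raw = b58decode(m.group(0))
        if len(raw) == 64:
            found.append((m.start(), "base58", raw))
    # Bytes 32..63 of the key pair are the public key, i.e. the wallet address.
    return sorted((text.count("\n", 0, pos) + 1, kind, b58encode(raw[32:]))
                  for pos, kind, raw in found)

def audit(text, watched_addresses):
    """Mark findings whose derived address is a wallet the project relies on."""
    return [(line, kind, addr, addr in watched_addresses)
            for line, kind, addr in find_keypairs(text)]

# Constructed sample: 64 arbitrary bytes, not a real key pair or real wallet.
_FAKE = bytes(range(1, 65))
SAMPLE = ("// src/config.js (constructed)\n"
          f"const TEST_WALLET = {list(_FAKE)};\n"
          f'const EXPORTED = "{b58encode(_FAKE)}";\n')
WATCHED = {b58encode(_FAKE[32:])}  # stands in for a token creator wallet

if __name__ == "__main__":
    for line, kind, addr, critical in audit(SAMPLE, WATCHED):
        print(f"line {line}: {kind} key pair for {addr} critical={critical}")
```

The scan matches on shape only, so any 64-byte array is reported as a candidate. Every hit should be treated as exposed and rotated, and the check has to cover repository history as well as the current tree.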
Total Amount Lost
Users who bought the fraudulent tokens suffered losses, which have not been officially tallied.
There are also unconfirmed reports that some tokens in the T5j2UB... account were sold by the attacker.
The total amount lost is unknown.
Immediate Reactions
"Urolithin B (URO) quickly "graduated," and within two minutes of joining the liquidity pool, its market capitalization soared to $10 million, but then began to decline continuously, and its market cap has now fallen back to about $100,000."
After compromising the account and launching Urolithin B, the attackers launched new tokens including Urolithin C through F before finally launching Cocaine as a token. The official Pump Dot Science account denied that the T5j2UB... account was theirs, and claimed that Pump Dot Fun had attributed the wrong account to them.
"The DeSci project Pump Science [later] tweeted that the wallet T5j2UB...jjb8sc was exploited due to an oversight in their GitHub repository. The exploiter gained access to the keypair, which had been embedded in the source code of their website."
"Foresight News, DeSci project Pump Science tweeted that because of its negligence in the GitHub library, its T5j2UB initial wallet was attacked, and the attacker found a private key in the source code of the website; the private key was initially used in GitHub for testing purposes, the development team considers it unimportant; however, the wallet is actually marked as the founder of the sub-chain tokens of URO and RIF on pump.fun. The attacker may use the wallet to issue more tokens. All other tokens except URO and RIF should be considered fraud."
Ultimate Outcome
"This incident also seems to have affected the market performance of Urolithin A (URO) and Rifampicin (RIF), both of which dropped over 30% within 24 hours."
"This account is in blacklist due to participation in an exploit/hacking/fraud attempt. Please be careful when interacting with it."
Total Amount Recovered
The Pump Dot Science team does not appear to have discussed compensation in any form for affected users.
There do not appear to have been any funds recovered in this case.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- https://foresightnews.pro/news/detail/59033 (Accessed Jan 17, 2025)
- @pumpdotscience Twitter (Accessed Jan 17, 2025)
- Account T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc | Solscan (Accessed Jan 17, 2025)
- @VeridiseInc Twitter (Accessed Jan 17, 2025)
- pump.science Wallet Private Key Leak: An Unfinished Storm - ChainCatcher (Accessed Jan 17, 2025)
- Pump Science (Accessed Jan 17, 2025)
- welcome to pump.science | pump.science docs (Accessed Jan 17, 2025)
- https://www.bitget.com/news/detail/12560604374042 (Accessed Jan 17, 2025)
- @pumpdotscience Twitter (Accessed Jan 17, 2025)
- Transaction (Accessed Jan 17, 2025)
- Account T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc | Solscan (Accessed Jan 17, 2025)
- @longit08 Twitter (Accessed Jan 17, 2025)
- DeSci Project Pump Science Hacked After Private Key Leak (Accessed Jan 17, 2025)
- Pump Science Exploited: Fraudulent Tokens Minted – The Shib Daily (Accessed Jan 17, 2025)
- https://www.binance.com/en-AE/square/post/16839261617161 (Accessed Jan 17, 2025)
- Scientific blockchain platform Pump Science «lost» key, which immediately fell into the hands of hackers (Accessed Jan 17, 2025)
- Pump.Science Wallet Private Key Leak Leads to Fraudulent Tokens - HOKANEWS.COM (Accessed Jan 17, 2025)
- Transaction, https://solscan.io/tx/2A8WRcbrpxGnbvC6uZaGwStnVfho8z8rKH1cz57hcLhZUQgiPveQAVvKfsT5GWTDfq3EJYawdDoHj1MwafW4QVhZ (Accessed Jan 17, 2025)
- @pumpdotscience Twitter, https://twitter.com/pumpdotscience/status/1861080069021827114 (Accessed Jan 17, 2025)
- https://x.com/pumpdotscience/status/1861498997917331611 (Accessed Jan 20, 2025)
- https://x.com/pumpdotscience/status/1861590619363107096 (Accessed Jan 20, 2025)
- https://x.com/pumpdotscience/status/1861867756955775103 (Accessed Jan 20, 2025)
- https://x.com/pumpdotscience/status/1862172084035580340 (Accessed Jan 20, 2025)
- @EXVULSEC Twitter, https://twitter.com/EXVULSEC/status/1863886070040985950 (Accessed Jan 21, 2025)
- @EXVULSEC Twitter, https://twitter.com/EXVULSEC/status/1863879589904134231 (Accessed Jan 21, 2025)