proxied.tech

The problem with dev.fun and store.fun.

2025-11-02 • #security, #solana


Understanding the store.fun security issues and why dev.fun should die

DISCLAIMER

All security issues described in this post were responsibly disclosed to the project owners. I was told they were being fixed; they never were.

Understanding Dev.fun

Dev.fun is an IPO-style launch platform built on Solana by the founders of pump.fun. It encourages shipping vibe-coded apps straight into production and launching a memecoin tied to each one to raise funds.

Understanding the Store.fun platform

Store.fun is a merchant platform focused mainly on Solana integrations for shipping plushies, stickers and meme-related merch. It appears to have a Stripe integration as well, but the majority of the platform runs on Solana.

Where the fun begins

After visiting Dev.fun you are greeted with a list of featured projects, with store.fun first: highest market cap, highest volume, and officially partnered with Dev.fun / Pump.fun.

As soon as I saw sakysysfksculqobozxi.supabase.co I knew it was over. As with almost every Supabase setup I have looked at, there were numerous issues. Supabase fronts the Postgres database with PostgREST, which serves an OpenAPI description of every exposed table, view and RPC to anyone holding the project's anon key, the key every browser client ships with. So after dumping the OpenAPI spec and combing through it, I started testing each exposed resource.
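The enumeration step above, as an added example (my code, not store.fun's or Supabase's): pull the PostgREST OpenAPI document, list the tables and views it exposes, and try an anonymous SELECT on each. The sample spec and canned responses are constructed so it runs offline; against a live project you would swap in make_http_fetch() with the project URL and anon key.

```python
"""Enumerate what a Supabase project exposes through PostgREST and probe each
resource anonymously.  Added example, not store.fun's or Supabase's code."""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Callable

# A fetch callable returns (http_status, response_body).  Injecting it keeps the
# probing logic testable offline; make_http_fetch() builds the real one.
Fetch = Callable[[str], tuple[int, str]]


def extract_resources(openapi: dict) -> list[str]:
    """Pull table/view names from a PostgREST OpenAPI document.

    PostgREST lists every exposed table and view as a top-level path ("/orders")
    and stored procedures under "/rpc/<name>"; the root path is the spec itself.
    """
    names = set()
    for path in openapi.get("paths", {}):
        if path in ("", "/") or path.startswith("/rpc/"):
            continue
        names.add(path.strip("/"))
    return sorted(names)


def probe(names: list[str], fetch: Fetch) -> dict[str, str]:
    """Try an anonymous SELECT on each resource and classify the outcome.

    Caveat: PostgREST answers 200 with "[]" both for an empty table and for a
    table whose RLS policies filter out every row, so EMPTY_OR_FILTERED is not
    proof of protection; only 401/403 is a hard deny.
    """
    results: dict[str, str] = {}
    for name in names:
        status, body = fetch(f"/rest/v1/{name}?select=*&limit=1")
        if status == 200:
            try:
                rows = json.loads(body)
            except ValueError:
                rows = None
            results[name] = "READABLE" if isinstance(rows, list) and rows else "EMPTY_OR_FILTERED"
        elif status in (401, 403):
            results[name] = "DENIED"
        else:
            results[name] = f"HTTP_{status}"
    return results


def make_http_fetch(base_url: str, anon_key: str) -> Fetch:
    """Real fetch for a live project.  PostgREST on Supabase expects the anon key
    in the apikey header; sending it as a bearer token too mirrors what the
    browser client does when no user is logged in."""
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}"}

    def fetch(path: str) -> tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")

    return fetch


# --- constructed sample data so the script runs offline ----------------------
SAMPLE_SPEC = {  # constructed; shaped like a PostgREST swagger 2.0 document
    "swagger": "2.0",
    "paths": {
        "/": {},
        "/request_headers_log": {},
        "/admin_orders_view": {},
        "/orders": {},
        "/profiles": {},
        "/rpc/mark_shipped": {},
    },
}

SAMPLE_RESPONSES = {  # constructed; what a hypothetical project might answer
    "request_headers_log": (200, '[{"id": 1, "headers": {"authorization": "Bearer ..."}}]'),
    "admin_orders_view": (200, '[{"order_id": 1, "address": "..."}]'),
    "orders": (200, "[]"),
    "profiles": (401, '{"message": "permission denied for table profiles"}'),
}


def fake_fetch(path: str) -> tuple[int, str]:
    name = path.split("/rest/v1/", 1)[1].split("?", 1)[0]
    return SAMPLE_RESPONSES.get(name, (404, "{}"))


def run_offline_demo() -> dict[str, str]:
    return probe(extract_resources(SAMPLE_SPEC), fake_fetch)


if __name__ == "__main__":
    # Live use: fetch = make_http_fetch(url, anon_key)
    #           spec = json.loads(fetch("/rest/v1/")[1])
    #           probe(extract_resources(spec), fetch)
    for name, verdict in run_offline_demo().items():
        print(f"{verdict:18} {name}")
```

Anything that comes back READABLE with the anon key alone is readable by every visitor of the site, because the anon key is in the page source by design; that is exactly the situation with the two views discussed next.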

The most disgusting logging ive ever seen

The first route I tested was /request_headers_log. The name seemed interesting, and by the grace of god I have never seen anything so cursed.

It was a log of every request sent to the platform, including the auth tokens from their Authorization headers, and it was readable through the public API. As low as my hopes for this platform's security were, even this is wild: a bearer token sitting in a readable log is a session for whoever reads it, at least until the token expires.
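If you genuinely need a request log, this is the shape it should take. Added example, my code rather than anything from store.fun: credential-carrying headers and query parameters are masked before the record is written, and the caller's role is taken from the JWT's claims instead of storing the token. The header names beyond the standard ones (apikey, x-supabase-auth) and the sample request are assumptions/constructed for the demo.

```python
"""Log request metadata without keeping the credentials.  Added example, not
store.fun's code; header names beyond the standard ones are assumptions."""
from __future__ import annotations

import base64
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Headers that carry a credential.  apikey / x-supabase-auth are Supabase-specific
# names (assumed here); the rest are standard.
SENSITIVE_HEADERS = {"authorization", "apikey", "cookie", "set-cookie",
                     "x-api-key", "x-supabase-auth", "proxy-authorization"}
SENSITIVE_QUERY_PARAMS = {"apikey", "token", "access_token"}


def mask_secret(value: str) -> str:
    """Keep the auth scheme and the last four characters for correlation only."""
    m = re.match(r"^(Bearer|Basic|Token)\s+(\S+)$", value, re.IGNORECASE)
    scheme, secret = (m.group(1), m.group(2)) if m else ("", value)
    tail = secret[-4:] if len(secret) >= 12 else ""
    return f"{scheme} ***{tail}".strip()


def jwt_role(token: str) -> str | None:
    """Read the 'role' claim from a JWT *without* verifying it: enough to record
    whether a request was anon / authenticated / service_role, never the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims.get("role") if isinstance(claims, dict) else None


def redact_headers(headers: dict[str, str]) -> dict[str, str]:
    return {name: mask_secret(value) if name.lower() in SENSITIVE_HEADERS else value
            for name, value in headers.items()}


def redact_url(url: str) -> str:
    """PostgREST also accepts apikey as a query parameter, so scrub the URL too."""
    parts = urlsplit(url)
    query = [(k, "***" if k.lower() in SENSITIVE_QUERY_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="*")))


def build_log_entry(method: str, url: str, headers: dict[str, str]) -> dict:
    """What should land in a request log: redacted headers, redacted URL, and the
    caller's role derived from the bearer token instead of the token itself."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    token = auth.split(" ", 1)[1] if " " in auth else ""
    return {
        "method": method,
        "url": redact_url(url),
        "headers": redact_headers(headers),
        "auth_role": jwt_role(token),
    }


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for the demo (the signature segment is junk)."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([b64(b'{"alg":"HS256","typ":"JWT"}'),
                     b64(json.dumps(claims).encode()),
                     "notarealsignature"])


SAMPLE_TOKEN = _fake_jwt({"role": "authenticated", "sub": "user-123"})
SAMPLE_REQUEST = {  # constructed request, not captured traffic
    "method": "GET",
    "url": "https://example.supabase.co/rest/v1/orders?select=*&apikey=PUBLICANONKEY",
    "headers": {"Authorization": f"Bearer {SAMPLE_TOKEN}",
                "apikey": "PUBLICANONKEY",
                "Cookie": "session=abcdef0123456789",
                "User-Agent": "Mozilla/5.0"},
}


def demo() -> dict:
    return build_log_entry(**SAMPLE_REQUEST)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The role claim is read without signature verification on purpose: the log is recording what the caller presented, not granting anything on the strength of it, and verification belongs in the API layer that actually authorizes the request.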

Digging Deeper On Orders

After recovering from the mental shock of /request_headers_log I moved on to the admin order views.

The first one exposed transactions but no order details, so I tried /admin_orders_view.

That view lets anyone pull all the shipping information tied to any order id or order number, or everything tied to a given wallet address. Worth knowing if you run Supabase yourself: a Postgres view executes with its owner's privileges unless it is created with security_invoker (Postgres 15 and later), so row level security on the underlying orders tables does nothing for an admin_* view that the anon role is allowed to select from.

Crypto Culture

Unfortunately it is common for crypto projects like Store.fun to be this insecure, simply because they do not care. The priority is deploying as fast as possible to drive volume on the memecoin, with problems to be fixed later (or, as here, never).

Why Dev.fun should die

Promoting shoddy vibe-coded projects to the masses is a horrible idea that will almost always lead to leaked data. Fortunately the platform only has around 300 members, but data leakage is data leakage.