3.71M $JUP Tokens Linked to 4806 Emails in Jupiter Claim Site “Quirks”

Jupuary 2025 was one of Solana’s most eagerly anticipated liquidity events, distributing 700M $JUP tokens among 2M qualified wallets.

However, the Jupuary airdrop claim process was wildly controversial. Aiming to improve communications and security, Jupiter demanded that claimants create a ‘Jupiverse’ profile using an email address.

User concerns and complaints have since been validated, with a security “quirk” resulting in over 4,800 personal emails being linked to onchain wallets.

What steps have been taken to remedy this error, and what can affected users do to reclaim their privacy?

Jupuary Security “Quirk” Reveals Claimant Email Addresses

On January 25, Jupuary claims finally opened in earnest, the DeFi superapp bestowing Solana users with millions of $JUP tokens. Despite many Solana community members expressing concerns and frustration with having to provide an email address to claim their $JUP, Jupuary was largely a joyous occasion.

10 days later, these security concerns were confirmed. In an announcement, Jupiter Comms Lead Kash Dhanda revealed that a “quirk” in transaction handling for Ledger X SolFlare users resulted in 0.5% of Jupiverse email addresses being broadcast onchain alongside transaction signing.

The issue stemmed from Solflare’s optimized transaction pipelining, which are designed to improve transaction landing rates for Solflare users. 

While some wallet providers only required accounts to sign a message confirming the link between wallets and email address, Ledger only supports transaction signing. 

Jupiter designed a special flow for claimants using a Ledger hardware wallet that bypassed this constraint, but Solflare’s optimized pipelining automatically sends these transactions to the blockchain to boost transaction landing rates.

Dhanda admits that a handful of Jupiter developers were aware of this issue. However, the developer responsible for the Jupiverse profile system was not informed.

According to Flipside data, the security “quirk” exposed 4,806 email addresses, linking them to 6,371 wallets. The revealed wallets were collectively eligibible to claim 3.71M $JUP tokens, currently valued at over $3.1M.

Leak Reignites Jupuary Claim Criticism

The reveal of over 4,800 email addresses has provided plenty of ammunition for disgruntled Jupuary critics. 

Despite Jupiter’s previous commitment to implementing user feedback during various governance proposals, users were frustrated the the DeFi powerhouse chose to ignore the community’s concerns.

Concerns were further exacerbated following a recent hack, in which a malicious actor gained access to the Jupiter 𝕏 account.

In the face of criticism, Dhanda has acknowledged that Jupiter’s approach to designing Jupiverse profiles “was not ideal”. 

Jupiter has since deleted all linkages between wallets and email addresses. Moving forward, Jupiter will leverage zk tech to confirm that users have provided an email address, without needing to reveal any sensitive information. Dhanda has also recommended users consider using new email addresses and wallets moving forward.

Read More on SolanaFloor

Are $TNSR Holders diamond-handed?

More Than 64% of $TNSR Airdrop Claimants Have Held Onto Their Tokens

Refresh Your Crypto Security Essentials