Author: Wu Shuo


We invited Tommy, a researcher from Bitget, and Lisa, the operations manager of the SlowMist security team, to discuss the risk assessment of listings on exchanges, on-chain security issues, and how investors can protect their assets. The two guests shared their experiences in evaluating new projects, monitoring listed tokens, and dealing with hacker attacks. They also discussed the security risks that investors and institutions need to pay attention to in the current cryptocurrency market and how to use new tools to improve security.

Opening Introduction

Tommy:

Hello everyone, I am a researcher who has worked at the crypto exchange Bitget for two and a half years. Bitget started with a team of only two or three hundred people, with its main business being contracts and copy trading. Today, its contract product market share is nearly 27%, and the platform has more than 30 million visits per month. It has developed into a full-ecological crypto trading platform with more than 25 million registered users in more than 100 countries and regions around the world.

In my more than two years of work experience, I have hardly made PPTs except for organizing sharing sessions for VIP customers. The team always attaches importance to efficiency and being results-oriented, rather than to formal presentations and tedious reports. The team members of our research institute have diverse skills, including top talents who are good at designing and implementing DeFi products, as well as experts with deep experience in on-chain data analysis.

Lisa:

Hello everyone, I am Lisa, the head of operations at SlowMist. SlowMist is an industry-leading blockchain security company with rich on-chain and off-chain security experience, and has also accumulated many years of experience in threat intelligence. SlowMist mainly provides "integrated security solutions from threat discovery to threat defense, tailored to local conditions", such as security auditing and anti-money laundering tracking and tracing services. The name SlowMist comes from "The Three-Body Problem". The SlowMist Zone is a safe area in The Three-Body Problem, which also symbolizes that SlowMist is a safe area in the dangerous "dark forest" of blockchain. We have also established a white hat community called "SlowMist Zone", which currently has more than 300,000 participants.

How to conduct risk assessment before listing a coin? Are the assessment strategies for emerging projects and well-known projects different?

Tommy:

Bitget's risk assessment is led by the research institute, with the assistance of the audit and risk control teams. First, we will comprehensively review the project's track, team background, and investor history. If the project involves Bitget's risk control red lines, such as pornography, gambling, drugs, or politically sensitive factors, we will directly reject it. In addition, projects that have been sued by the SEC or have a negative reputation will also be rejected, such as PulseChain (PLS). Although it was very popular before TGE, we have temporarily declined cooperation due to its disputes with the SEC and negative comments.

Secondly, we will evaluate the project's token economic model, FDV at launch, and initial circulating market value. If these values are too high, we may reject or request adjustments. Projects with high market value and low potential often make retail investors take over. We have also seen recently that some VC coins with good financing have fallen by 90% after launch. We will also avoid such tokens in the future. However, in any case, the future trend of a project or token is difficult to accurately predict, and we can only minimize the losses of traders through methodology.

For non-first-time projects, especially the recently launched Memecoins, we will pay special attention to contract risks, chip concentration, LP pool lock-up, etc. For emerging projects, we will be more cautious, but at the same time we will also be inclusive of innovation, such as UNIBOT, which was first launched by Bitget. Initially, UNIBOT retained contract permissions such as "transaction tax can be modified, black/white list mechanism" due to the design needs of the project itself, which had certain drawbacks. However, after analyzing the Unibot profit model, the research team believed that the project had certain sustainability and no reason to Rug, so it was finally launched firmly and brought good returns to traders; another example is ORDI. We believe that the innovation of BRC-20 can reactivate the Bitcoin ecosystem and gain the support of the miner community.

How to evaluate VC coins and community coins? How to view the difference between the two?

Tommy:

From a business-oriented perspective, Bitget's core goal is to provide users with a rich selection of assets and investment opportunities while keeping risks under control. Some VC coins were very popular during TGE, but their concepts or token economic designs were not considered sufficient to support their FDV in the evaluation; however, not listing these tokens may cause users to question us, especially when both retail and large customers believe that we should provide such options. It is their decision whether to buy or not, and we also need to provide this opportunity. For tokens with higher market capitalization, we usually launch contracts on the day of listing or the next day for traders to go long or short.

Internally, we will give S-level treatment to top-tier projects with high traffic and huge growth potential. If a project has high traffic and strong investors, but the product is not solid enough or the community performance is average, we will downgrade it to A-level. Although A-level projects will not be promoted as strongly as S-level projects, from the perspective of the exchange, such projects are still worth listing.

How to continuously monitor the performance and risks of a project after listing?

Lisa:

Compared with the complete public chain audit or smart contract audit, SlowMist will pay more attention to the security threats of assets when assisting exchanges in currency evaluation. Technical considerations are of paramount importance. For example, we will review the security of the source code to ensure that it is continuously maintained and updated. For example, we will pay attention to the random number security of the private key to ensure that a reliable random number source is used, and at the same time check the security of cryptography to confirm that the algorithms used have been reviewed by the industry and that the cryptographic components are mature and reliable. We also attach great importance to the risks of economic models, such as potential pyramid schemes or death spirals. Of course, team risk is also key, especially whether there are special permissions or tokens are too concentrated, which may lead to the risk of running away or smashing the market.

Exchanges are often targeted by hacker attacks. They usually place their servers behind defense systems, and even need to host core services that manage funds offline. However, due to the strict requirements of blockchain systems for data integrity, some malicious transactions may bypass the protection of peripheral security systems, leading to fake recharge problems. Common fake recharge attack methods include counterfeit coins, especially when there are loopholes in the judgment logic of certain currency transactions and transfers in the exchange. Attackers may construct fake recharge transactions, causing exchanges to mistake them for legitimate recharges, thereby crediting users. In addition, it is also a common method to use the RBF function in the Bitcoin protocol for fake recharges. Attackers replace previous transactions by paying higher fees, causing exchanges to misjudge and cause asset losses.

It should be noted that fake recharge attacks are not loopholes in the blockchain, but attackers use some characteristics of the blockchain to construct special malicious transactions. In order to prevent fake recharge attacks, manual audits can be adopted, especially for large or high-risk transactions. In addition, by conducting security authentication and regular reviews of external API interfaces to ensure the security of the API, unauthorized access and potential vulnerabilities can also be effectively avoided.

Tommy:

After the project is launched, if there is a risk, the market will react more quickly, and Bitget will immediately discuss whether to urgently remove the project and take measures to protect users. We have also been monitoring the performance of all listed tokens, and have recently begun to strengthen management in this area. More ST (special treatment) tokens may appear in the future.

If these ST tokens fail to improve their fundamentals or liquidity within the specified period, we will consider delisting them. Many projects perform poorly after they are launched, and the project owners may "let the project rot" and no longer actively promote the project, resulting in a deterioration in market depth. Novice users encounter large slippage when buying and selling, which seriously affects the user experience. We are actively addressing this issue.

In terms of protecting against token risks, we do more work before listing. In the first wave of the Meme token craze, Bitget rejected many high-risk Meme tokens, such as those with unreasonable distribution methods, too many tokens held by the project party, or faked on-chain holder-address data. Even if the project party offered to pay the listing fee, we refused to list them.

What typical on-chain security incidents has SlowMist handled?

Lisa:

Since the establishment of SlowMist, we have handled a large number of on-chain security incidents. Here I share two types of cases: one is the incident where the project party was attacked, and the other is the case where the user's personal data was stolen.

The first is the Poly Network incident in 2021, which was one of the most damaging attacks at the time, involving an amount of up to 610 million US dollars. After the incident, Poly Network released the news of the attack at around 20:00 that night, and Tether promptly froze part of the USDT on the hacker's address at around 21:00. We found some of the attacker's identity information and IP address at around 11 o'clock that night and began to track the flow of funds. The next afternoon, the hacker began to return the funds. This incident is a milestone for SlowMist. Through this incident, we have summarized a set of emergency warning and defense processes, including rapid response and on-chain anti-money laundering, to reduce losses and lock assets.

Another type of case is theft from individual users. In February of this year, a user came to us and said that he had been robbed. The hacker disguised himself as a reporter from a well-known media and guided the victim to click on a link with a malicious script, which eventually stole the victim's account permissions and funds. The victim contacted us after the theft and disclosed his experience. After we found that the funds had been transferred to an exchange, we immediately contacted the exchange for a temporary freeze. Although the case filing process was complicated, the victim successfully recovered the stolen funds three and a half months later. This is the first case in Taiwan's judicial history to assist law enforcement agencies in completing the freezing of funds and returning them to the victim through tracking analysis and proof of wallet owner without specific suspect information.

Through these cases, I would like to share some experience. If unfortunately stolen, the first thing to do is to stop the loss in time and see if there is still a chance to save it. For example, when the authorization is stolen, cancel the authorization in time; when the private key or mnemonic is stolen, transfer the remaining assets immediately; if the PC is infected with a Trojan, disconnect from the Internet immediately but do not shut down the computer to facilitate subsequent evidence collection, change the passwords of various platforms saved in the computer, and change the wallet. Record the timeline and detailed description of the theft, seek help from a third-party security team, and request assistance from law enforcement after the case is filed. These measures are important steps to protect personal assets.

How to determine whether a token contract or interactive project is safe?

Lisa:

The easiest way is to check the code. But if you don't understand technology, as a novice or someone who doesn't know much about technology, you can learn more about some classic phishing or fraud cases, identify their characteristics and forms, and be more vigilant. Pay special attention to traps in the project, such as fake tokens that can only be bought but not sold. When judging a project, note that high returns and high rates of return are usually accompanied by high risks. Investigating whether the team is open and transparent and whether the members are well-known can reduce the probability of running away or fraud. In addition, checking whether the code has been security audited is also a guarantee. It is recommended that everyone try to participate in the top projects, because even if they are attacked, there are usually compensation plans, which can relatively better guarantee the safety of assets.

Tommy:

I think most ordinary players may not have the ability or time to check the security of the code. The easiest way is to use some reliable third-party tools, such as GoPlus, which supports many chains, especially EVM chains. Solana users can try RugCheck and gmgn ai, which can help detect the risks of tokens. When speculating on the chain, some tokens may not publish contracts or retain the right to modify transaction taxes, which may lead to some bad behaviors, such as the project party adjusting the selling tax rate to 99% or 100% after a large amount of funds have poured in, which is also a scam.

In addition, non-custodial wallets such as Bitget Wallet now also have built-in risk warning functions. When trading high-risk tokens, you will receive a reminder, which is very friendly to novice users. For friends who participate in DeFi financial management, in addition to well-known projects, I will also pay attention to the TVL of the project. If a project's TVL exceeds 50 million US dollars, I may consider participating, but pay attention to whether this is through the investment of multiple users or only one or two large wallets. For large pools with TVL exceeding tens of millions of dollars, even if moral risks occur, the problem is easier to solve.

What are the on-chain operation security recommendations for ordinary users and institutional users respectively?

Tommy:

For ordinary users, my suggestions are as follows: First, carefully check the authenticity of the URL when visiting the website. Second, when authorizing tokens, avoid unlimited authorization and cancel the contract authorization of small projects in a timely manner. If you do not participate in DeFi operations, you can choose a centralized exchange with proof of reserves to perform simple financial operations. If you are a Bitcoin holder, using a hardware wallet is a good choice.

For institutional users, they are usually more aware of security measures, but it is still recommended to use multi-signature wallets and strictly manage permissions. When a security incident occurs, timely remediation is required to avoid ignoring small problems in the early stages, as these problems may lead to greater losses. It is also very important to hire professional security personnel to conduct security audits and assessments, such as working with security agencies to conduct penetration tests.

Lisa:

When it comes to on-chain operations, wallet security is key. Wallet asset thefts are generally divided into three categories: private key or mnemonic phrase theft, authorization signature phishing, and transfer destination address tampering.

The key to preventing the theft of private keys and mnemonics is to avoid using fake wallets. Many users obtain wallets through search engine ads or third-party download sites, which pose a risk of private key mnemonics being stolen. In addition, malicious browser extensions may also steal user authentication information and sensitive data. It is recommended that users only install extensions from trusted sources, use different browsers to isolate plug-in browsing and fund transactions, and regularly use antivirus software to check devices.

The most common type of phishing is blind signing, which means that the user signs without knowing the content. Especially in offline signatures, users often think that signatures are not on the chain and do not consume gas, so they relax their vigilance and their funds are stolen. The authorization traces of offline signatures are only visible in the phisher's address, which is difficult for the victim to detect.

The key to preventing risks in on-chain operations lies in domain names and signatures. It is recommended that users try to "see what you sign" and refuse blind signatures. If you do not understand the content of the signature, it is best to give up the operation. In addition, measures such as installing anti-virus software, enabling two-factor authentication, and carefully clicking on unknown links can also improve account security. Finally, improve safety awareness by studying cases. Do not act rashly due to emotional impulses. When in doubt, verify from multiple parties to ensure safety. The "Blockchain Dark Forest Self-Help Manual" written by Yu Xian, the founder of SlowMist, is worth reading.

What are the common security risks of Memecoins transactions?

Tommy:

For the pre-sale Memecoin, many traders will quickly enter the market at the opening, through bots, self-written codes, or using platforms such as gmgn ai to snipe. However, the project party may postpone the opening time for various reasons, causing many people to snipe fake tokens. These tokens have the same ticker name and image. When the real token opens, there are already four or five fake tokens on the market that are ready to run away. Therefore, when participating in this high-heat pre-sale token, you must wait for the contract confirmed by the project party to go online, otherwise it is easy to be deceived.

At present, the abandonment of Meme coin contract rights, the dispersion of chips, and the destruction of LP have become basic requirements. Meme traders are very strict about these requirements. Once they find that suspected internal personnel of the project have bought in advance, others are unwilling to participate.

In addition to these basic requirements, I think the liquidity of the LP pool should be at least $300,000 to $500,000, which is the minimum standard. The risk of a small pool rug is extremely high and the return is limited. In addition, the FDV at the time of TGE cannot be too high. If a Memecoin has a small transaction volume on the chain and a low level of discussion on social media, but has a FDV of tens of millions, this is very suspicious.

In addition, many Memecoin developers will not only release one token, but also release multiple at the same time. If a developer has released multiple Rug Memecoins before, the possibility of him rugging again is also high. Therefore, everyone should be wary of new projects from these developers.

Lisa:

There are some different on-chain risks when charging Memecoin on Ethereum and Solana chains. The EVM series of public chain tokens have a higher degree of freedom in issuing tokens, and the logic of the tokens is implemented by developers; while Solana issues tokens through official channels, so their on-chain transaction risks are also different.

Common risk types include malicious tokens and rug pull tokens. For example, some Memecoins are highly discussed, but when users want to sell them, they find that their addresses are blocked and cannot be sold. These tokens usually limit transfers by setting special logic, which prevents users from selling tokens. In addition, rug pull tokens may contain backdoor logic for issuing a large number of additional tokens, and the project party can perform malicious operations through privileged functions or freezing user addresses.

What new technologies and tools can help users improve on-chain security?

Lisa:

At the beginning, we mentioned Scam Sniffer, a phishing risk blocking plug-in that is very useful and that I personally use. In addition, their authorization management tool is also worth recommending. Revoke.cash is also a classic tool for canceling and checking authorizations. Furthermore, the antivirus software we mentioned, such as AVG and Kaspersky, are also relatively reliable choices.

In addition to these authorization and phishing blocking tools, GoPlus is also a good tool that can effectively detect Pixiu disks and Pixiu coins. I highly recommend it. In addition, there are some tools related to local devices, such as 1Password, a well-known password manager, and 2FA authentication tools. Although they need to be backed up to prevent loss, their security is far better than not using two-factor authentication.

In addition, I would like to recommend SlowMist's MistTrack anti-money laundering tracking system. We have launched a black U detection tool based on MistTrack, where users can view their scores by entering transaction addresses to help identify and avoid money laundering risks.

These tools can help improve on-chain security, but they cannot guarantee absolute security. New versions may have bugs or even implant backdoors. Therefore, I recommend that you think independently when using these tools, practice zero trust principles, and continue to verify. It is crucial to remember that there is no absolute security.

What other areas do you think the crypto industry needs to strengthen security measures?

Lisa:

The crypto industry cannot ignore security issues. A mistake may result in millions of dollars in losses, leading to project paralysis or personal bankruptcy. All fields are facing the risk of hacker attacks. Based on the security bucket effect, strengthening security measures is an overall need, because every link, including users, project parties and supply chains, is crucial, and no security shortcoming can appear in any link. Any omission in any link will destroy the entire security closed loop, requiring a complete systemic defense that combines technical defense + manual defense.

First, we need to improve users' security awareness. SlowMist provides a theft/fraud form submission system. Users can submit relevant information after being stolen from or defrauded. We will provide them with free fund tracking and community evaluation. Through this feedback, we found that many users' security awareness needs to be improved. They often ignore security incidents and reminders, immerse themselves in FOMO emotions, and lack understanding of common attack methods.

Both project owners and individual users need to understand common attack methods and make emergency plans in advance so that they can locate and control problems in a timely manner when losses occur. We at SlowMist spread security knowledge through the Blockchain Dark Forest Self-help Manual and Twitter, but many users are more concerned about funds and are unwilling to understand security issues in depth. This requires joint efforts from all parties to provide better protection for user fund security.

There have been many phishing comments on Twitter recently from fake project owners. SpaceX engineers have introduced a new feature that allows users to disable links in replies, which is an effective security measure that can greatly reduce the risk of phishing. These are positive developments in the industry, and we hope that there will be more such security services in the future to help users improve their risk prevention capabilities.

Tommy:

As a practitioner, user, and player, I hope that tool products can continue to improve and reduce my concerns about security issues. I expect these tools to remind me in time when risks arise, or even directly prevent potentially dangerous operations. This approach is more user-friendly, and I believe that the user experience of Web3 will eventually reach or even exceed the current level of Web2.

Only when more and more non-circle users can smoothly integrate into the Crypto field can the industry truly grow and develop. The improvement of these infrastructures can not only help users resist risks, but also provide a better experience for new users, avoiding resistance to the entire industry due to being deceived.