Binance Square
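慢雾 SlowMist
@SlowMist
SlowMist (慢雾) is an industry-leading blockchain security company that serves its clients mainly through security audits and anti-money-laundering tracking and tracing. It has more than a thousand commercial clients, located in over a dozen major countries and regions.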

SlowMist: Best Practices for Toncoin Smart Contract Security

TON (The Open Network) is a decentralized blockchain platform originally designed and developed by the Telegram team. It has gained attention since its launch. TON's goal is to provide a high-performance and scalable blockchain platform to support large-scale decentralized applications (DApps) and smart contracts. For the basics of TON, please refer to Getting to know TON: Accounts, Tokens, Transactions, and Asset Security.
It is worth noting that TON has a completely different architecture from other blockchains. TON smart contracts are programmed in FunC, and can also be written in the more advanced Tact or the more basic Fift. These are highly original languages, so it is critical to ensure the security of smart contracts.

SlowMist Produced | Web3 Project Security Manual

With the rapid development of Web3, blockchain technology and cryptocurrency have gradually become an important part of the global financial system. However, the accompanying security issues have also brought many challenges to this emerging field. Therefore, the SlowMist Security Team has specially launched the "Web3 Project Security Handbook" (https://www.slowmist.com/redhandbook/), referred to as the "Red Handbook", which aims to provide comprehensive security guidance and practical skills for Web3 projects and developers. The Red Handbook is a bilingual version in Chinese and English, and mainly includes four parts: Web3 project security practice requirements, SlowMist smart contract audit skill tree, blockchain-based cryptocurrency security audit guide, and crypto asset security solutions.

Web3 Security Beginner's Guide to Avoiding Pitfalls|Pixiu Pan Scam

Background
In the previous issue of Web3 Security Beginner's Guide to Avoiding Pitfalls, we analyzed common fake mining pool scams. This issue will focus on the Pixiu scam. According to legend, the Pixiu is a magical creature that is said to swallow treasures that cannot be taken out of its body. This image aptly describes the Pixiu scam: after users invest money, the price rises rapidly, triggering follow-up purchases, but eventually they find that they cannot sell and their funds are locked up.
This issue includes the reasons why users fall into the Pixiu Pan scam, the typical routines of the Pixiu Pan scam, and corresponding safety suggestions. I hope it can help everyone be more vigilant and avoid pitfalls.

Opinion: International cooperation in law enforcement will become a major trend in combating cryptocurrency crimes

With the advent of globalization and digitalization, the rapid development of the cryptocurrency market has brought new business opportunities, but also posed new challenges to laws and regulations around the world. The increasing interaction between cryptocurrencies and legal currencies has led to an increase in illegal activities such as money laundering and terrorist financing. At the same time, since blockchain technology is not the professional field of law enforcement agencies, it is difficult to locate specific criminals, and law enforcement agencies face greater challenges in combating these illegal activities. In addition, from multiple incidents, the regulation of cryptocurrencies requires not only the support of local laws, but also international cooperation to deal with cross-border crimes, money laundering, terrorist financing and other issues. Therefore, international cooperation in law enforcement and the use of blockchain data analysis technology will become a major trend in combating cryptocurrency crimes.

Biased trust leads to darkness - Analysis of Penpie hack

By: Jiujiu@SlowMist Security Team
Background
According to the SlowMist security team, on September 4, 2024, the decentralized liquidity income project Penpie was attacked, and the attacker made a profit of nearly 30 million US dollars. The SlowMist security team analyzed the incident and shared the results as follows:
(https://x.com/Penpiexyz_io/status/1831058385330118831)
Prerequisites
Pendle Finance is a decentralized financial yield trading protocol with over $4.5 billion in total locked value. The protocol successfully integrated with Magpie to optimize yield opportunities and enhance its veTokenomics model. On this basis, the Penpie project introduced liquidity mining capabilities to enable passive income on Pendle Finance's market.

Explore Sui: Technology and contract security behind high performance

By: Johan & Victory!
Background
Some time ago, we discussed the characteristics of TON and user asset security issues in Getting to Know TON: Accounts, Tokens, Transactions and Asset Security. Today, let’s learn about another emerging high-performance blockchain platform - Sui, which has many innovative technologies and unique features that have attracted the attention of developers and researchers. Sui focuses on providing a fast and secure transaction experience suitable for various application scenarios. This article will help readers understand Sui by explaining Sui’s account model, token management, transaction mechanism and asset security.

Web3 Security Beginner's Guide to Avoiding Pitfalls | Fake Mining Pool Scams

Background
In the last issue of the Web3 Security Getting Started Guide to Avoiding Pitfalls, we analyzed some typical airdrop scams and explained the various risks that users may face when receiving airdrops. Recently, the SlowMist AML team noticed a significant increase in the number of users compromised by fake mining pool scams when analyzing the MistTrack stolen forms submitted by victims. Therefore, in this issue, we will provide an in-depth analysis of several common fake mining pool scams and put forward corresponding safety suggestions to help users avoid pitfalls.
You want his rest, he wants your life
Fake mining pool scams mainly target new Web3 users. Scammers take advantage of new users' lack of understanding of the cryptocurrency market and their desire for high returns, and trick them into investing money through a series of carefully designed steps. These scams usually rely on the mechanism that "funds need to be kept in the pool for a period of time to generate returns", making it difficult for users to detect that they have been deceived in a short period of time. Under the guidance of the scammers, users often continue to invest more funds in pursuit of higher interest rates. When users are unable to continue to provide funds, the scammers will threaten that this will result in the inability to redeem the principal, and ultimately users will continue to suffer losses under heavy pressure.

Web3 Security Beginner's Guide to Avoiding Pitfalls|Airdrop Scams

Background
In the previous issue of Web3 Security Beginner's Guide to Avoiding Pitfalls, we mainly explained the relevant knowledge of multi-signature phishing, including the multi-signature mechanism, the causes of multi-signature, and how to avoid malicious multi-signatures in wallets. In this issue, we will explain a marketing method that is considered effective in both traditional industries and the encryption field - airdrops.
Airdrops can bring projects from obscurity to the public eye in a short period of time, quickly accumulate a user base, and enhance market influence. When users participate in Web3 projects, they need to click on relevant links and interact with the project parties to obtain airdrop tokens. However, from high-copy websites to tools with backdoors, hackers have already set traps upstream and downstream of the user's airdrop process. Therefore, in this issue, we will analyze some typical airdrop scams to explain the related risks and help everyone avoid pitfalls.

First look at TON: Accounts, Tokens, Transactions and Asset Security

By: Johan
Background
TON (The Open Network) is a decentralized blockchain platform originally designed and developed by the Telegram team. TON's goal is to provide a high-performance and scalable blockchain platform to support large-scale decentralized applications (DApps) and smart contracts.
TON is so special. It is easy to use. It is deeply integrated with Telegram, making it easy for ordinary people to use tokens. It is also complex. It has a completely different architecture from other blockchains and uses the non-mainstream FunC smart contract language. Today we will discuss the characteristics of TON and the security of user assets from the perspectives of accounts, tokens, and transactions.

SlowMist offers the "SlowMist Cybersecurity Award" to winners of the Hong Kong Baptist University Finance Program

Recently, the School of Business Administration of Hong Kong Baptist University announced that Ms. Cheung Yung Yung Mandy, an outstanding student of the Master of Finance (FinTech and Financial Analytics) program, won the SlowMist Cybersecurity Award in the 2023-24 academic year. This award is in recognition of Mandy's outstanding performance in the "FIN7900 Cybersecurity, Privacy and RegTech" course. Her work not only sets a benchmark for academic excellence, but also highlights the importance of ensuring the security of financial technology in today's digital age.
Since the 2020-21 academic year, SlowMist has started to offer the "SlowMist Cybersecurity Award" to winners of the Hong Kong Baptist University Finance Course, which includes a cash prize of US$4,000. SlowMist offers this award to encourage outstanding students who work hard for the development of cybersecurity. We hope that more people will realize the importance of cybersecurity in today's digital environment. SlowMist has been committed to bringing a sense of security to the blockchain ecosystem, whether it is providing free case assessment assistance services to the blockchain community, outputting security knowledge in the form of AMA or articles, or continuing to follow up on hackers threatening the blockchain industry, because we are well aware that cybersecurity is related to personal privacy/property security, and even to the trust and sustainable development of the industry. Therefore, SlowMist continues to use its capabilities and experience in the front line of blockchain security for many years to promote the healthy development of the blockchain industry.

The Indonesian version of "Blockchain Dark Forest Self-rescue Manual" is officially released

On August 5, the Indonesian version of the "Blockchain Dark Forest Self-Rescue Manual" was officially released.
The "Blockchain Dark Forest Self-Help Manual" ("Black Manual") was written by Yu Xian, the founder of SlowMist, and released in 2022. The positioning of the "Blockchain Dark Forest Self-Help Manual" focuses on user safety and aims to become a self-help guide for every user walking in the blockchain dark forest. Once the Black Manual was released, it attracted great attention and strong response, and was recognized and recommended by the majority of Web3 users. Today, the launch of the Indonesian version has further expanded the scope of the Black Manual.

Web3 Security Beginner's Guide to Avoiding Pitfalls | Risk of Wallets Being Maliciously Multi-Signed

Background
In the previous issue of the Web3 Security Beginner's Guide to Avoiding Pitfalls, we mainly explained the risks when downloading/purchasing wallets, how to find the real official website and verify the authenticity of the wallet, and the risk of private key/mnemonic leakage. We often say "Not your keys, not your coins", but there are also situations where even if you have a private key/mnemonic, you cannot control your assets, that is, the wallet has been maliciously multi-signed. Combined with the MistTrack theft form we collected, some users' wallets were maliciously multi-signed, and they didn't understand why they still had a balance in their wallet accounts but couldn't transfer the funds out. Therefore, in this issue, we will take the TRON wallet as an example to explain the relevant knowledge of multi-signature phishing, including the multi-signature mechanism, hackers' routine operations, and how to avoid malicious multi-signatures on wallets.

Dark Forest: Cunning Phishing

Background
On July 25, 2024, MonoSwap (@monoswapio) issued a warning on Twitter that its platform had been hacked. They called on users to stop adding funds to their liquidity pools or staking in their farm pools, and explained that the attack was due to a MonoSwap developer who installed a Trojan software (https[:]//kakaocall[.]kr) when accepting a meeting invitation from a fake VC the day before the incident. The hacker used this to invade the computer of the MonoSwap developer, thereby controlling the relevant wallets and contracts, and then withdrawing a large amount of staked funds, causing serious losses.

Origin Forgery Risk Analysis of TonConnect SDK

By: Thinking
Background
As the TON ecosystem project heats up, Web3 phishing gangs have also begun to enter the battlefield of the TON ecosystem. Currently, the TON ecosystem uses the TonConnect SDK to solve the problem of cross-platform/application wallet connection and interaction. Such solutions will inevitably encounter a problem: how to solve the domain name verification during cross-platform/application communication?
Usually, in order to allow users to use wallets to connect to DApps or confirm whether the source of the signature request is reliable, the wallet will prompt the source domain name on the request approval page, so that users can better verify and confirm whether the source of the request is consistent with the source of their operation, thereby avoiding fraud from signature requests from malicious sources.

SlowMist: X Account Security Troubleshooting and Reinforcement Guide

By: 耀
Background Overview
Recently, there have been many cases where the X account of a Web3 project owner or celebrity has been stolen and used to send phishing tweets. Hackers are good at using various means to steal user accounts. The more common routines are as follows:
Induce users to click on fake Calendly/Kakao meeting reservation links to steal user account authorization or control user devices;
Private messages trick users into downloading programs with Trojans (fake games, conference programs, etc.). In addition to stealing private keys/mnemonics, Trojans may also steal X account permissions;
Use SIM Swap attack to steal the permissions of X account that relies on the mobile phone number.

Monthly Dynamics | Web3 security incidents total losses of approximately $279 million

Overview
According to the SlowMist Blockchain Hacked Archives (https://hacked.slowmist.io), there were 37 security incidents in July 2024, with a total loss of approximately $279 million, of which $8.76 million was returned. The causes of the security incidents this month involved contract vulnerabilities, account hacking, running away, and domain name hijacking.

Main Events
Bittensor
On July 2, 2024, the decentralized AI project Bittensor was attacked, and some Bittensor wallet users had funds stolen. The attacker stole about 32,000 TAO, which is about 8 million US dollars according to the market value. On-chain detective ZachXBT believed that the attack may have been caused by a private key leak, but Bittensor later said that the affected users were actually attacked because a malicious Bittensor package was uploaded to Python's PyPI package manager.

SlowMist: Analysis of stolen MistTrack forms in Q2 2024

With the rapid development of blockchain, security incidents such as theft, phishing, and fraud against users are increasing, and the attack methods are diverse. SlowMist receives a large number of victims' help messages every day, hoping that we can provide assistance in fund tracking and rescue, including victims who have lost tens of millions of US dollars. Based on this, this series counts and analyzes the stolen forms received each quarter, aiming to analyze common or rare malicious methods with real cases after desensitization, and help users learn how to better protect their assets.

SlowMist Produced | Blockchain Security and Anti-Money Laundering Report for the First Half of 2024

Preface
SlowMist Technology released the "Blockchain Security and Anti-Money Laundering Report for the First Half of 2024" (hereinafter referred to as the "Report"). This report summarizes the key regulatory compliance policies and dynamics of the blockchain industry in the first half of 2024, including but not limited to the multi-angle regulatory stance on cryptocurrencies and a series of core policy adjustments. We reviewed and outlined blockchain security incidents and anti-money laundering trends in the first half of 2024, interpreted some common money laundering tools and phishing theft techniques, and proposed effective prevention methods and response strategies for such problems. In addition, we also disclosed and analyzed the major phishing criminal organizations Wallet Drainers and the hacker group Lazarus Group in order to provide a reference for preventing such threats.

The Arabic version of "Blockchain Dark Forest Self-rescue Manual" is officially released

On June 28, the Arabic version of the "Blockchain Dark Forest Self-Rescue Manual" was officially released.
The "Blockchain Dark Forest Self-Rescue Manual" ("Black Manual" for short) was written by Yu Xian, the founder of SlowMist, and released in 2022. On release, the Black Manual attracted great attention and a strong response, and was recognized and recommended by a large number of Web3 users. It also attracted a group of excellent translators, who used their professional knowledge to make English, Japanese, and Korean versions of the Black Manual available to everyone, helping more Web3 users overcome language barriers and learn how to survive in the blockchain dark forest.

SlowMist: UwU Lend hack analysis

By: Doris@SlowMist Security Team
Background
On June 10, 2024, according to the SlowMist MistEye security monitoring system, UwU Lend, a platform that provides digital asset lending services on the EVM chain, was attacked and lost approximately $19.3 million. The SlowMist security team analyzed the incident and shared the results as follows:
(https://x.com/SlowMist_Team/status/1800181916857155761)

Related Information
Attacker Address:
0x841ddf093f5188989fa1524e7b893de64b421f47
The address of the vulnerable contract:
0x9bc6333081266e55d88942e277fc809b485698b9

Attack transaction:
0xca1bbf3b320662c89232006f1ec6624b56242850f07e0f1dadbe4f69ba0d6ac3