SlowMist will attend the "Hong Kong Fintech Week 2024" to explore Web3 security and anti-money laundering
The highly anticipated 9th Hong Kong Fintech Week ("Hong Kong Fintech Week ’24") will be held at the AsiaWorld-Expo in Hong Kong from October 28 to November 1. As the world's leading flagship event for the development of financial technology, "Hong Kong Fintech Week 2024" is hosted by the Financial Services and the Treasury Bureau and Invest Hong Kong, and co-organized by the Hong Kong Monetary Authority (HKMA), the Securities and Futures Commission (SFC) and the Insurance Authority (IA). With the theme "Lighting up New Channels for Fintech", the conference is expected to attract more than 35,000 participants from more than 100 economies and bring together more than 800 speakers, as well as many sponsors and exhibitors, making it a meeting point for global forward-looking insights and cutting-edge technologies. (Details: https://www.fintechweek.hk/agenda-2024)
SlowMist: Hacking Time official website is newly upgraded and launched
In the security field, sharing is a core part of the hacker spirit, and Hacking Time is an important embodiment of SlowMist's hacker culture. Based on this idea, the Hacking Time official website has been upgraded and relaunched. As a team that has long focused on blockchain security and conducted in-depth research on blockchain security technology, the SlowMist Security Team has accumulated rich security experience in the blockchain world while constantly absorbing the latest knowledge from various cutting-edge technology tracks. Through Hacking Time, we share our insights and practical experience in blockchain security technology with leaders in various fields. The newly upgraded Hacking Time official website is divided into two modules, external communication and internal sharing, and records every step of Hacking Time in the form of a timeline.
Introduction With the rapid development of the DeFi ecosystem, Compound Finance V2, as one of the pioneers in this field, has attracted a large number of users with its innovative lending model. However, any complex distributed application faces potential security threats, especially when it handles funds worth millions or even hundreds of millions of dollars. A comprehensive and detailed security audit of Compound Finance V2 and its fork projects is therefore particularly important. This manual aims to provide developers, security researchers, and DeFi enthusiasts with a detailed security audit guide to help them effectively identify and prevent potential risks.
Technology is moving forward|SlowMist was invited to attend the 10th Blockchain Global Summit
In the golden autumn of October, the 2024 Shanghai Blockchain International Week kicked off. As part of it, the "10th Blockchain Global Summit" hosted by Wanxiang Blockchain Lab was held today (October 17) at the Shanghai Institute of Innovation and Creativity Design. Since the first summit in 2015, the Blockchain Global Summit has grown into a benchmark for the industry, witnessing the rapid development and transformation of blockchain technology. Each summit not only presents cutting-edge technology trends to participants, but also provides profound industry insights and promotes exchanges and cooperation within the industry. The 10th Blockchain Global Summit is themed "Technology for the Future", with equal emphasis on inheritance and innovation, striving to carry the vitality of the industry forward on the shoulders of "giants". The summit set up a number of special forums and interactive sessions to promote in-depth exchanges within and outside the industry and stimulate innovative thinking. It also brought together a series of heavyweight guests, including Ethereum co-founder Vitalik Buterin, Hong Kong Special Administrative Region Legislative Council member (Technology and Innovation) Qiu Dagen, Chainlink Labs Asia Pacific Banking and Capital Markets Business Head Vince Turcotte, Animoca Brands Limited Group President Evan Auyang, and other well-known industry leaders.
Old wine in new bottles | Arbitrage MEV bot scam
background Earlier this year, SlowMist founder Cos warned users on X about the arbitrage MEV bot scam. Now scam gangs are following the trend again, and the name of the scam has changed from "Simple and easy-to-use Uniswap arbitrage MEV bot" to "ChatGPT arbitrage MEV bot: How to use the slippage bot to earn $2,000 a day completely passively." The SlowMist security team has noticed that the number of users harmed by this type of scam has increased recently. This article therefore explains the scam routine and analyzes the scammers' fund transfer model to help users avoid falling for it.
background Recently, X user @roffett_eth tweeted that there are many ERC20 honeypot tokens in the trending list of the GMGN website. Even if these tokens are marked "Everything is SAFU", users should stay vigilant, because the scammers have not yet completed the entire rug pull. Cos, the founder of SlowMist, said that this situation occurs not only on GMGN, but also on DEXTools and DEX Screener. Based on this, this article analyzes the common ways Pixiu (honeypot token) schemes are executed and lists their characteristics, so that users without a technical background can also gain some ability to identify Pixiu schemes and avoid financial losses.
Report Interpretation | UNODC releases fraud report on transnational organized crime in Southeast Asia
On October 7, 2024, the United Nations Office on Drugs and Crime (hereinafter "UNODC") released a report titled "The Convergence of Transnational Organized Crime with Cyber Fraud, Underground Banking and Technological Innovation in Southeast Asia: The Changing Threat Landscape" (original text: https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf). In the report, UNODC thanked SlowMist for its information, data and analytical support; our partner Bitrace was also thanked.
SlowMist: Analysis of MistTrack stolen forms in Q3 2024
SlowMist receives a large number of requests for help from victims every day, including victims who have lost tens of millions of dollars, hoping that we can assist with fund tracking and recovery. Based on this, this series compiles statistics on and analyzes the stolen forms received each quarter, aiming to examine common or rare malicious methods through real cases after anonymization, so that industry participants can learn from them and better protect their assets. According to the statistics, the MistTrack Team received a total of 313 stolen forms in Q3 2024, including 228 domestic forms and 85 overseas forms, a decrease compared to Q2. For the Q2 figures, please refer to SlowMist: 2024 Q2 MistTrack stolen form analysis. We provide free community evaluation services for these forms. (Note: this article only covers cases submitted through the form, not cases reported by email or other channels.)
SlowMist: Uniswap v3 protocol analysis and audit highlights
Preface With the rapid development of decentralized finance (DeFi), Uniswap, as a leading decentralized exchange, has been at the forefront of innovation. This article analyzes the core mechanisms of the Uniswap v3 protocol in depth and explains its functional design in detail, including key features such as concentrated liquidity, multiple fee tiers, token swaps and flash loans, and provides relevant audit points for auditors. (Note: the diagrams in this article can be viewed in high resolution at https://www.figma.com/board/QyIpAUR93MxZ4XZZf2QjDk/uniswap-v3.) Architecture Analysis The Uniswap v3 protocol mainly consists of four modules:
As an emerging high-performance blockchain platform, Sui has many innovative technologies and unique features, and focuses on providing a fast and secure transaction experience for a variety of application scenarios. For basic knowledge about Sui, please refer to Explore Sui: Technology and Contract Security Behind High Performance. Unlike other programming languages commonly used in blockchains (such as Solidity), Sui uses the Move language, which to a certain extent eliminates common Solidity vulnerability classes such as reentrancy attacks, integer overflows, double spending, DoS attacks, and compiler problems, but it cannot prevent developers from introducing errors in their own code. Developers therefore need to understand and pay attention to Sui's unique functions and features in order to ensure the security of their smart contracts.
On September 9, 2024, the Federal Bureau of Investigation (FBI) released the 2023 Cryptocurrency Fraud Report. The report analyzes in depth the cryptocurrency-related complaints received by the Internet Crime Complaint Center (IC3) in 2023 at both the macro and micro levels, and explores the characteristics of cryptocurrency and the main types of cryptocurrency crime that year. This article interprets the core content of the report to help readers quickly grasp the key information and improve their understanding of, and response to, complex security threats. Key Point 1: Cryptocurrency-related Complaints Data in 2023
SlowMist: Best Practices for Toncoin Smart Contract Security
TON (The Open Network) is a decentralized blockchain platform originally designed and developed by the Telegram team, and it has attracted attention since its launch. TON's goal is to provide a high-performance and scalable blockchain platform to support large-scale decentralized applications (DApps) and smart contracts. For the basics of TON, please refer to Getting to know TON: Accounts, Tokens, Transactions, and Asset Security. It is worth noting that TON has a completely different architecture from other blockchains. In addition to the FunC language used to program TON smart contracts, it also offers the higher-level Tact and the lower-level Fift. These languages are highly distinctive, so ensuring the security of smart contracts written in them is critical.
With the rapid development of Web3, blockchain technology and cryptocurrency have gradually become an important part of the global financial system. However, the accompanying security issues have also brought many challenges to this emerging field. Therefore, the SlowMist Security Team has specially launched the "Web3 Project Security Handbook" (https://www.slowmist.com/redhandbook/), referred to as the "Red Handbook", which aims to provide comprehensive security guidance and practical skills for Web3 projects and developers. The Red Handbook is a bilingual version in Chinese and English, and mainly includes four parts: Web3 project security practice requirements, SlowMist smart contract audit skill tree, blockchain-based cryptocurrency security audit guide, and crypto asset security solutions.
Web3 Security Beginner's Guide to Avoiding Pitfalls|Pixiu Pan Scam
background In the previous issue of Web3 Security Beginner's Guide to Avoiding Pitfalls, we analyzed common fake mining pool scams. This issue focuses on the Pixiu scam. According to legend, the Pixiu is a mythical creature that swallows treasure and never lets it out of its body. This image aptly describes the Pixiu scam: after users invest money, the price rises rapidly, triggering follow-up purchases, but eventually they find that they cannot sell and their funds are locked up. This issue covers the reasons why users fall into the Pixiu Pan scam, the typical routines of the Pixiu Pan scam, and corresponding safety suggestions. We hope it helps everyone stay vigilant and avoid pitfalls.
Opinion: International cooperation in law enforcement will become a major trend in combating cryptocurrency crimes
With globalization and digitalization, the rapid development of the cryptocurrency market has brought new business opportunities, but it has also posed new challenges to laws and regulations around the world. The increasing interaction between cryptocurrencies and fiat currencies has led to an increase in illegal activities such as money laundering and terrorist financing. At the same time, since blockchain technology is outside the core expertise of law enforcement agencies, it is difficult to identify specific criminals, and law enforcement agencies face greater challenges in combating these illegal activities. In addition, multiple incidents have shown that the regulation of cryptocurrencies requires not only the support of local laws, but also international cooperation to deal with cross-border crime, money laundering, terrorist financing and other issues. International cooperation in law enforcement, together with the use of blockchain data analysis technology, will therefore become a major trend in combating cryptocurrency crime.
Biased trust leads to darkness - Analysis of Penpie hack
By: Jiujiu@SlowMist Security Team background According to the SlowMist security team, on September 4, 2024, the decentralized liquidity yield project Penpie was attacked, and the attacker made a profit of nearly 30 million US dollars. The SlowMist security team analyzed the incident and shares the results below. (https://x.com/Penpiexyz_io/status/1831058385330118831) Prerequisites Pendle Finance is a decentralized finance yield trading protocol with over $4.5 billion in total value locked. The protocol integrated with Magpie to optimize yield opportunities and enhance its veTokenomics model. On this basis, the Penpie project introduced liquidity mining capabilities to enable passive income on Pendle Finance's markets.
Explore Sui: Technology and contract security behind high performance
By: Johan & Victory! background Some time ago, we discussed the characteristics of TON and user asset security issues in Getting to Know TON: Accounts, Tokens, Transactions and Asset Security. Today, let’s look at another emerging high-performance blockchain platform, Sui, whose many innovative technologies and unique features have attracted the attention of developers and researchers. Sui focuses on providing a fast and secure transaction experience suitable for a variety of application scenarios. This article helps readers understand Sui by explaining its account model, token management, transaction mechanism and asset security.
Web3 Security Beginner's Guide to Avoiding Pitfalls | Fake Mining Pool Scams
background In the last issue of the Web3 Security Beginner's Guide to Avoiding Pitfalls, we analyzed some typical airdrop scams and explained the various risks users may face when claiming airdrops. Recently, while analyzing the MistTrack stolen forms submitted by victims, the SlowMist AML team noticed a significant increase in the number of users compromised by fake mining pool scams. In this issue, we therefore provide an in-depth analysis of several common fake mining pool scams and put forward corresponding safety suggestions to help users avoid pitfalls. You want their interest, they want your principal Fake mining pool scams mainly target new Web3 users. Scammers take advantage of new users' limited understanding of the cryptocurrency market and their desire for high returns, and trick them into investing money through a series of carefully designed steps. These scams usually rely on the premise that "funds need to be kept in the pool for a period of time to generate returns", making it difficult for users to realize in the short term that they have been deceived. Under the scammers' guidance, users often keep investing more funds in pursuit of higher interest rates. When users can no longer provide funds, the scammers threaten that this will make the principal unredeemable, and under this pressure users keep suffering losses.
Web3 Security Beginner's Guide to Avoiding Pitfalls|Airdrop Scams
background In the previous issue of Web3 Security Beginner's Guide to Avoiding Pitfalls, we mainly explained multi-signature phishing, including the multi-signature mechanism, how malicious multi-signatures arise, and how to avoid malicious multi-signatures on wallets. In this issue, we explain a marketing method considered effective in both traditional industries and the crypto field: airdrops. Airdrops can bring a project from obscurity to the public eye in a short time, quickly build a user base, and enhance market influence. When users participate in Web3 projects, they need to click on relevant links and interact with the project parties to obtain airdrop tokens. However, from lookalike websites to tools with backdoors, attackers have already set traps upstream and downstream of the user's airdrop process. In this issue, we therefore analyze some typical airdrop scams to explain the related risks and help everyone avoid pitfalls.
First look at TON: Accounts, Tokens, Transactions and Asset Security
By: Johan background TON (The Open Network) is a decentralized blockchain platform originally designed and developed by the Telegram team. TON's goal is to provide a high-performance and scalable blockchain platform to support large-scale decentralized applications (DApps) and smart contracts. TON is special in two ways. It is easy to use: it is deeply integrated with Telegram, making it easy for ordinary people to use tokens. It is also complex: it has a completely different architecture from other blockchains and uses the non-mainstream FunC smart contract language. Today we discuss the characteristics of TON and the security of user assets from the perspectives of accounts, tokens, and transactions.