Security Special Issue: OKX Web3 & CertiK, MEME "Adventure" and Security "Truth or Dare"

OKX
2024-05-23 16:00:00
OKX Web3 Wallet has launched a "Security Special Edition" column to address the various on-chain security issues users face. Using real cases that occur around users, and in collaboration with experts and institutions in the security field, each issue shares analysis and answers from two perspectives, systematically sorting out and summarizing safe-trading rules. The aim is to improve user security education and help users protect their private keys and wallet assets.

Author: OKX Web3

Playing with MEME is an adventure

Rug pulls, Pi Xiu (honeypot) tokens, price crashes, getting stuck holding the bag… the traps are many

I used to be a brave adventurer, until I took an arrow to the knee

This issue is Security Special Edition No. 02. The well-known security firm CertiK and the OKX Web3 team share, from a practical-guide perspective, the common security risks in on-chain MEME trading and how to guard against them, in the hope of helping MEME users.

CertiK Security Team: CertiK was founded by two professors from Yale University and Columbia University, utilizing the most advanced formal verification technology, AI auditing technology, and manual audits by security experts. By scanning and monitoring blockchain protocols and smart contracts, they ensure their security. To date, CertiK has gained recognition from over 4,000 enterprise clients, discovered nearly 70,000 code vulnerabilities, and protected over $400 billion in digital assets from loss.

OKX Web3 Wallet Security Team: Hello everyone, we are very happy to share this session. The OKX Web3 Wallet Security Team is mainly responsible for building the security capabilities of the OKX Web3 wallet, providing multiple protective services such as product security, user security, and transaction security, guarding user wallet security 24/7 while contributing to the maintenance of the entire blockchain security ecosystem.

Q1: Real Cases of MEME Risks Around Us

OKX Web3 Wallet Security Team: There are many types of risk cases. We have selected a few classic cases that users encountered while trading MEME:

Case 1: Pi Xiu Scheme (honeypot token)

User A saw a certain MEME trending on Twitter and found the token address in the comments of the MEME's tweet. After checking the transaction data of the MEME, they found it performed well and decided to buy. As the price of the MEME continued to rise, User A wanted to sell and lock in profits but was unable to do so. After our team investigated, we found that the MEME token was a Pi Xiu scheme, and the user's address was blacklisted, preventing them from selling.

Case 2: Malicious Rug Pull

User B was an active participant in a certain Telegram group, spoke frequently, joined activities, and added many group members as contacts. One day, one of them privately messaged User B to recommend a certain MEME project, claiming it was very hot and had great potential, and immediately provided the token address. User B was somewhat tempted and checked the token on a data analysis tool, which showed that the liquidity (LP tokens) had been burned and that there were no whale holdings; User B therefore judged the project reliable and bought in. The next day, however, User B discovered that the project's liquidity had been drained. Our team's investigation found that the token was a malicious Rug Pull token with a backdoor that allowed mass issuance of new tokens.

Risk cases faced by MEME users are endless. We hope that through the following dialogue, we can provide some safety reference guidelines for users, which do not constitute any investment advice and are for learning and communication purposes only.

Q2: Common Risks When Trading MEME on EVM Public Chains and Solana Network

CertiK Security Team: MEME risks can be divided into two categories: on-chain risk scenarios and general risks unrelated to blockchain technology.

Before introducing specific on-chain risk scenarios, let's first discuss general risks, which mainly include five categories: extremely low token issuance costs, easy price manipulation, high centralization of projects, significant trading friction for investors, and Rug Pull scams.

  1. Extremely Low Token Issuance Costs

Generally speaking, the technical development required to launch a MEME project is extremely low or even nonexistent, leading to the emergence of one-click token issuance tools like PandaTool. Due to the extremely low development costs, internal personnel and early investors of the project can obtain tokens at a very low cost. Coupled with the fact that MEME projects have no real fundamentals, once the market no longer experiences "FOMO" (Fear of Missing Out), these low-cost tokens can be rapidly sold off, causing significant losses for later investors.

  2. Easy Price Manipulation

The price of MEME is easily manipulated, partly due to its lack of substantial technical support, intrinsic value, and low issuance thresholds, allowing anyone to easily create and issue MEME, resulting in a market flooded with highly speculative tokens.

At the same time, MEME typically relies on social media and online trends to drive its price, which can easily be manipulated by large holders or organized groups. These speculators can manipulate prices through large buy or sell orders, as well as creating false information and market noise, causing severe price fluctuations and attracting more retail investors to chase or panic sell, further exacerbating the potential for price manipulation.

  3. High Centralization of Projects

MEME projects often lack decentralized governance mechanisms, with decision-making power concentrated in the hands of a few developers and core team members, making project direction and management susceptible to personal interests, increasing investor risk. Based on centralized decision-making, there may also be various centralization risks such as control over token contracts and programs, centralization of token holdings, and centralization of liquidity control.

  4. Significant Trading Friction for Investors

MEME trading has significant friction, primarily due to poor liquidity. With relatively few participants trading MEME and insufficient trading volume, this leads to a large bid-ask spread (the difference between the buying and selling prices), increasing trading costs. Additionally, MEME tokens with poor liquidity can experience severe price fluctuations during large trades, further increasing trading risks and costs. Investors often have to bear higher slippage and significant price impacts when buying or selling, leading to inefficient trading and increased costs.

Secondly, this is attributed to the "transaction tax" mechanism. Many MEME projects charge a certain percentage of transaction tax on each trade to incentivize investors to hold or maintain project funds. These taxes are typically used for token buybacks, rewarding holders, or supporting project development. However, this transaction tax increases trading costs, making frequent trading more expensive. Traders must pay additional taxes each time they buy or sell, exacerbating trading friction and further reducing liquidity. Investors must bear higher fees and risks when trading MEME.

  5. Rug Pull Scams

MEME tokens are prone to becoming targets of Rug Pull scams because of their high anonymity and lack of transparency and regulation. Several common Rug Pull methods and how they manifest:

1) Liquidity Pull:

Method: The development team creates a liquidity pool on a decentralized exchange (DEX), adding tokens and mainstream cryptocurrencies (such as ETH, USDT, etc.) to the pool. After attracting enough investors, the development team suddenly withdraws all liquidity, rendering the tokens untradeable.

Manifestation: Investors find they cannot sell the tokens, the token price rapidly drops to zero, and the liquidity pool shows almost no remaining funds.

2) Developer Dumping:

Method: Project parties or early holders possess a large number of tokens. When market demand is inflated, they sell off most or all of their tokens in a short period, causing a price crash.

Manifestation: Large sell orders appear in transaction records, the token price plummets, market confidence collapses, and trading volume rapidly decreases.

3) Fake Projects:

Method: Malicious actors create a fake MEME token project, fabricating false visions and roadmaps, attracting investors through social media and celebrity endorsements. Once they raise enough funds, they shut down the project and abscond with the money.

Manifestation: The project website and social media accounts suddenly disappear, the development team becomes unreachable, and the value of tokens in investors' accounts rapidly depreciates.

4) Contract Exploits:

Method: The development team intentionally leaves backdoors or vulnerabilities in the smart contract, allowing them to manipulate the contract under specific conditions to steal investors' funds.

Manifestation: Token trading behaves abnormally or suddenly stops, investors cannot transfer or sell tokens, and the contract address shows large amounts of funds transferred to unknown accounts.

5) Fake Forks:

Method: The team claims to be upgrading or forking the original token and requires holders to exchange old tokens for new ones; in reality the scheme exists only to collect and keep the old tokens.

Manifestation: Old tokens lose value, the so-called new tokens cannot be traded on any exchange, and the project team goes dark.

Next, we will introduce common on-chain risks when users trade MEME on EVM public chains and the Solana network. To facilitate a more direct comparison of risk type differences for users, we will share in tabular form.

[Table: comparison of common on-chain MEME risks on EVM public chains versus the Solana network, reproduced as an image in the original. Image source: CertiK Security Team]
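The "Developer Dumping" item above and the buy-only Pi Xiu token from Case 1 can both be made concrete with a small simulation. The following Python is an added example written for this page, not CertiK or OKX tooling: the token, the pool, the addresses ("dev", "alice", "pool") and the balances are constructed, and the constant-product pool has no swap fee so the arithmetic is exact. `honeypot_check` does what a pre-trade simulation does on chain (buy, then immediately try to sell, on a throwaway copy of state) and flags a sell that reverts or pays out far less than the pool math implies; `dump_drawdown_bps` shows the price impact when a holder of 40% of the supply sells into the pool.

```python
import copy
from dataclasses import dataclass, field

BPS = 10_000


class TransferBlocked(Exception):
    """The token's transfer logic refused the transfer (on chain: a revert)."""


@dataclass
class Token:
    """Constructed MEME token carrying the owner-side logic described in the text.

    sell_tax_bps: tax skimmed from every transfer into the pool (a sell);
                  10_000 is a 100% tax, i.e. the buy-only Pi Xiu behaviour.
    trap_buyers:  hidden logic that blacklists every address that receives
                  tokens from the pool, so buyers can never sell (Case 1).
    """
    owner: str
    sell_tax_bps: int = 0
    trap_buyers: bool = False
    pool_addr: str = "pool"
    balances: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def transfer(self, sender: str, to: str, amount: int) -> int:
        if sender in self.blacklist:
            raise TransferBlocked(f"{sender} is blacklisted")
        if self.balances.get(sender, 0) < amount:
            raise TransferBlocked("insufficient balance")
        tax = amount * self.sell_tax_bps // BPS if to == self.pool_addr else 0
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount - tax
        self.balances[self.owner] = self.balances.get(self.owner, 0) + tax
        if self.trap_buyers and sender == self.pool_addr and to != self.owner:
            self.blacklist.add(to)
        return amount - tax          # what the recipient actually received


@dataclass
class Pool:
    """Constant-product (x * y = k) pool with no swap fee, so the numbers are exact."""
    token: Token
    token_reserve: int
    quote_reserve: int

    def buy(self, trader: str, quote_in: int) -> int:
        out = self.token_reserve * quote_in // (self.quote_reserve + quote_in)
        received = self.token.transfer(self.token.pool_addr, trader, out)
        self.quote_reserve += quote_in
        self.token_reserve -= out
        return received

    def sell(self, trader: str, token_in: int) -> int:
        received = self.token.transfer(trader, self.token.pool_addr, token_in)
        out = self.quote_reserve * received // (self.token_reserve + received)
        self.token_reserve += received
        self.quote_reserve -= out
        return out


def honeypot_check(pool: Pool, trader: str, quote_in: int, max_tax_bps: int = 2_000) -> dict:
    """Buy, then immediately sell everything, on a copy of the market.

    A wallet or scanner does the same against the real contracts with eth_call;
    a sell that reverts, or pays far less than the pool math implies, marks the
    token as a honeypot before any real funds are committed.
    """
    sim = copy.deepcopy(pool)
    bought = sim.buy(trader, quote_in)
    fair = sim.quote_reserve * bought // (sim.token_reserve + bought)   # tax-free sell value
    try:
        got_back = sim.sell(trader, bought)
    except TransferBlocked as exc:
        return {"honeypot": True, "effective_tax_bps": BPS, "reason": f"sell reverted: {exc}"}
    tax_bps = (fair - got_back) * BPS // fair if fair else 0
    return {"honeypot": tax_bps >= max_tax_bps, "effective_tax_bps": tax_bps,
            "reason": f"{quote_in} in, {got_back} back"}


def dump_drawdown_bps(pool: Pool, holder: str) -> int:
    """Spot-price drop, in bps, if `holder` sells its entire position into the pool."""
    sim = copy.deepcopy(pool)
    q0, t0 = sim.quote_reserve, sim.token_reserve
    sim.sell(holder, sim.token.balances.get(holder, 0))
    q1, t1 = sim.quote_reserve, sim.token_reserve
    return BPS - BPS * q1 * t0 // (q0 * t1)     # 1 - price_after / price_before


def make_market(**token_flags) -> Pool:
    """Constructed market: 1,000,000 tokens, 60% in the pool, 40% kept by the deployer."""
    tok = Token(owner="dev", balances={"pool": 600_000, "dev": 400_000}, **token_flags)
    return Pool(token=tok, token_reserve=600_000, quote_reserve=600_000)


if __name__ == "__main__":
    variants = {"honest": {}, "10% sell tax": {"sell_tax_bps": 1_000},
                "100% sell tax": {"sell_tax_bps": 10_000}, "auto-blacklist": {"trap_buyers": True}}
    for name, flags in variants.items():
        print(f"{name:15} {honeypot_check(make_market(**flags), 'alice', 6_000)}")
    print("deployer dumps 40% of supply -> price drawdown (bps):", dump_drawdown_bps(make_market(), "dev"))
```

Running it prints one verdict per variant: the honest token round-trips 6,000 quote units to 5,999 (integer rounding only), the 10% tax token shows an effective tax of 991 bps, the 100% tax token returns 0, and the auto-blacklist token reverts on the sell, which is exactly the Case 1 symptom; the deployer dump cuts the spot price by 64%. Real honeypots frequently vary behaviour by caller, block number or time, so a simulation that passes once is a necessary check, not a sufficient one.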

OKX Web3 Wallet Security Team: EVM public chains and Solana are the preferred networks for users trading MEME, and there are differences in on-chain risk types between the two, related to factors such as their token issuance mechanisms.

First, EVM Public Chains. Due to the high degree of freedom in token issuance on EVM public chains and the fact that token content is implemented by developers, common on-chain risks when trading MEME on EVM public chains mainly include two categories:

(1) MEME with Malicious Logic

When a hot MEME appears in the market, various malicious tokens pretending to be popular MEMEs emerge. These types of malicious tokens usually have good trading data, misleading users into misjudging and trading malicious tokens, resulting in losses. Currently, common malicious tokens mainly include two types:

  1. Pi Xiu Scheme: Tokens that can only be bought and not sold. These types of malicious tokens usually set a 100% tax rate or special transfer restriction logic, preventing users from selling the tokens.

  2. Malicious Rug Pull Tokens: Tokens that have hidden issuance logic. These types of malicious tokens hide issuance logic and then issue tokens to deplete token liquidity.

(2) Malicious Actions by Project Parties

Currently, malicious actions by project parties mainly include two types: abuse of privileged functions and direct dumping.

1) Abuse of Privileged Functions: Project parties use privileged functions, such as the mint function, to issue more tokens and dump them.

2) Direct Dumping: Project parties directly use their held tokens to dump.

Second, Solana Chain. It is worth noting that token issuance on the Solana network is done through fixed official channels, so common on-chain risks when trading MEME on the Solana chain mainly come from malicious actions by project parties.

(1) Abuse of Privileged Functions

Project parties use privileged functions, such as the mint function, to issue more tokens and dump them; or use freeze commands to freeze user addresses, achieving a purpose similar to the Pi Xiu scheme, preventing users from selling.

(2) Direct Dumping

Project parties directly use their held tokens to dump. It is important to note that some malicious MEME project parties may distribute held tokens to evade scrutiny of concentrated token holdings.
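On Solana the checks for the two abuses just described are direct reads of the token's Mint account, because every SPL token is created through the same Token program and the mint's authorities sit in a fixed layout. The following Python is an added example, not OKX or CertiK code: it decodes the 82-byte classic SPL Token Mint layout (mint_authority, supply, decimals, is_initialized, freeze_authority) and flags a mint whose mint authority or freeze authority is still set. The two sample accounts and their authority keys are constructed; `decode_mint_b64` accepts the base64 `data` field that `getAccountInfo` returns.

```python
import base64
import struct
from typing import Optional

MINT_LEN = 82  # spl_token::state::Mint::LEN for a classic SPL Token mint
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin alphabet), the format Solana uses to print public keys."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte becomes a '1'
    return "1" * pad + out


def _coption_pubkey(buf: bytes) -> Optional[bytes]:
    """COption<Pubkey>: 4-byte little-endian tag (0 = None, 1 = Some) + 32-byte key."""
    tag = struct.unpack_from("<I", buf, 0)[0]
    if tag == 0:
        return None
    if tag != 1:
        raise ValueError(f"invalid COption tag {tag}")
    return bytes(buf[4:36])


def decode_mint(data: bytes) -> dict:
    """Parse the 82-byte Mint account layout used by the SPL Token program.

    Layout: mint_authority COption<Pubkey> (36) | supply u64 (8) | decimals u8 (1)
            | is_initialized bool (1) | freeze_authority COption<Pubkey> (36)
    Token-2022 mints append extension data after these 82 bytes; this decoder
    handles only classic mints and rejects any other length.
    """
    if len(data) != MINT_LEN:
        raise ValueError(f"expected {MINT_LEN}-byte classic mint account, got {len(data)}")
    supply, decimals, initialized = struct.unpack_from("<QB?", data, 36)
    return {
        "mint_authority": _coption_pubkey(data[0:36]),
        "supply": supply,
        "decimals": decimals,
        "is_initialized": initialized,
        "freeze_authority": _coption_pubkey(data[46:82]),
    }


def decode_mint_b64(account_data_b64: str) -> dict:
    """Same, for the base64 string getAccountInfo returns with encoding="base64"."""
    return decode_mint(base64.b64decode(account_data_b64))


def mint_risk_flags(mint: dict) -> list:
    """The two authority checks behind the 'abuse of privileged functions' risk."""
    flags = []
    if mint["mint_authority"] is not None:
        flags.append("mint authority set (" + b58encode(mint["mint_authority"])
                     + "): holder can inflate supply and dump")
    if mint["freeze_authority"] is not None:
        flags.append("freeze authority set (" + b58encode(mint["freeze_authority"])
                     + "): holder can freeze token accounts so they cannot sell")
    return flags


def encode_mint(mint_authority, supply, decimals, freeze_authority) -> bytes:
    """Build a constructed mint account (inverse of decode_mint) for offline testing."""
    def coption(pk):
        return struct.pack("<I", 0) + bytes(32) if pk is None else struct.pack("<I", 1) + pk
    return coption(mint_authority) + struct.pack("<QB?", supply, decimals, True) + coption(freeze_authority)


# Constructed samples: the authority keys are placeholders, not real accounts.
RISKY_MINT = encode_mint(b"\x11" * 32, 1_000_000_000_000, 6, b"\x22" * 32)
SAFE_MINT = encode_mint(None, 1_000_000_000_000, 6, None)

if __name__ == "__main__":
    for label, raw in (("risky", RISKY_MINT), ("safe", SAFE_MINT)):
        info = decode_mint_b64(base64.b64encode(raw).decode())
        print(label, info["supply"], info["decimals"], mint_risk_flags(info) or ["no authority flags"])
```

A null mint authority means the supply is fixed; a null freeze authority means nobody can freeze holders' token accounts, which is the Solana counterpart of the blacklist in Case 1. A set authority is a capability, not proof of intent: many legitimate projects keep mint authority until launch is complete, so this is a filter to apply before buying, not a verdict on its own.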

Q3: What Dimensions or Tools Can Initially Filter Out Highly Risky MEME Projects?

CertiK Security Team: This does not constitute investment advice, and no tool can filter out 100% of the risk, but we will introduce a few commonly used tools that give users a reference for an initial judgement of whether a MEME token carries high risk.

1) dune.com: A data analysis platform that allows users to customize queries to analyze and monitor on-chain data of tokens. It is quite flexible but relatively complex to use, requiring a certain learning curve.

2) Dextools.io: A token information integration platform where users can view basic information about tokens, such as market capitalization, liquidity status, number of holders, token distribution, etc., and can also perform some simple security risk screening.

3) Skyknight MemeScan: A new platform launched by CertiK that provides solutions for assessing the security status of MEME. This platform offers real-time insights and on-chain behavior analysis, including contract minting analysis, transaction control detection, ownership concentration analysis, liquidity control assessment, and more.

OKX Web3 Wallet Security Team: There is no way to 100% filter risks, but from the perspective of token security and project health, we provide several dimensions that can initially filter out highly risky MEME projects. It is important to note that users should not solely rely on the following dimensions to judge the security of a project.

1) Smart Contract Security: Users can use auxiliary tools to verify whether there are source code-level security issues. These tools can check for malicious logic in the project code and identify security vulnerabilities in the code itself. Additionally, it is necessary to assess the contract's permission control to ensure that the contract owner's permissions are not excessive, avoiding the ability to arbitrarily mint or burn tokens.

2) Token Distribution and Holding Distribution: Users can check the distribution of token holders through blockchain explorers, avoiding participation in projects with overly concentrated token holdings, as these projects are prone to manipulation and have a higher risk of Rug Pull.

3) Liquidity and Trading Activity: Users should observe the trading volume and price fluctuation of tokens; low trading volume and high volatility may indicate project instability or manipulation risks.

4) Community and Development Team Activity: Whether the project team is open and transparent, including the backgrounds, experiences, and social media activities of team members.

Currently, the OKX Web3 wallet also provides users with the ability to filter risky tokens, filtering out tokens that may cause user losses from multiple aspects such as code security and transaction security, while providing various dimensions of token information to ensure a safe trading experience for users in MEME.
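For the "permission control" dimension above on EVM chains, verified source code is the easy case; for an unverified token the first screen is to recover the function selectors from the runtime bytecode and look them up. The following Python is an added example, not OKX or CertiK code. It sweeps the bytecode skipping PUSH immediates (so constants are not misread as opcodes), collects the PUSH3/PUSH4 constants a solc dispatcher compares the calldata selector against (a selector whose first byte is 0x00 is emitted as PUSH3 by the optimizer), and maps them against a small selector table. The table is a constructed subset of public ERC-20, Ownable and Pausable signatures, and SAMPLE_RUNTIME is a hand-built dispatcher, not bytecode from any deployed contract.

```python
# Selector table: a constructed subset of public ERC-20 / Ownable / Pausable
# signatures (first 4 bytes of keccak256 of the canonical signature). A real tool
# would consult a full signature database; this is enough to show the technique.
KNOWN_SELECTORS = {
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("23b872dd"): "transferFrom(address,address,uint256)",
    bytes.fromhex("70a08231"): "balanceOf(address)",
    bytes.fromhex("18160ddd"): "totalSupply()",
    bytes.fromhex("40c10f19"): "mint(address,uint256)",
    bytes.fromhex("42966c68"): "burn(uint256)",
    bytes.fromhex("9dc29fac"): "burn(address,uint256)",
    bytes.fromhex("8da5cb5b"): "owner()",
    bytes.fromhex("f2fde38b"): "transferOwnership(address)",
    bytes.fromhex("715018a6"): "renounceOwnership()",
    bytes.fromhex("8456cb59"): "pause()",
    bytes.fromhex("3f4ba83a"): "unpause()",
    bytes.fromhex("5c975abb"): "paused()",
}
# Presence of any of these means: find out who can call it, and whether ownership
# was really renounced (owner() returning the zero address), before buying.
PRIVILEGED = {"mint(address,uint256)", "burn(address,uint256)", "pause()",
              "unpause()", "transferOwnership(address)"}


def push_immediates(code: bytes):
    """Linear sweep yielding (offset, size, immediate) for every PUSH1..PUSH32.

    The immediate bytes are skipped, so a constant that happens to contain
    0x63 (PUSH4) followed by a selector is never mistaken for dispatcher code.
    """
    i = 0
    while i < len(code):
        op = code[i]
        if 0x60 <= op <= 0x7F:              # PUSH1 = 0x60 ... PUSH32 = 0x7f
            size = op - 0x5F
            yield i, size, code[i + 1:i + 1 + size]
            i += 1 + size
        else:
            i += 1


def candidate_selectors(code: bytes) -> set:
    """Constants a solc dispatcher compares the calldata selector against.

    solc emits PUSH4 <selector>; with the optimizer a selector whose first byte
    is 0x00 is emitted as PUSH3, so both sizes are collected and left-padded.
    """
    return {imm.rjust(4, b"\x00") for _, size, imm in push_immediates(code) if size in (3, 4)}


def screen_runtime_code(code: bytes) -> dict:
    """Map recovered selectors to names and single out the privileged ones."""
    selectors = candidate_selectors(code)
    names = sorted(KNOWN_SELECTORS[s] for s in selectors if s in KNOWN_SELECTORS)
    return {
        "functions": names,
        "privileged": sorted(set(names) & PRIVILEGED),
        "unknown_candidates": sorted(s.hex() for s in selectors if s not in KNOWN_SELECTORS),
        "ownable": "owner()" in names,   # if True, also read owner() live: zero address == renounced
    }


# --- constructed sample, not bytecode from any deployed contract ---------------
def _push(data: bytes) -> bytes:
    return bytes([0x5F + len(data)]) + data            # PUSHn opcode + immediate


def _dispatch_case(selector: bytes, dest: int) -> bytes:
    """DUP1 PUSHn <selector> EQ PUSH2 <dest> JUMPI: one comparison as solc lays it out."""
    return b"\x80" + _push(selector.lstrip(b"\x00")) + b"\x14" + _push(dest.to_bytes(2, "big")) + b"\x57"


SAMPLE_RUNTIME = (
    _push(b"\x00") + b"\x35" + _push(b"\xe0") + b"\x1c"     # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR
    + _dispatch_case(bytes.fromhex("a9059cbb"), 0x0100)     # transfer
    + _dispatch_case(bytes.fromhex("095ea7b3"), 0x0120)     # approve (becomes PUSH3 95ea7b3)
    + _dispatch_case(bytes.fromhex("40c10f19"), 0x0140)     # mint: privileged
    + _dispatch_case(bytes.fromhex("715018a6"), 0x0160)     # renounceOwnership
    + _push(b"\x00" * 27 + bytes.fromhex("638456cb59"))     # PUSH32 constant containing "PUSH4 pause()"
    + b"\x00"                                               # STOP
)

if __name__ == "__main__":
    import json
    print(json.dumps(screen_runtime_code(SAMPLE_RUNTIME), indent=2))
```

On the sample the screen reports transfer, approve, mint and renounceOwnership, flags mint(address,uint256) as privileged, and correctly does not report pause() even though the bytes 63 8456cb59 occur inside a 32-byte constant. Two caveats a practitioner would apply: the presence of renounceOwnership() does not mean it was ever called (read owner() and check for the zero address), and proxies, hand-written assembly and obfuscated dispatchers defeat a selector scan, so treat it as a first filter before decompilation or a sell simulation.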

Q4: What Limitations or Risks Currently Exist for Launchpad Platforms and DEX as Early Circulation Venues for MEME Tokens?

CertiK Security Team: First, Launchpad platforms and DEX must have strong technical support to handle the trading response speed and scale of MEME projects. Additionally, liquidity is also a crucial aspect; relevant platforms need to monitor any events that may affect liquidity security. Finally, regarding the compliance risks of MEME, platform parties must understand and implement relevant regulatory policies and requirements to reduce potential legal risks.

OKX Web3 Wallet Security Team: Next, we will introduce the limitations or risks that currently exist for Launchpad platforms and DEX.

For Launchpad platforms, there are mainly three points:

First, the quality of projects launched on the platform varies greatly. Although some Launchpad platforms conduct reviews and due diligence, they may still fail to fully identify high-risk or low-quality projects.

Second, there is a risk of fund management. Launchpad platforms typically manage large amounts of user funds centrally, and if these funds are mismanaged or maliciously misappropriated, it could lead to user losses. Additionally, platforms may lack sufficient safeguards to protect user funds.

Third, market manipulation. Project parties or large capital players may manipulate prices after a Launchpad launch, causing severe market fluctuations that affect retail investors.

For DEXs, the limitations are more numerous.

First, insufficient liquidity. Newly listed MEME tokens usually have poor liquidity on DEX, easily leading to large trading slippage and severe price fluctuations.

Second, smart contract vulnerabilities. DEX relies on smart contracts for trading, and if these contracts have vulnerabilities, they may be exploited by hackers, resulting in financial losses.

Third, high transaction fees, especially on networks like Ethereum, where transaction fees (Gas fees) can be very high, affecting the cost-effectiveness for small traders.

Fourth, malicious project parties. Anyone can deploy tokens and list them for trading on DEX, and some project parties may intentionally leave backdoor functions in the contract, allowing them to manipulate token balances or prevent users from selling tokens.

Fifth, user experience issues. The operations of DEX can be relatively complex for ordinary users, involving wallet connections, Gas fee settings, etc., making the experience less favorable compared to centralized exchanges (CEX).

Q5: Follow-up Question: Does the Use of Telegram Bots Represent One of the Practical Expressions of Intent-Based Interaction in the Cryptocurrency Field, Indicating a Trend for the Future Development of DEX?

CertiK Security Team: Telegram bots can significantly lower the barriers to trading and automate some steps in the trading process, making it easier for non-professionals to engage in cryptocurrency trading. However, it is crucial to pay special attention to the specific security risks of these bots. It is recommended to conduct comprehensive security due diligence on any third-party dApp that interacts with wallets to ensure their security.

OKX Web3 Wallet Security Team: The application of Telegram bots in the cryptocurrency field demonstrates the immense potential of intent-based interaction. This trend is expected to drive the future development of decentralized exchanges (DEX) by optimizing user experience, enhancing trading convenience and security, expanding the financial services ecosystem, and fostering technological innovation.

  1. Enhancing User Experience

Simplifying Operations: Telegram bots utilize natural language processing, allowing users to trade using simple chat commands, simplifying complex operational processes.

Automated Trading: Users can set automated trading rules, such as stop-loss and take-profit points, reducing the risks and time costs of manual operations.

  2. Enhancing Decentralized Trading

Seamless Integration: Bots integrate with decentralized exchanges (DEX) through API interfaces, hiding complex trading operations and lowering users' learning costs.

Real-Time Operations: Bots can monitor market dynamics in real-time and notify users instantly, enabling them to make quick trading decisions and execute trades.

  3. Improving Security

Smart Contracts: Bots use smart contracts to ensure transparency and security in transactions, reducing the possibility of human intervention and fraud.

Decentralization: Although bots may be centralized, actual trading occurs in a decentralized environment, enhancing the security and transparency of transactions.

  4. Expanding Ecosystem

Multi-Functional Platform: Telegram bots are not limited to trading; they can also extend to asset management, lending, staking, and other financial services, providing a one-stop financial solution.

Enhancing Community Interaction: Through the Telegram platform, bots can facilitate user communication and community building, increasing user engagement.

  5. Driven by Technology and Market

Innovation-Driven: Advances in artificial intelligence and blockchain technology will make bot applications increasingly intelligent and efficient, driving the emergence of more decentralized applications and services.

Market Acceptance: The growing demand from users for simplified and automated services will drive more DEX to adopt bot services to enhance competitiveness.

Q6: Current Security Risks of High-Frequency Tools, Such as Various Telegram Bots

CertiK Security Team: With the development of the cryptocurrency market, Telegram bots have become increasingly common in trading and information acquisition. However, these frequently used tools also pose significant security risks, and users should pay special attention to the following aspects when using them.

First, many Telegram bots have neither undergone a security audit nor made their code public, and may contain malicious code or vulnerabilities. These malicious bots may steal users' private keys, identity information, or other sensitive data. Additionally, malicious bots may disguise themselves as legitimate services, using phishing attacks to lure users into entering their private keys or seed phrases, thereby stealing funds. Therefore, users should ensure they only use officially recommended or verified bots and avoid clicking on unknown links or entering sensitive information.

Second, some bots may request excessive permissions, such as access to users' contacts, files, or other private information. Users should be cautious when granting permissions, ensuring that bots only obtain the minimum permissions necessary for their normal operation. At the same time, communication between bots and Telegram servers may be intercepted by man-in-the-middle attacks, leading to data leakage or tampering. Users should ensure they use bots with encrypted communication and check the implementation of their secure communication protocols.

Third, many Telegram bots offer automated trading functions, but if the trading logic of these bots has vulnerabilities, it may lead to significant financial losses. Users should conduct thorough testing before using such functions and monitor trading behavior to prevent abnormal situations. Additionally, bot developers may collect and store large amounts of user data, and if this data is leaked or misused, users' privacy will be severely threatened. Users should choose bots with good reputations and privacy policies and regularly review their privacy protection measures.

Finally, excessive reliance on certain bots for trading or asset management may lead to users being unable to operate normally if the bot service is interrupted or shut down. Therefore, users should avoid over-reliance on a single bot and prepare backup plans. By understanding and preventing these risks, users can use Telegram bots more safely, protecting their assets and privacy.

OKX Web3 Wallet Security Team: Telegram bots of this kind provide convenient services but also bring significant risks. We illustrate with a few examples.

First, the risk of centralized custody of private keys. Most Telegram bots require users to entrust their private keys for active signing and sending transactions. This means that users' private keys are stored on third-party servers, increasing the risk of theft or misuse.

Second, phishing risks. Phishing links sent through Telegram bots may entice users to click, leading to the theft of account information or private keys. Additionally, human inducement in chat windows (e.g., impersonating customer service) may trick users into revealing their seed phrases or other sensitive information.

Third, Trojan risks. Some bots may infect users' devices by sending malware (Trojans) or malicious SDKs, jeopardizing the security of the entire system.

In summary, users should be cautious when using various bots, carefully discern, avoid clicking on unfamiliar links, and never disclose their private keys.

Q7: User Trading MEME Operational Misconceptions and Risk Prevention

CertiK Security Team: First, for any dApp that interacts with their wallets, including trading platforms and Telegram bots, users should conduct security due diligence. Choosing dApps that have undergone security audits can reduce the risk of being attacked during operations and ensure the safety of their private keys and identity information. Currently, CertiK helps users reduce risks by providing penetration testing services for dApps.

Second, MEME trading depends heavily on transaction response speed and frequency, so choosing a stable platform with reasonable transaction fees is crucial. When trading, users should opt for platforms that are safe, stable, fast, and low-fee for a better trading experience. For example, the MemeScan platform launched by CertiK provides real-time security status information, including on-chain behaviour analysis of a MEME token: whether the contract can mint new tokens, whether transactions can be paused or restricted, whether a few addresses control most of the tokens, and whether a few addresses control most of the liquidity. We hope this provides some assistance for users' safe trading.

OKX Web3 Wallet Security Team: Considering security, users need to be aware of safe operations and risk prevention when trading MEME to ensure the correctness and safety of transactions.

First, choose the right trading platform. Users should select reputable and highly secure cryptocurrency exchanges, avoiding unverified or unknown trading platforms to mitigate the risk of asset theft. For on-chain transactions, confirm the official website of the project and the correctness of the contract.

Second, enable higher security authentication methods. For added security, users can enable two-factor authentication on all trading platforms and wallets, using Google Authenticator or other security applications. It is advisable to avoid SMS verification, as it is susceptible to SIM swap attacks.

Third, use highly secure wallets. Users should use verified wallets for trading and ensure they securely back up their seed phrases or private keys, storing them in a safe place and avoiding electronic backups. Failing to back up private keys or seed phrases will result in the inability to recover assets if the device is lost or damaged.

Fourth, prevent phishing. Users need to constantly verify the URLs used for transactions to ensure they are official links. When encountering issues, ensure that the customer service contacted is official, ignore private messages on Telegram, Discord, etc., and never click unknown links, sign unknown content, or reveal private keys.

Fifth, ensure a secure network environment. Users should operate under a trusted operating system and avoid using public wireless networks.

Finally, thank you all for reading OKX Web3 Wallet "Security Special Edition" No. 02. We are currently preparing No. 03, which will again include real cases, risk identification, and practical safety operations. Stay tuned!

Disclaimer:

This article is for reference only and does not intend to provide (i) investment advice or investment recommendations; (ii) offers or solicitations to buy, sell, or hold digital assets; or (iii) financial, accounting, legal, or tax advice. Holding digital assets (including stablecoins and NFTs) involves high risks, may fluctuate significantly, and may even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. You are solely responsible for understanding and complying with applicable local laws and regulations.

ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related-party opinions and does not constitute any form of investment advice.