In-depth discussion: How to prevent security risks in on-chain transactions? Evaluation dimensions for listing on exchanges and project risk identification

Wu Shuo Blockchain
2024-08-27 12:14:01
Two guests shared their experiences in evaluating new projects, monitoring launched tokens, and dealing with hacking attacks. They also discussed the security risks that investors and institutions need to pay attention to in the current cryptocurrency market, as well as how to leverage new tools to enhance security.

Author: Wu Shuo

We invited Tommy, a researcher from Bitget, and Lisa, the operations head of the Slow Mist security team, to discuss the risk assessment of listing coins on exchanges, on-chain security issues, and how investors can protect their assets. The two guests shared their experiences in evaluating new projects, monitoring listed tokens, and dealing with hacker attacks, while also discussing the security risks that investors and institutions need to pay attention to in the current cryptocurrency market and how to leverage new tools to enhance security.

Opening Introduction

Tommy:

Hello everyone, I am a researcher at the cryptocurrency exchange Bitget, where I have worked for two and a half years. Bitget started with a team of only two or three hundred people, primarily focusing on contracts and copy trading. Now, it has developed into a comprehensive cryptocurrency trading platform with a contract product market share of nearly 27%, over 30 million monthly visits, and more than 25 million registered users across over 100 countries and regions.

In my more than two years of work experience, I have hardly created any PPTs except for organizing sharing sessions for VIP clients. Our team always emphasizes efficiency and results rather than formal presentations and cumbersome reports. The members of our research team have diverse skills, including top talents proficient in designing and implementing DeFi products and experts with deep experience in on-chain data analysis.

Lisa:

Hello everyone, I am Lisa, the operations head of Slow Mist. Slow Mist is an industry-leading blockchain security company with rich experience in both on-chain and off-chain security, as well as many years of experience in threat intelligence. Slow Mist mainly provides integrated security solutions tailored to local conditions, such as security audits and anti-money laundering tracking and tracing services. The name "Slow Mist" comes from "The Three-Body Problem," where the Slow Mist Zone is a safe area, symbolizing that Slow Mist is a safe zone in the dangerous "dark forest" of blockchain. We have also established a white hat community called "Slow Mist Zone," which currently has over 300,000 participants.

How to Conduct Risk Assessment Before Listing Coins? Are the Evaluation Strategies Different for Emerging Projects and Well-Known Projects?

Tommy:

The risk assessment at Bitget is led by the research institute, with assistance from the audit and risk control teams. First, we conduct a comprehensive review of the project's sector, team background, and funding history. If the project involves Bitget's risk control red lines, such as gambling, drugs, or politically sensitive factors, we will directly reject it. Additionally, projects that are being sued by the SEC or have negative reputations will also be rejected. For example, Pulsechain (PLS) was highly popular before its TGE, but due to its disputes with the SEC and negative evaluations, we also temporarily declined cooperation.

Secondly, we assess the project's token economic model, FDV at launch, and initial circulating market value. If these values are too high, we may refuse or request adjustments, as projects with high market values and low potential often leave retail investors holding the bag. Recently, we have seen some VC coins with good funding drop by 90% after listing; we will also avoid such tokens in the future. However, predicting the future performance of a project or token is inherently difficult; we can only try to minimize traders' losses through methodology.

For non-initial projects, especially the recently listed memecoins, we pay special attention to contract risks, token concentration, and the locking status of LP pools. We are more cautious with emerging projects, but we also embrace innovation. For example, when Bitget first listed UNIBOT, it retained certain contract permissions like "modifiable trading tax" and "black/white list mechanisms" due to its design needs, which posed certain drawbacks. However, after analyzing the Unibot revenue model, our research team believed the project had sustainable development potential and no reason for a rug pull, ultimately leading to a firm listing that provided traders with impressive returns. Another example is ORDI, where we judged that the innovation of BRC-20 could reactivate the Bitcoin ecosystem and gain support from the miner community.

How to Evaluate VC Coins and Community Coins? What Are the Differences Between the Two?

Tommy:

From a business-oriented perspective, Bitget's core goal is to provide users with a rich selection of assets and investment opportunities while keeping risks under control. Some VC coins generate a lot of buzz during their TGE, but upon evaluation, we find that their concepts or token economic designs are insufficient to support their FDV. However, if we do not list these tokens, it may raise questions among users, especially when retail and large clients believe we should provide such options. Whether users choose to buy is their decision, and we need to offer that opportunity. For tokens with higher market caps, we usually launch contracts on the same day or the next day for traders to go long or short.

Internally, for high-traffic, high-potential projects, we give them S-level treatment. If a project has high traffic and strong funding but lacks a solid product or community performance, we downgrade it to A-level. Although A-level projects are not promoted as strongly as S-level ones, from the exchange's perspective, these projects are still worth listing.

How to Continuously Monitor Project Performance and Risks After Listing?

Lisa:

Compared to a complete public chain audit or smart contract audit, when assisting exchanges with coin listing assessments, Slow Mist focuses more on asset security threats. Technical considerations are paramount. For example, we review the security of the source code to ensure it is continuously maintained and updated. We pay attention to the randomness security of private keys, ensuring that a reliable random number source is used, while also checking the security of cryptographic algorithms to confirm that they have undergone industry reviews and that the cryptographic components are mature and reliable. We also place great importance on the risks of economic models, such as potential Ponzi schemes or death spirals. Of course, team risk is also critical, especially whether there are special permissions or excessive token concentration, which could lead to risks of exit scams or price dumps.

Exchanges often become targets for hacker attacks, and they typically place servers behind defensive systems, with core services managing funds even requiring offline custody. However, due to the strict requirements of blockchain systems for data integrity, some malicious transactions may bypass the outer security systems, leading to false deposit issues. Common false deposit attack methods include fake coins, especially when exchanges have loopholes in their judgment logic for trading certain coins. Attackers may construct false deposit transactions, causing the exchange to mistakenly believe they are legitimate deposits, thus crediting users' accounts. Additionally, using the RBF feature in the Bitcoin protocol for false deposits is also a common tactic, where attackers pay higher fees to replace previous transactions, leading to misjudgment by the exchange and resulting in asset losses.

It should be noted that false deposit attacks are not vulnerabilities of blockchain but rather a way for attackers to exploit certain characteristics of blockchain to construct special malicious transactions. To prevent false deposit attacks, manual reviews can be implemented, especially for large or high-risk transactions. Additionally, ensuring the security of external API interfaces through security authentication and regular reviews can effectively avoid unauthorized access and potential vulnerabilities.

Tommy:

After a project is launched, if risks arise, the market reacts more quickly. Bitget will immediately discuss whether to urgently delist the project and take measures to protect users. We continuously monitor the performance of all listed tokens and have recently begun to strengthen management in this area, with more ST (Special Treatment) tokens likely to appear in the future.

If these ST tokens fail to improve their fundamentals or liquidity within the specified period, we will consider delisting them. Many projects perform poorly after listing, and the project parties may "give up," no longer actively promoting the project, leading to a deterioration of market depth. Retail users may encounter significant slippage when buying and selling, severely affecting user experience. We are actively working to address this issue.

In terms of mitigating token risks, we focus more on completing our work before listing. During the first wave of meme token hype, Bitget rejected many high-risk meme tokens, such as those with unreasonable distribution methods, excessive holdings by project parties, and falsified on-chain holding address data. Even if the project parties offered to pay listing fees, we still refused to list.

What Typical On-Chain Security Incidents Has Slow Mist Handled?

Lisa:

Since Slow Mist was established, we have handled numerous on-chain security incidents. Here, I will share two types of case examples: one is an incident where the project party was attacked, and the other is a case of individual user theft.

The first is the Poly Network incident in 2021, which was one of the largest attacks at the time, involving losses of up to $610 million. After the incident occurred, Poly Network released a message about the attack around 8 PM that evening, and by around 9 PM, Tether promptly froze some USDT on the hacker's address. Around 11 PM that night, we discovered some identifying information and IP addresses of the attacker and began tracking the flow of funds. The next afternoon, the hacker started returning the funds. This incident was a milestone for Slow Mist. From this event, we developed a set of emergency warning and defense processes, including rapid response and on-chain anti-money laundering measures to reduce losses and secure assets.

Another type of case involves individual user theft. In February of this year, a user contacted us claiming they had been stolen from. The hacker disguised themselves as a journalist from a well-known media outlet, guiding the victim to click on a link containing malicious scripts, ultimately stealing the victim's account permissions and funds. After being stolen, the victim contacted us and publicly shared their experience. After discovering that the funds had been transferred to a certain exchange, we immediately contacted that exchange for a temporary freeze. Although the case filing process was complex, ultimately, three and a half months later, the victim successfully recovered the stolen funds. This was the first case in Taiwan's judicial history where, without specific suspect information, funds were frozen and returned to the victim through tracking analysis and proof of wallet ownership, assisting law enforcement agencies.

Through these cases, I would like to share some experiences. If you are unfortunately the victim of a theft, the first step is to stop the loss promptly and check whether there are any opportunities for recovery. For example, if an authorization was abused, promptly revoke the authorization; if private keys or mnemonic phrases were stolen, immediately transfer the remaining assets; if the PC is infected with malware, disconnect from the internet immediately but do not shut down, so as to facilitate subsequent evidence collection, change the passwords of all platforms saved on the computer, and replace the wallet. Record the timeline of the theft and detailed descriptions, seek help from third-party security teams, and request assistance from law enforcement after filing a case. These measures are all important steps to protect personal assets.

How to Determine if a Token Contract or Interactive Project is Safe?

Lisa:

The simplest way is to check the code. However, if you do not understand technology, as a novice or someone not well-versed in technology, you can learn about some classic phishing or scam cases to recognize their characteristics and forms to enhance vigilance. Pay special attention to traps in projects, such as fake tokens that can only be bought and not sold. When evaluating projects, be aware that high returns usually come with high risks. Investigating whether the team is transparent and whether members are well-known can reduce the likelihood of encountering exit scams or fraud. Additionally, checking if the code has undergone security audits is also a safeguard. It is recommended to participate in leading projects as they usually have compensation plans even if attacked, which relatively ensures asset security.

Tommy:

I believe most ordinary players may not have the ability or time to check code security. The simplest method is to use some reliable third-party tools, such as GoPlus, which supports many chains, especially EVM chains. Solana users can try RugCheck and gmgn ai, which can help detect token risks. When trading tokens on-chain, some tokens may not have published contracts or retain the authority to modify trading taxes, which can lead to undesirable behaviors, such as project parties adjusting the sell tax rate to 99% or 100% after a large influx of funds, which is also a scam.

In addition, non-custodial wallets like Bitget Wallet now also have built-in risk alert functions, which notify users when trading high-risk tokens, making it very user-friendly for novices. For friends participating in DeFi investments, in addition to well-known projects, I also pay attention to the project's TVL. If a project's TVL exceeds $50 million, I might consider participating, but I need to check whether this is due to multiple users' contributions or just one or two large wallets. For large pools with TVL exceeding tens of millions of dollars, issues are generally easier to resolve even if moral hazards occur.

What On-Chain Operation Security Recommendations Are There for Ordinary Users and Institutional Users?

Tommy:

For ordinary users, my recommendations are as follows: First, carefully verify the authenticity of the website's URL when visiting. Second, when authorizing tokens, avoid unlimited authorization and promptly revoke contract authorizations for small projects. If not participating in DeFi operations, choose centralized exchanges with proof of reserves for simple investment operations. For Bitcoin holders, using a hardware wallet is a good choice.

For institutional users, they usually have a better understanding of security measures, but it is still recommended to use multi-signature wallets and strictly manage permissions. In the event of a security incident, timely remediation is essential to avoid neglecting early small issues, as these can lead to larger losses. Hiring professional security personnel for security audits and assessments is also very important, such as collaborating with security agencies for penetration testing.

Lisa:

When it comes to on-chain operations, wallet security is key. Theft of wallet assets usually falls into three categories: theft of private keys or mnemonic phrases, phishing for authorized signatures, and tampering with the target address for transfers.

The focus of preventing theft of private keys and mnemonic phrases is to avoid using fake wallets. Many users obtain wallets through search engine ads or third-party download sites, which pose risks of private key and mnemonic phrase theft. Additionally, malicious browser extensions may also steal user authentication information and sensitive data. It is recommended that users only install extensions from trusted sources, use different browsers to isolate plugins for browsing and fund transactions, and regularly use antivirus software to check their devices.

Regarding phishing, the most common method is blind signing, where users sign without understanding the content. Especially in offline signing, users often believe that signing does not go on-chain and does not consume gas, leading to complacency and resulting in fund theft. The authorization traces of offline signing are only visible in the attacker's address, making it difficult for victims to detect.

The core of preventing on-chain operational risks lies in domain names and signatures. Users are advised to achieve "what you see is what you sign" and refuse blind signing. If you do not understand the signing content, it is best to abandon the operation. Additionally, installing antivirus software, enabling two-factor authentication, and being cautious when clicking on unknown links can also enhance account security. Finally, improving security awareness through learning from cases is crucial. Do not act impulsively due to emotional urges; verify multiple sources when in doubt to ensure safety. "The Dark Forest Self-Rescue Manual for Blockchain" by Slow Mist founder Yu Xian is highly recommended.

What Common Security Risks Are There in Trading Memecoins?

Tommy:

For presale memecoins, many traders rush in at the opening, using bots, self-written code, or platforms like gmgn ai to snipe. However, project parties may delay the opening time for various reasons, leading many to snipe fake tokens. These tokens have the same ticker name and image, and when the real token opens, there may already be four or five fake tokens ready to exit. Therefore, when participating in such high-heat presale tokens, it is essential to wait for the project party to confirm the contract launch, or else you risk being scammed.

Currently, the relinquishment of contract permissions, dispersion of tokens, and destruction of LP have become basic requirements. Meme traders are very strict about these requirements; once they discover that suspected internal personnel of the project party have bought in early, others are unwilling to participate.

In addition to these basic requirements, I believe the liquidity of the LP pool should reach at least $300,000 to $500,000, which is the minimum standard. Small pools have a high risk of rug pulls and limited returns. Additionally, the FDV at TGE should not be too high. If a memecoin has low on-chain trading volume and low social media discussion heat but has an FDV in the tens of millions, it is very suspicious.

Moreover, many memecoin developers not only release one token but also multiple tokens simultaneously. If a developer has previously released multiple rug memecoins, the likelihood of them rug pulling again is also high. Therefore, everyone should remain vigilant about new projects from these developers.

Lisa:

When rushing memecoins on Ethereum and Solana chains, there are some different on-chain risks. EVM series public chain tokens have higher freedom of issuance, and the logic of the tokens is implemented by developers; whereas Solana issues tokens through official channels, so their on-chain trading risks differ.

Common risk types include malicious tokens and rug pull tokens. For example, some memecoins have high discussion rates, but when users want to sell, they find their addresses blacklisted and cannot sell. These tokens typically restrict transfers through special logic, preventing users from selling their tokens. Additionally, rug pull tokens may contain backdoor logic for large token issuance, allowing project parties to conduct malicious operations through privileged functions or freezing user addresses.

What New Technologies and Tools Can Help Users Enhance On-Chain Security?

Lisa:

At the beginning, we mentioned Scam Sniffer, which is a very useful phishing risk blocking plugin that I personally use. Additionally, their authorization management tool is also worth recommending. Revoke.Cash is another classic tool for revoking and checking authorizations. Furthermore, the antivirus software we mentioned, such as AVG and Kaspersky, are also reliable choices.

In addition to these authorization and phishing blocking tools, GoPlus is also an excellent tool that can effectively detect PiXiu pools and PiXiu coins, which I highly recommend. There are also some tools related to local devices, such as the well-known password manager 1Password and 2FA authentication tools. Although backups are needed to prevent loss, their security far exceeds that of not using two-factor authentication.

Additionally, I would like to specifically recommend Slow Mist's MistTrack anti-money laundering tracking system. We have launched a black U detection tool based on MistTrack, allowing users to input transaction addresses to check their scores, helping to identify and avoid money laundering risks.

These tools can help enhance on-chain security, but they cannot guarantee absolute safety. New versions may have bugs or even backdoors. Therefore, I recommend that everyone maintain independent thinking when using these tools, practice the zero-trust principle, and continuously verify. Remember that there is no absolute security; this mindset is crucial.

What Aspects of the Crypto Industry Do You Think Need Strengthened Security Measures?

Lisa:

The crypto industry cannot ignore security issues; a single mistake can lead to losses of millions of dollars, resulting in project paralysis or personal bankruptcy, with various fields facing the risk of hacker attacks. Based on the security barrel effect, strengthening security measures is a holistic need because every link—including users, project parties, and supply chains—is crucial. There can be no security shortfalls in any part; any oversight in one link can disrupt the entire security loop, requiring a combination of technical defenses and human defenses for complete systematic protection.

First, there is a need to enhance users' security awareness. Slow Mist provides a theft/scam submission system where users can submit relevant information after being stolen or scammed, and we will provide free fund tracking and community assessments for them. Through this feedback, we have found that many users' security awareness needs improvement. They often overlook security events and alerts, getting caught up in FOMO emotions and lacking understanding of common attack methods.

Both project parties and individual users need to understand common attack methods and develop emergency plans in advance so that they can promptly locate and control problems when losses occur. At Slow Mist, we spread security knowledge through "The Dark Forest Self-Rescue Manual for Blockchain" and Twitter, but many users are more focused on funds and are unwilling to delve into security issues. This requires joint efforts from all parties to provide better protection for users' funds.

Recently, there have been many phishing comments impersonating project parties on Twitter. Engineers from SpaceX have launched a new feature that allows users to disable links in replies, which is an effective security measure that can significantly reduce the risk of phishing. These are all positive developments in the industry, and we hope to see more such security services in the future to help users enhance their risk prevention capabilities.

Tommy:

As a practitioner, user, and player, I hope that tool products can continue to improve, reducing my concerns about security issues. I expect these tools to provide timely alerts when risks arise, or even directly prevent potential dangerous operations. This approach is more user-friendly, and I believe the user experience of Web3 will ultimately reach or even surpass the current level of Web2.

Only when more and more users from outside the circle can smoothly integrate into the crypto field can this industry truly develop and grow. The improvement of these infrastructures can not only help users resist risks but also provide a better experience for new users entering the circle, avoiding negative feelings towards the entire industry due to being scammed.
