Dialogue with SlowMist: Current Status of Web3 Security, Response Strategies, and Entrepreneurial Prospects

Starlabs Consulting
2024-12-24 18:35:29
If Web3 is a dark forest shrouded in fog, there are hunters lurking everywhere, waiting to strike, as well as experienced security personnel and heroes who clear the fog and expose the evils. This issue of Starlabs Consulting's "Disruptors Unplugged" features SlowMist, which belongs to the latter two.

According to Cyvers' report summarizing key security trends for 2024, the number of Web3 network threats has surged this year, with a total of 165 security incidents resulting in financial losses exceeding $2.3 billion, a 40% increase compared to 2023 ($1.69 billion, adjusted for market factors). Among these, access control-related incidents (67 cases) accounted for 81% of the $2.3 billion loss, approximately 98 smart contract vulnerabilities led to a total loss of $456.3 million, and one address poisoning incident caused losses of over $68 million. However, compared to 2022 ($3.78 billion), the losses from security incidents in 2024 decreased by $1.48 billion (a 40% drop), with $1.3 billion of stolen funds being recovered.

SlowMist Technology is a company focused on blockchain ecosystem security, established in January 2018. It primarily serves many leading or well-known projects globally through "integrated security solutions tailored from threat detection to threat defense." It has developed into a leading international blockchain security company, with thousands of commercial clients from over a dozen countries and regions. Its security solutions include security audits, threat intelligence (BTI), defense deployment, and are complemented by SaaS-based security products such as cryptocurrency anti-money laundering (AML), vulnerability scanning for fake top-ups, security monitoring (MistEye), hacked archives (SlowMist Hacked), and smart contract firewalls (FireWall.X). SlowMist has independently discovered and disclosed numerous common high-risk blockchain security vulnerabilities in the industry, gaining widespread attention and recognition.
Below are the highlights from this issue of "Disruptors Unplugged."
Key Points of this Article:

  • Smart contract vulnerabilities, private key leaks, social engineering attacks, and supply chain attacks are currently common and serious security threats in the Web3 ecosystem, continuously challenging the industry.
  • Security is a dynamic management process. Third-party security audits can guide project teams to implement security practices in the short term, but they cannot truly ensure the long-term safe and stable operation of projects. Therefore, establishing and improving one's own security system is crucial.
  • Currently, MistTrack has accumulated over 300 million address labels, more than 1,000 address entities, over 500,000 threat intelligence data points, and over 90 million risk addresses, all of which provide strong protection for ensuring the security of digital assets and combating money laundering crimes.
  • The explosive growth of Web3 has brought a large number of new projects and users, but frequent security incidents have led to a continuous increase in market demand for professional security services. At the same time, more and more projects are beginning to emphasize the combination of security and compliance, which also provides entry points for professional security service companies.

01

About the Web3 Industry
🌃 Starlabs Consulting: In SlowMist's view, what are the most serious security threats in the current Web3 ecosystem?
SlowMist: In the current Web3 ecosystem, we believe that the following types of security threats are relatively common and have a high level of severity, continuously challenging the industry. First, smart contract vulnerabilities are a widely concerned issue. Due to the immutability of smart contracts, once a vulnerability is maliciously exploited, it can lead to irreparable losses, which is also the fundamental reason for most attack incidents. Common smart contract issues include improper permission management, integer overflow, and logical errors, among others. Secondly, private key leaks are also a significant security risk. Whether for users or project teams, negligence in private key management (such as improper storage or device attacks) is a major reason for asset theft, and the security of private keys directly relates to control over assets. Additionally, social engineering attacks (such as phishing attacks, account theft, impersonation, etc.) are also common methods of wrongdoing. Due to insufficient security awareness among some users and project teams, they often become the entry point for attackers to breach defenses. Finally, there have been multiple recent security incidents involving supply chain attacks, so we believe that supply chain security is gradually becoming an important security issue in the Web3 industry. Supply chain security vulnerabilities can lead to serious consequences, as malware and code can be injected at various stages of the software supply chain, including development tools, third-party libraries, cloud services, and update processes. Once these malicious elements are successfully injected, attackers can use them to steal crypto assets, obtain sensitive user information, disrupt system functions, conduct extortion, or widely spread malware.
🌃 Starlabs Consulting: In the face of frequent attack incidents in the Web3 field, what can project teams (especially startups) do in terms of daily defense, besides collaborating with third-party security service providers like SlowMist? Please give them some advice.
SlowMist: Currently, Web3 projects face a wide variety of attack methods, and the interactions between projects are becoming increasingly complex, which often introduces new security risks. Many Web3 project development teams generally lack frontline security offensive and defensive experience. During the project development process, teams often focus more on overall business validation and functional implementation, neglecting the construction of a security system. Therefore, without a complete security system, it is difficult to ensure the security of Web3 projects throughout their lifecycle. To ensure security, project teams typically hire professional blockchain security teams for code audits. Security audits can guide project teams to implement security practices in the short term, but they cannot help project teams establish their own security systems. Based on this, SlowMist's security team has also open-sourced the "Web3 Project Security Practice Requirements" (https://github.com/slowmist/Web3-Project-Security-Practice-Requirement) to continuously help project teams in the blockchain ecosystem master security skills for Web3 projects. We hope project teams can establish and improve their own security systems based on these requirements, so that even after audits, they can maintain a certain level of security capability; those interested can search and read. We always believe that security is a dynamic management process, and relying solely on short-term audits from third-party security teams cannot truly guarantee the long-term safe and stable operation of projects. Therefore, establishing and improving the security system of Web3 projects is crucial, and project teams themselves must possess a certain level of security capability to better ensure the security and stable operation of their projects. 
Additionally, we recommend that project teams actively participate in security communities, learn the latest security offensive and defensive technologies and experiences, and communicate and collaborate with other project teams and security experts to collectively enhance the security of the entire ecosystem. At the same time, strengthening internal security training and knowledge dissemination to improve employees' security awareness and capabilities is also a key step in establishing a complete security system.
🌃 Starlabs Consulting: In the face of ever-evolving attack methods, how can security companies achieve "the higher the magic, the higher the way"?
SlowMist: Taking SlowMist's current response methods as an example. First, we must always maintain sensitivity to new threats, continuously monitor the latest attack dynamics, and develop customized vulnerability detection, on-chain analysis, and monitoring tools to achieve real-time protection and more efficient response capabilities. Secondly, we have a threat intelligence sharing network. By closely collaborating with industry partners and project teams, we can timely obtain the latest security intelligence, and leverage on-chain data analysis technology to track the flow of attackers' funds, helping victims recover losses as much as possible. Additionally, reverse engineering and case reviews are also indispensable parts. By deeply reviewing past security incidents and sharing Hacking Time from time to time, we continuously enhance our technical capabilities.

02

About SlowMist
🌃 Starlabs Consulting: With so much work done daily, analyzing hacker addresses, tracing funds, how much of it is commissioned and how much is for public welfare?
SlowMist: SlowMist's anti-money laundering and fund tracing services mainly come from two aspects: client commissions and public welfare services. In terms of public welfare services, we have participated in the tracking of many major public attack incidents. Regardless of whether the project team actively reaches out to us, we will follow up immediately, as this part of the work mainly stems from our sense of responsibility for the healthy development of the industry. By timely exposing hacker behaviors and analyzing attack methods, we hope to contribute to the security of the entire Web3 ecosystem. In addition, SlowMist receives numerous requests for help from victims daily, including large victims who have lost tens of millions of dollars, asking us to provide fund tracing and loss recovery services. For these cases, we offer free community assistance for case evaluations (https://aml.slowmist.com/recovery-funds.html). On the other hand, SlowMist also provides emergency response services specifically for Web3 project teams (https://cn.slowmist.com/service-incident-response.html). This service helps project teams respond quickly and effectively to risks in the event of hacker attacks or other emergencies. We will analyze the attacker's intrusion path and behavior in detail and construct a profile of the attacker both on-chain and off-chain. At the same time, we will trace the flow of stolen assets. This service includes the entire process from on-chain and off-chain intrusion analysis to fund tracing, helping project teams review security incidents and relying on SlowMist's blockchain anti-money laundering system (AML) and InMist threat intelligence network to help project teams recover as much lost funds as possible.
🌃 Starlabs Consulting: The on-chain transaction records are intricate and complex. We ordinary users find it daunting to analyze a single transaction. Do you have more efficient analysis tools and databases for the massive tracking work you handle daily? How do the tracking analysis tools you use internally differ from the MistTrack service for end users?
SlowMist: Actually, we also use MistTrack (https://misttrack.io) because it is simple, user-friendly, and comprehensive in data. Currently, MistTrack has accumulated over 300 million address labels, more than 1,000 address entities, over 500,000 threat intelligence data points, and over 90 million risk addresses, all of which provide strong protection for ensuring the security of digital assets and combating money laundering crimes. The difference is that our team has established an internal knowledge base to ensure the efficiency of tracking work.
🌃 Starlabs Consulting: When users use SlowMist's MistTrack tracking service, should they worry about personal privacy? How do you protect customer personal information?
SlowMist: There is no need to worry about this. As a security company, SlowMist naturally places great importance on privacy protection and informs users of our privacy policy before cooperation. We try to retain only the data necessary to complete the service while strictly limiting access permissions to ensure that only authorized personnel can access relevant information. All user data is transmitted and stored using strong encryption technology.
🌃 Starlabs Consulting: We noticed that SlowMist also provides security solutions for consortium chains. What are the main differences between consortium chain security and public chain security?
SlowMist: There are significant differences in security needs between consortium chains and public chains, mainly reflected in differences in network architecture, user groups, and application scenarios. For example, in terms of access control, consortium chains are usually permissioned, allowing only authenticated nodes and users to join. Consortium chains face more internal threats, such as malicious node operations, improper permission configurations, and data leaks. In contrast, public chains are open networks that face more complex and diverse security challenges, including 51% attacks, exploitation of smart contract vulnerabilities, and cross-chain bridge attacks. In terms of node security, consortium chains have fewer nodes, typically maintained by a few trusted parties, which provides a higher trust base but also comes with a higher risk of single points of failure. To improve performance, consortium chains often adopt efficient consensus mechanisms (such as PBFT, Raft), sacrificing some decentralization. In contrast, public chains have a wide distribution of nodes and a high degree of decentralization, thus relying more on consensus mechanisms to resist malicious node behavior. Public chains typically use more decentralized but lower-performance consensus mechanisms (such as PoW, PoS) to enhance censorship resistance and system openness. In terms of compliance requirements, consortium chains are usually applied in enterprise-level scenarios, thus needing to meet strict legal and regulatory requirements. When designing, security solutions need to fully consider audit and regulatory needs. In contrast, public chains operate in a more global context, facing challenges from cross-national laws and regulations, and need to balance decentralization and efficiency in security design. Based on the characteristics of these two types of chains, SlowMist provides differentiated security solutions to address their respective security challenges.

03

About the Security Industry
🌃 Starlabs Consulting: Is the Web3 security sector still a blue ocean? If a startup wants to enter this sector, or if a Web2 security company wants to expand into Web3 security business, which subfields do you think have more opportunities?
SlowMist: The explosive growth of Web3 has brought a large number of new projects and users, but frequent security incidents have led to a continuous increase in market demand for professional security services. At the same time, more and more projects are beginning to emphasize the combination of security and compliance, which also provides entry points for professional security service companies. For example, ordinary users often suffer asset losses due to phishing attacks, malware, and improper key management, so user-side security is a potential area to consider; additionally, the complexity and workload of on-chain fund tracing are enormous, and the increasing demand for anti-money laundering also points towards the direction of fund tracing and AML development. Overall, the Web3 security sector is full of challenges but also contains enormous opportunities.
🌃 Starlabs Consulting: How to assess the potential threat of quantum computing technology to existing encryption algorithms, and what strategies can be adopted in the future in the field of encryption?
SlowMist: Currently, the threat of quantum computing has not fully manifested, but in the Web3 and blockchain fields, quantum computing technology is highly dependent on the security of encryption algorithms. The encryption field can ensure the long-term security and robust development of the ecosystem through technological innovation, international cooperation, and phased strategy implementation.
