We invited Tommy, a researcher from Bitget, and Lisa, the operations head of the SlowMist security team, to discuss CEX listing risk assessments, on-chain security issues, and how investors can protect their assets. The two guests shared their experiences in evaluating new projects, monitoring listed tokens, and handling hacker attacks. They also discussed the security risks that investors and institutions need to be aware of in the current crypto market and how to leverage new tools to enhance security.

Opening Introduction

Tommy: Hello everyone, I’m a researcher at the crypto exchange Bitget, where I’ve been working for two and a half years. Bitget started as a small team with just a few hundred people, primarily focused on perpetual swap and copy trading. Today, it has grown into a comprehensive crypto platform with a market share of nearly 27% in perp products, over 30 million monthly visits, and more than $560 million in quarterly capital inflows. Bitget now serves over 25 million registered users across more than 100 countries and regions worldwide.

In my over two years of experience, I’ve rarely created PPTs, except when organizing sharing sessions for VIP clients. Our team prioritizes efficiency and results over formal presentations and lengthy reports. The members of our research team have diverse skills, including top talents in designing and implementing DeFi products, as well as experts with deep experience in on-chain data analysis.

Lisa: Hello everyone, I’m Lisa, the head of operations at SlowMist. SlowMist is an industry-leading blockchain security company with extensive experience in both on-chain and off-chain security, as well as many years of expertise in threat intelligence. SlowMist primarily provides tailored, integrated security solutions from threat detection to threat defense, including services such as security audits and anti-money laundering tracking and tracing. The name “SlowMist” is inspired by the book The Three-Body Problem, where the SlowMist Zone represents a safe area, symbolizing that SlowMist is a secure zone in the “dark forest” of the blockchain world. We’ve also established a white hat community called the “SlowMist Zone,” which currently has over 300,000 participants.

How is risk assessment conducted before listing a token? Are there different evaluation strategies for emerging projects compared to well-known projects?

Tommy: At Bitget, risk assessment is led by our research department, with support from the audit and risk control teams. First, we conduct a comprehensive review of the project’s industry, team background, and funding history. If a project touches on Bitget’s risk control red lines — such as involvement in gambling, drugs, or politically sensitive issues — we will directly reject it. Additionally, projects that have been sued by the SEC or have a negative reputation will also be rejected. For example, despite the high interest in Pulsechain (PLS) before its TGE, we temporarily declined to collaborate due to its disputes with the SEC and negative feedback.

Next, we assess the project’s tokenomics, including its FDV and initial circulating market cap at launch. If these values are excessively high, we might reject the project or request adjustments. Projects with high market caps that do not match their potential often leave retail investors holding the bag. Recently, we’ve observed that some well-funded VC Coins saw a 90% price drop after listing. We aim to avoid such tokens in the future. However, predicting a project or token’s future trajectory is challenging, and our methodology focuses on minimizing traders’ losses as much as possible.

For subsequent projects, especially recently listed memecoins, we pay particular attention to contract risks, token concentration, and the locking status of the LP pools. We are more cautious with emerging projects, but we also embrace innovation. For example, Bitget was among the first to list UNIBOT. Initially, UNIBOT had certain drawbacks, such as retaining contract permissions for adjustable trading taxes and black/white list mechanisms due to the project’s design needs. However, after analyzing UnibotT’s revenue model, our research team determined that the project had potential for sustainable development and no reason for a rug pull. As a result, we confidently listed it, which brought considerable returns to traders. Another example is ORDI, where we judged that the innovation of BRC-20 could reinvigorate the Bitcoin ecosystem and gain support from the mining community.

How do you evaluate VC Coins and community-driven tokens? How do you view the differences between the two?

Tommy: From a business perspective, Bitget’s core goal is to provide users with a diverse range of assets and investment opportunities while keeping risks under control. Some VC Coins generate a lot of hype during their TGE, but our evaluations may reveal that their concepts or tokenomics aren’t strong enough to support their FDV. However, not listing these tokens could lead to user dissatisfaction, especially when both retail investors and large clients believe we should offer such options. While it’s ultimately up to the users whether to buy these tokens, we still need to provide the opportunity. For tokens with a high market cap, we usually launch perps on the listing day or the following day, allowing traders to go long or short.

Internally, we assign S-level status to high-traffic projects with significant growth potential. If a project has strong backing and high visibility but lacks a solid product or has mediocre community performance, we downgrade it to A-level. Although A-level projects don’t receive the same level of aggressive promotion as S-level ones, they are still considered worthy of listing from an exchange standpoint.

How do you continuously monitor a project’s performance and risks after it has been listed?

Lisa: Compared to comprehensive blockchain or smart contract audits, when assisting CEXs with listing assessments, SlowMist focuses more on the security threats to assets. Technical considerations are paramount. For instance, we examine the security of the source code, ensuring it is well-maintained and regularly updated. We pay close attention to the security of random number generators, ensuring that reliable sources are used, and we check the security of cryptographic algorithms, confirming that they are industry-reviewed and that the cryptographic components are mature and reliable. We also take the risks of the economic model seriously, looking out for potential issues like pyramid schemes or death spirals. Of course, team risk is also critical, particularly whether there are any special permissions or if the tokens are overly concentrated, which could lead to exit scams or market manipulation.

Exchanges are often prime targets for hackers, who typically place servers behind defense systems, with core services managing funds even requiring offline custody. However, due to blockchain systems’ stringent requirements for data integrity, some malicious transactions can bypass external security systems, leading to issues like fake deposits. Common fake deposit attacks include counterfeit tokens, especially when there are flaws in an exchange’s logic for determining the validity of certain token transfers. Attackers may create fraudulent deposit transactions that trick the exchange into crediting the user’s account. Another common method is utilizing the Replace-By-Fee (RBF) feature in the Bitcoin protocol for fake deposits, where attackers replace an earlier transaction by paying a higher fee, causing the exchange to misjudge and incur losses.

It’s important to note that fake deposit attacks are not blockchain vulnerabilities but rather exploit certain features of the blockchain to craft specific malicious transactions. To prevent fake deposit attacks, exchanges can implement manual reviews, especially for large or high-risk transactions. Additionally, conducting security authentication and regular audits of external API interfaces can effectively prevent unauthorized access and potential vulnerabilities.

Tommy: After a project is listed, if any risks emerge, the market response can be very swift. Bitget immediately holds internal discussions to determine whether to urgently delist the project and take measures to protect users. We continuously monitor the performance of all listed tokens, and we have recently intensified our management in this area, so more ST (Special Treatment) tokens may appear in the future.

If these ST tokens fail to improve their fundamentals or liquidity within a specified period, we will consider delisting them. Many projects perform poorly after listing, and the project teams may “give up,” no longer actively advancing the project, which leads to deteriorating market depth. This can result in significant slippage for inexperienced users during trading, severely affecting their experience. We are actively working to address this issue.

In terms of mitigating token risks, most of our work is done before listing. During the first wave of meme token popularity, Bitget rejected many high-risk memecoins, such as those with unreasonable distribution methods, where the project team held too many tokens, or where on-chain holding address data was falsified. Even if the project team offered to pay a listing fee, we refused to list them.

What are some typical on-chain security incidents that SlowMist has handled?

Lisa: Since SlowMist was founded, we’ve handled numerous on-chain security incidents. I’ll share two types of cases: one involving an attack on a project and another involving the theft of an individual’s assets.

The first case is the 2021 Poly Network incident, which was one of the largest attack events at the time, involving a loss of up to $610 million. On the evening of the incident, Poly Network announced the attack around 8 PM, and by about 9 PM, Tether had promptly frozen a portion of USDT in the hacker’s address. By around 11 PM, we had identified some of the attacker’s personal information and IP address, and began tracking the flow of funds. By the following afternoon, the hacker started returning the funds. This incident was a milestone for SlowMist. We developed a set of emergency alert and defense procedures from this experience, including rapid response and on-chain anti-money laundering measures to minimize losses and secure assets.

Another type of case involves individual users being hacked. In February of this year, a user approached us after being hacked. The hacker posed as a journalist from a well-known media outlet, tricking the victim into clicking a link containing malicious scripts, which ultimately led to the theft of their account credentials and funds. After the theft, the victim contacted us and shared their experience. We discovered that the stolen funds had been transferred to an exchange, and we immediately contacted the exchange to temporarily freeze the assets. Although the legal process was complex, after three and a half months, the victim successfully recovered the stolen funds. This was the first case in Taiwan’s judicial history where, without specific suspect information, we assisted law enforcement in freezing funds and returning them to the victim through tracing analysis and wallet ownership proof.

From these cases, I’d like to share some advice. If you are unfortunate enough to be hacked, the first step is to minimize the loss and see if there is a chance to recover anything. For example, if your authorization is compromised, revoke the authorization immediately; if your private key or mnemonic phrase is stolen, transfer the remaining assets immediately; if your PC is infected with malware, disconnect from the internet but don’t shut down the computer to preserve evidence for later, and change all platform passwords and wallets saved on the computer. Document the timeline and details of the theft, seek help from a third-party security team, and request assistance from law enforcement after filing a report. These steps are crucial for protecting personal assets.

How can you determine if a token contract or interactive project is secure?

Lisa: The simplest way is to review the code. However, if you’re not technically inclined or lack technical knowledge, you can familiarize yourself with classic phishing or scam cases to recognize their patterns and characteristics, which will help you stay vigilant. Pay special attention to traps in projects, such as fake tokens that can only be bought but not sold. When evaluating a project, remember that high returns usually come with high risks. Assessing whether the team is transparent and well-known can reduce the likelihood of encountering a scam or rug pull. Additionally, checking if the code has undergone a security audit is another safeguard. It’s advisable to stick to major projects, as they typically have compensation plans in place if an attack occurs, offering better protection for your assets.

Tommy: I think most ordinary users may not have the ability or time to check code security. The easiest way is to use reliable third-party tools like GoPlus, which supports many chains, especially EVM chains. Solana users can try RugCheck and gmgn ai, which can help detect token risks. When trading tokens on-chain, be cautious if a token’s contract is not public or if it retains the right to modify transaction taxes. This could lead to malicious actions, such as the project team setting the sell tax to 99% or 100% after a large influx of funds, which is a form of scam.

Additionally, non-custodial wallets like Bitget Wallet now have built-in risk alert features, notifying users when they’re about to trade high-risk tokens, which is particularly user-friendly for beginners. For those involved in DeFi investing, besides sticking to well-known projects, I also pay attention to the project’s TVL. If a project’s TVL exceeds $50 million, I might consider participating, but it’s important to check whether this is due to contributions from multiple users or just one or two large wallets. Large pools with a TVL over tens of millions of dollars are more likely to resolve issues even if there is moral hazard.

What are some on-chain security recommendations for regular users and institutional users, respectively?

Tommy: For regular users, my recommendations are as follows: First, always verify the authenticity of the website you are visiting. Second, avoid granting unlimited token approvals, and make sure to revoke contract approvals for smaller projects promptly. If you’re not engaging in DeFi activities, consider using a centralized exchange with proof of reserves for simple investment operations. For Bitcoin holders, using a hardware wallet is a good choice.

For institutional users, who are generally more familiar with security measures, I still recommend using multi-signature wallets and strictly managing access permissions. In the event of a security incident, it’s important to respond quickly and not ignore small issues early on, as these could lead to larger losses. Hiring professional security personnel for audits and assessments is also crucial, such as working with security firms for penetration testing.

Lisa: When it comes to on-chain operations, wallet security is key. Wallet asset theft typically falls into three categories: private key or mnemonic phrase theft, phishing for authorized signatures, and the tampering of the target address during transfers.

To prevent private key and mnemonic phrase theft, avoid using fake wallets. Many users download wallets via search engine ads or third-party sites, which pose risks of key and phrase theft. Additionally, malicious browser extensions can steal user credentials and sensitive data. I recommend only installing extensions from trusted sources, using different browsers to separate browsing and financial transactions, and regularly scanning devices with antivirus software.

Regarding phishing, the most common tactic is “blind signing,” where users sign transactions without understanding the content. This is especially risky in offline signing, where users mistakenly believe that since the signature doesn’t go on-chain and doesn’t consume gas, it’s safe. However, the authorization trace of an offline signature is only visible in the phisher’s address, making it hard for the victim to detect.

The core of preventing on-chain operation risks lies in domain names and signatures. Users should aim for “what you see is what you sign” and avoid blind signing. If you don’t understand the content of a signature, it’s best to cancel the operation. Additionally, installing antivirus software, enabling two-factor authentication, and being cautious about clicking on unknown links can also enhance account security. Lastly, increasing security awareness through learning from case studies is important. Avoid acting impulsively due to emotions, and verify suspicious actions through multiple sources to ensure safety. The Blockchain Dark Forest Selfguard Handbook by SlowMist founder Cos is highly recommended reading.

What are the common security risks associated with trading memecoins?

Tommy: For presale memecoins, many traders try to jump in quickly at the time of launch, using bots, custom code, or platforms like gmgn ai to snipe the token. However, project teams might delay the launch for various reasons, leading many to accidentally buy fake tokens. These fake tokens often have the same ticker name and image as the real one, and by the time the real token launches, there may already be four or five fake tokens on the market ready to scam traders. So, when participating in these high-profile presale tokens, it’s crucial to wait for the confirmed contract to be listed by the project team to avoid being scammed.

Today, relinquishing contract permissions, ensuring token distribution, and burning LP tokens have become standard requirements for memecoin projects. Meme traders are very strict about these requirements — if they suspect that insiders are buying in early, others are less likely to participate.

Beyond these basic requirements, I believe that the liquidity in the LP pool should be at least $300,000 to $500,000 as a minimum standard. Small pools have a high risk of rug pulls and offer limited returns. Additionally, the FDV at TGE shouldn’t be too high. If a memecoin has low on-chain trading volume, minimal social media buzz, but a massive FDV in the millions, that’s a red flag.

Another point to consider is that many memecoin developers don’t just release one token; they often release multiple tokens simultaneously. If a developer has previously launched several rug pull memecoins, it’s highly likely they will do so again. Therefore, it’s wise to be cautious of new projects from such developers.

Lisa: When trading memecoins on Ethereum and Solana, there are different on-chain risks to be aware of. On EVM-based blockchains, the freedom to issue tokens is higher, and the token logic is defined by the developers. In contrast, Solana tokens are issued through official channels, leading to different risks in on-chain transactions.

Common risk types include malicious tokens and rug pull tokens. For example, some memecoins gain significant attention, but when users try to sell them, they find that their address has been blacklisted, preventing the sale. These tokens often have special logic coded into them that restricts transfers, making it impossible for users to sell. Additionally, rug pull tokens may have backdoor logic for large token minting, allowing the project team to perform malicious actions through privileged functions or freeze user addresses.

What new technologies and tools are available to help users enhance their on-chain security?

Lisa: At the start, we mentioned Scam Sniffer, a very effective anti-phishing risk-blocking plugin that I personally use. Their authorization management tool is also highly recommended. Revoke Cash is another classic tool for revoking and checking authorizations. Additionally, antivirus software like AVG and Kaspersky are reliable choices.

Beyond these authorization and phishing prevention tools, GoPlus is an excellent tool that effectively detects honeypots and scam tokens, and I strongly recommend it. For local device security, tools like the well-known password manager 1Password and 2FA authentication tools are great options. While these require backup in case of loss, their security far outweighs not using two-factor authentication.

I’d also like to highlight SlowMist’s MistTrack anti-money laundering tracking system. We’ve launched a blacklisted USDT detection tool based on MistTrack, where users can input a transaction address to check its score, helping to identify and avoid money laundering risks.

While these tools can enhance on-chain security, they don’t guarantee absolute safety. New versions might have bugs or even backdoors. Therefore, I recommend maintaining independent thinking when using these tools, practicing a zero-trust approach, and continually verifying. Remember, there is no absolute security, and adopting this mindset is crucial.

What areas do you think the crypto industry needs to strengthen in terms of security?

Lisa: The crypto industry cannot afford to overlook security issues — one mistake can result in millions of dollars in losses, potentially leading to project collapse or personal bankruptcy. Every area faces the risk of hacker attacks. Based on the security “bucket effect,” strengthening security measures is a comprehensive need, as every link — including users, project teams, and the supply chain — is crucial. Each part must be secure; any lapse in one area can compromise the entire security loop. A combination of technical defenses and manual interventions is required for a complete and systematic defense.

First, user security awareness needs to be improved. SlowMist offers a theft/scam report submission system where users can submit information after being hacked or scammed, and we provide free fund tracking and community assessments for them. From this feedback, we’ve found that many users urgently need to enhance their security awareness. They often ignore security incidents and warnings, get caught up in FOMO, and lack understanding of common attack methods.

Both project teams and individual users need to be familiar with common attack techniques and have pre-established emergency plans to quickly identify and control issues when losses occur. At SlowMist, we disseminate security knowledge through the Blockchain Dark Forest Selfguard Handbook and Twitter, but many users are more focused on their funds and reluctant to delve into security issues. This requires collective effort from all parties to provide better protection for users’ funds.

Recently, there have been many phishing comments impersonating project teams on Twitter. Engineers at SpaceX introduced a new feature allowing users to disable links in replies, which is an effective security measure that significantly reduces phishing risks. These are positive developments in the industry, and I hope to see more security services like these in the future, helping users enhance their risk prevention capabilities.

Tommy: As a practitioner, user, and player in the crypto space, I hope that tool-based products will continue to improve, reducing my concerns about security issues. I expect these tools to alert me promptly when risks arise, or even directly block potentially dangerous actions. This approach is more user-friendly, and I believe the user experience in Web3 will eventually match or even surpass the current Web2 level.

The crypto industry can only truly grow and thrive when more people outside the circle can seamlessly integrate into the space. Improving these infrastructures not only helps users defend against risks but also provides a better experience for newcomers, preventing them from developing negative perceptions of the entire industry due to scams.

Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish