Security Special Issue 02 | OKX Web3 & CertiK: MEME "Big Adventure" and Security "Truth"

24-05-23 16:32
Original source: OKX


Introduction


The OKX Web3 Wallet has planned the "Security Special Issue" column to answer different types of on-chain security questions. Drawing on real cases that happen around users, and sharing answers together with experts or institutions in the security field from two perspectives, we sort out and summarize the rules of safe trading step by step, aiming to strengthen user security education and help users learn to protect their private keys and wallet assets themselves.


Playing MEME is a big adventure


Rug Pull (draining the pool), Pixiu plate (honeypot), dumps, sandwich attacks... many traps lie ahead


I used to be a brave adventurer, until I took an "arrow" in the knee


This is the 02nd Security Special Issue. We have specially invited CertiK, a well-known security organization in the industry, and the OKX Web3 team to share common MEME on-chain trading security risks and prevention measures in the form of a practical guide, hoping it will be helpful to MEME users.



CertiK Security Team: Founded by two professors from Yale University and Columbia University, CertiK uses the most advanced formal verification technology, AI audit technology, and manual audits by security experts to ensure the security of blockchain protocols and smart contracts by scanning and monitoring them. To date, CertiK has been recognized by more than 4,000 corporate customers, has discovered nearly 70,000 code vulnerabilities, and has protected more than $400 billion in digital assets from loss.


OKX Web3 Wallet Security Team: Hello everyone, I am very happy to be able to share this. The OKX Web3 Wallet Security Team is mainly responsible for the security capability construction of the OKX Web3 Wallet, providing multiple protection services such as product security, user security, and transaction security. While protecting the security of user wallets 24 hours a day, it contributes to maintaining the entire blockchain security ecosystem.


Q1: Real cases of MEME risks happening around us


OKX Web3 Wallet Security Team: There are many types of risk cases of this type. We have selected several classic cases that users have encountered when trading MEME:


Case 1: Pixiu Plate


User A saw a hot MEME discussion on Twitter and found the token address in the tweet comment of the MEME. After checking the transaction data of the MEME, he found that it performed well, so he bought it. As the price of the MEME continued to rise, user A wanted to sell and lock in profits, but he was unable to sell it. After investigation by our team, it was found that the MEME token was a Pixiu plate, and the user address could not be sold because it was blacklisted.


Case 2: Malicious Rug Pull


User B often speaks and participates in activities in a Telegram community, and has been added as a contact by many group members. One day, a group member privately messaged user B and recommended a MEME project to him, saying that the project was very popular and had great potential, and then immediately provided the MEME token address. User B was a little tempted, so he checked on a data analysis tool and found that the liquidity LP of the MEME token had been destroyed and there were no whales holding positions. Therefore, he thought that the MEME project was fairly reliable and purchased it. But on the second day, user B suddenly found that the liquidity of the MEME project had been drained. After investigation by our team, it was found that the token was a malicious Rug Pull token, which had a backdoor logic that could mint a large number of tokens.


There are endless risk cases that have occurred to MEME users. We hope that through the following conversation, we can provide users with some security reference guides. It does not constitute any investment advice, but is only for everyone to learn and communicate.


Q2: Common risks on the EVM public chain and Solana network when trading MEME


CertiK Security Team: MEME risks are divided into two categories: one is the on-chain risk scenario, and the other is general risks, which have nothing to do with blockchain technology.


Before introducing specific on-chain risk scenarios, let’s first introduce general risks, which mainly include five categories: extremely low coin issuance costs, easy manipulation of token prices, highly centralized projects, large investor trading wear and tear, and Rugpull scams.


1. Extremely low coin issuance costs


Generally speaking, the amount of technical development for launching MEME projects is extremely low or even non-existent, so that one-click coin issuance tools like PandaTool have emerged. It is precisely because of the extremely low development costs that the cost of obtaining tokens for internal project personnel and early investors is extremely low. In addition, the MEME project itself has no actual fundamentals. Once the market is no longer "FOMO" (Fear of Missing Out), these extremely low-cost tokens will be quickly sold, causing subsequent investors to bear huge losses.


2. Token prices are easily manipulated


MEME prices are easily manipulated. On the one hand, due to its lack of substantial technical support, intrinsic value, and low issuance threshold, anyone can easily create and issue MEME, which makes the market full of highly speculative currencies.


At the same time, MEME usually relies on social media and network popularity to drive its price, and these factors are easily manipulated by large or organized groups. These speculators can manipulate prices by buying or selling in large quantities, as well as creating false information and market noise, causing drastic price fluctuations, attracting more retail investors to chase ups and downs, thereby further exacerbating the possibility of price manipulation.


3. Highly centralized projects


MEME projects usually lack decentralized governance mechanisms, and decision-making power is concentrated in the hands of a few developers and core teams, making project direction and management easily driven by personal interests, increasing the risk of investors. On the basis of the centralization of decision-making power, there may also be various centralized risks such as the centralization of control of token contracts and programs, the centralization of token holdings, and the centralization of liquidity control.


4. Large wear and tear on investors' transactions


MEME transactions have large wear and tear, first due to their poor liquidity. Because relatively few market participants buy and sell MEME and trading volume is insufficient, there is a large bid-ask spread (i.e. the gap between the buying price and the selling price), which increases transaction costs. In addition, MEME coins with poor liquidity are prone to drastic price fluctuations in large transactions, further increasing transaction risks and costs. When buying or selling, investors often need to bear higher slippage and greater price impact, resulting in inefficient transactions and increased transaction costs.


The second is attributed to the "transaction tax" mechanism. In order to incentivize investors to hold or maintain project funds, many MEME projects usually charge a certain percentage of transaction tax on each transaction. These taxes are usually used to repurchase tokens, reward holders, or support project development. However, this transaction tax increases transaction costs, making frequent trading more expensive. Traders need to pay additional taxes every time they buy or sell, which increases transaction wear and further reduces liquidity. Investors must bear higher fees and risks when trading MEME.


5. Rugpull scam


MEME is easily targeted by Rugpull scams because of its high anonymity, lack of transparency and supervision. The following are several common Rugpull methods and their phenomena:


1) Liquidity Pull:


Method: The development team will create a liquidity pool on a decentralized exchange (DEX) and add tokens and mainstream cryptocurrencies (such as ETH, USDT, etc.) to the pool. After attracting enough investors, the development team will suddenly withdraw all liquidity, making the tokens untradable.


Phenomenon: Investors find that they cannot sell tokens, the token price quickly returns to zero, and the liquidity pool shows that there is almost no money left.


2) Developer Dumping:


Method: The project party or early holders hold a large number of tokens. When the market demand is hyped up, they will sell most or all of their tokens in a short period of time, causing the price to plummet.


Phenomenon: Huge sell orders appear in the transaction records, the token price drops sharply, market confidence collapses, and the trading volume decreases rapidly.


3) Fake Projects:


Method: Criminals will create a fake MEME coin project, fabricate a false vision and roadmap, and attract investors through social media and celebrity endorsements. Once they have raised enough funds, they will shut down the project and run away with the money.


Phenomenon: The project website and social media accounts suddenly disappear, the development team cannot be contacted, and the value of the tokens in the investor's account rapidly depreciates.


4) Contract Exploits:


Method: The development team deliberately leaves backdoors or loopholes in the smart contract, allowing them to manipulate the contract under certain conditions and steal investors' funds.


Phenomenon: Token transactions are abnormal or suddenly stopped, investors cannot transfer or sell tokens, and the contract address shows that a large amount of funds have been transferred to unknown accounts.


5) Fake Forks:


Method: Claiming to upgrade or fork the original tokens, requiring holders to exchange old tokens for new tokens, in fact, is to collect and possess these old tokens.


Phenomenon: The old tokens lose value, the so-called new tokens cannot be traded on any exchange, and the project team loses contact.


Next, we will introduce the common on-chain risks when users conduct MEME transactions on the EVM public chain & Solana network. In order to facilitate users to more directly compare the differences in risk types, we share them in the form of a table.


[Table: comparison of common on-chain risk types on EVM public chains and the Solana network. Image source: CertiK Security Team]


OKX Web3 Wallet Security Team: EVM-based public chains and Solana are the preferred networks for users to conduct MEME transactions. The two differ in the types of on-chain risks, which is related to factors such as their different token issuance mechanisms.


First, EVM-based public chains. Since tokens on EVM-based chains can be issued with a high degree of freedom and the token logic is implemented by the developers, there are currently two types of common on-chain risks for MEME transactions on EVM-based public chains:


(I) MEME with malicious logic


When the market is hot, there will be various malicious tokens forged as popular MEME. This type of malicious token usually has good transaction data, which leads users to misjudge and trade malicious tokens, thereby causing losses. There are currently two main types of common malicious tokens:


1. Pixiu plate (honeypot): tokens that can be bought but not sold. This type of malicious token usually sets a 100% tax rate or special transfer restriction logic, which prevents users from selling tokens.


2. Malicious rug pull tokens: tokens with hidden minting logic. This type of malicious token drains the token's liquidity by hiding the minting logic and then minting additional tokens.


(II) Malicious actions by the project party


Currently, malicious actions by the project party also mainly fall into two types: abuse of privileged functions and direct dumping.


1) Abuse of privileged functions: the project party mints additional tokens through privileged functions, such as a mint function, and dumps them on the market.


2) Direct dumping: the project party directly dumps the tokens it holds on the market.


Second, the Solana chain. It is worth noting that tokens on the Solana network are issued through fixed official channels. Therefore, when conducting MEME transactions on Solana, the common on-chain risks mainly come from malicious actions by the project party.


(I) Privileged functions


The project party uses privileged functions, such as the mint function, to issue additional tokens and dump them on the market, or freezes user addresses through the freeze instruction, achieving a purpose similar to the Pixiu plate and preventing users from selling.


(II) Direct dumping


The project party directly dumps the tokens it holds on the market. It is worth reminding that some malicious MEME project parties evade checks for concentrated token holdings by spreading their tokens across many addresses.
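As an added example (not part of the original article or either team's tooling), the following Python script parses the base layout of an SPL Token mint account and flags exactly the two privileges described above: a retained mint authority (supply can be inflated) and a retained freeze authority (holder accounts can be frozen). The sample account bytes are constructed inline; real input would be the base64-decoded `data` field returned by Solana's `getAccountInfo` RPC for the mint address.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Base SPL Token mint account layout (82 bytes, integers little-endian):
#   0..36   mint_authority    COption<Pubkey>: u32 tag (0 = None, 1 = Some) + 32-byte key
#   36..44  supply            u64
#   44      decimals          u8
#   45      is_initialized    u8 (0 or 1)
#   46..82  freeze_authority  COption<Pubkey>
# Token-2022 mints append extension data after this base layout; this parser only
# evaluates the base fields, so extensions (e.g. transfer hooks) are not assessed.
MINT_LEN = 82


@dataclass
class MintInfo:
    mint_authority: Optional[bytes]
    supply: int
    decimals: int
    is_initialized: bool
    freeze_authority: Optional[bytes]


def _read_coption_pubkey(buf: bytes, off: int) -> Optional[bytes]:
    """Decode a COption<Pubkey> at the given offset."""
    tag = struct.unpack_from("<I", buf, off)[0]
    if tag == 0:
        return None
    if tag == 1:
        return bytes(buf[off + 4:off + 36])
    raise ValueError(f"invalid COption tag {tag} at offset {off}")


def parse_mint(data: bytes) -> MintInfo:
    if len(data) < MINT_LEN:
        raise ValueError(f"mint account too short: {len(data)} bytes")
    mint_auth = _read_coption_pubkey(data, 0)
    supply, decimals, initialized = struct.unpack_from("<QBB", data, 36)
    freeze_auth = _read_coption_pubkey(data, 46)
    return MintInfo(mint_auth, supply, decimals, initialized == 1, freeze_auth)


def assess_mint(info: MintInfo) -> list:
    """Return risk findings for the two privileges discussed in the text."""
    findings = []
    if not info.is_initialized:
        findings.append("mint account is not initialized")
    if info.mint_authority is not None:
        findings.append("mint authority retained (%s): supply can be inflated and dumped"
                        % info.mint_authority.hex())
    if info.freeze_authority is not None:
        findings.append("freeze authority retained (%s): holder token accounts can be "
                        "frozen, blocking sells (Pixiu-style behaviour)"
                        % info.freeze_authority.hex())
    return findings


# --- constructed sample data (not real on-chain accounts) ---------------------

def _encode_coption_pubkey(key: Optional[bytes]) -> bytes:
    if key is None:
        return struct.pack("<I", 0) + bytes(32)
    assert len(key) == 32
    return struct.pack("<I", 1) + key


def build_mint(mint_auth, supply, decimals, freeze_auth, initialized=True) -> bytes:
    """Serialize a mint account in the base layout, for offline testing."""
    return (_encode_coption_pubkey(mint_auth)
            + struct.pack("<QBB", supply, decimals, 1 if initialized else 0)
            + _encode_coption_pubkey(freeze_auth))


TEAM_KEY = bytes(range(32))  # constructed placeholder for the project team's key

if __name__ == "__main__":
    for label, raw in (("risky", build_mint(TEAM_KEY, 10**15, 6, TEAM_KEY)),
                       ("renounced", build_mint(None, 10**15, 6, None))):
        print(label, assess_mint(parse_mint(raw)) or ["no retained privileges"])
```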


Q3: Which dimensions or tools can initially filter out MEME projects with extremely high risks


CertiK Security Team: This does not constitute any investment advice, but only introduces some of the tools we personally use. It cannot 100% help users filter risks, but only provides a reference for users to initially judge whether a MEME has a high risk.


1) dune.com: A data analysis platform that can customize queries to analyze and monitor the on-chain data of tokens. It is relatively flexible, but relatively complex to use and requires a certain learning cost.


2) Dextools.io: A token information integration platform that can view some basic token information, such as market value, liquidity, number of holders, token distribution, etc., and can also perform some simple security risk screening.


3) Skyknight MemScan: A new platform launched by CertiK that provides a solution for evaluating the security status of MEME. The platform provides instant insights and on-chain behavior analysis, including contract minting analysis, transaction control detection, ownership concentration analysis, liquidity control evaluation, etc.



OKX Web3 Wallet Security Team: There is no method that filters out risks 100%, but from the perspective of token security and project health, we provide users with several dimensions that can initially filter out highly risky MEME items. It should be noted that users cannot judge the security of a project based solely on the following dimensions.


1) Smart contract security: You can use auxiliary tools to verify whether there are security issues at the source code level. These tools can check whether there is malicious logic in the project code and identify security vulnerabilities in the code itself. In addition, it is necessary to evaluate the permission control of the contract to ensure that the contract owner's permissions are not too large, to prevent the owner from arbitrarily minting or burning tokens.


2) Token allocation and holding distribution: Check the distribution of token holders through the blockchain explorer and avoid participating in projects with too concentrated token holdings, as these projects are easily manipulated and have a higher risk of rugpull.


3) Liquidity and trading activities: observe the trading volume and price fluctuations of the tokens. Low trading volume and high volatility may mean that the project is unstable or there is a risk of manipulation.


4) Community and development team activity: Whether the project team is open and transparent, including the background, experience, and social media activity of team members.


Currently, the OKX Web3 wallet also provides users with the ability to filter risky tokens, filtering out tokens that may cause damage to users at multiple levels such as code security and transaction security. While providing token information across various dimensions, it also safeguards users' MEME trading experience.
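As an added example (not the OKX team's own screening logic), this Python snippet runs the holding-distribution check from dimension 2) over a constructed holder snapshot and shows why the reminder from Q2 matters: wallets funded by the same deployer are merged into one cluster before the top-holder share is computed, so "distributed" holdings controlled by a single party become visible. The balances, funding edges, and the `deployer`, `cex_hot_wallet` and `lp_pool` addresses are all constructed placeholders; real input would be a token holder snapshot plus the first inbound native-coin transfer of each wallet.

```python
from collections import defaultdict

# Constructed holder snapshot: token balance per address (not real data).
SUPPLY = 1_000_000
LP_POOL = "lp_pool"
PUPPETS = [f"puppet_{i:02d}" for i in range(20)]   # 20 wallets funded by the deployer
RETAIL = [f"retail_{i:02d}" for i in range(10)]    # 10 wallets funded via an exchange
BALANCES = {LP_POOL: 300_000}
BALANCES.update({p: 30_000 for p in PUPPETS})      # 3% each looks harmless in isolation
BALANCES.update({r: 10_000 for r in RETAIL})
assert sum(BALANCES.values()) == SUPPLY

# Constructed funding edges (funder, recipient): the first inbound native-coin
# transfer each wallet received before it started buying the token.
FUNDING = [("deployer", p) for p in PUPPETS] + [("cex_hot_wallet", r) for r in RETAIL]

# Exchange hot wallets fund thousands of unrelated users; treating one as a common
# controller would merge genuine retail holders into a bogus cluster.
IGNORED_FUNDERS = {"cex_hot_wallet"}
NON_HOLDERS = {LP_POOL}   # the liquidity pool (or a burn address) is not a holder


def cluster_by_funder(funding, ignored_funders=frozenset()):
    """Union-find over funding edges; returns address -> cluster root."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for funder, recipient in funding:
        if funder in ignored_funders:
            find(recipient)                 # recipient stays its own cluster
            continue
        parent[find(recipient)] = find(funder)
    return {addr: find(addr) for addr in parent}


def concentration(balances, clusters=None, top_n=10, exclude=frozenset()):
    """Largest-holder and top-N share of circulating supply, optionally after
    merging each address into its funding cluster."""
    clusters = clusters or {}
    agg = defaultdict(int)
    for addr, bal in balances.items():
        if addr in exclude:
            continue
        agg[clusters.get(addr, addr)] += bal
    circulating = sum(agg.values())
    shares = sorted(agg.values(), reverse=True)
    return {
        "largest_share": shares[0] / circulating,
        "top_n_share": sum(shares[:top_n]) / circulating,
        "entities": len(shares),
    }


def holder_report(balances, funding, ignored_funders, exclude, top_n=10):
    """Side-by-side view: per-address concentration vs. per-controller concentration."""
    raw = concentration(balances, None, top_n, exclude)
    clustered = concentration(balances, cluster_by_funder(funding, ignored_funders),
                              top_n, exclude)
    return {"raw": raw, "clustered": clustered}


if __name__ == "__main__":
    rep = holder_report(BALANCES, FUNDING, IGNORED_FUNDERS, NON_HOLDERS)
    for view in ("raw", "clustered"):
        m = rep[view]
        print(f"{view:>9}: largest {m['largest_share']:.1%}, "
              f"top-10 {m['top_n_share']:.1%}, entities {m['entities']}")
```

In the constructed data the largest per-address holder is only about 4% of circulating supply, while the deployer-funded cluster controls about 86%.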



Q4: As an early circulation place for MEME tokens, what limitations or risks do the Launchpad platform and DEX currently have?


CertiK Security Team: First, Launchpad platforms and DEXs must have strong technical support to cope with the transaction response speed and transaction scale of MEME projects. In addition, liquidity is also a crucial link, and relevant platforms need to monitor any events that may affect liquidity security. Finally, regarding the compliance risks of MEME, the platform must understand and implement relevant regulatory policies and requirements to reduce possible legal risks.


OKX Web3 Wallet Security Team: Next, we will introduce the limitations or risks of the Launchpad platform and DEX respectively.


For the Launchpad platform, there are three main points:


First, the quality of projects launched on the platform is uneven. Although some Launchpad platforms will conduct reviews and due diligence, they may still fail to fully identify high-risk or low-quality projects.


Second, fund management risk. Launchpad platforms usually centrally manage a large amount of user funds. If these funds are not managed properly or are misappropriated maliciously, it may lead to user fund losses. In addition, the platform may lack sufficient safeguards to protect the safety of user funds.


Third, market manipulation. Project parties or large capital players may manipulate prices after the launch of Launchpad, causing drastic market fluctuations and affecting retail investors.


For DEX, there are relatively more limitations.


First, insufficient liquidity. Newly listed MEME usually has poor liquidity on DEX, which can easily lead to large transaction slippage and drastic price fluctuations.


Second, smart contract vulnerabilities. DEX relies on smart contracts for transactions. If there are vulnerabilities in these contracts, they may be exploited by hackers and cause financial losses.


Third, high transaction fees. Especially on networks such as Ethereum, transaction fees (gas fees) may be very high, affecting the cost-effectiveness of small traders.


Fourth, malicious project parties. Anyone can deploy a token and list it for trading on a DEX. Some project parties may deliberately leave backdoor functions in the contract, allowing them to arbitrarily manipulate token balances or prevent users from selling tokens.


Fifth, user experience issues. The operation of DEX is relatively complicated for ordinary users, involving wallet connection, gas fee setting, etc. For entry-level users, the experience may not be as good as that of centralized exchanges (CEX).


Q5: Let me ask you a follow-up question. Telegram bots are one of the actual manifestations of intent-based interaction in the field of cryptocurrency. Do they represent the future development trend of DEX?


CertiK Security Team: Telegram bots can significantly lower the threshold for trading and automate some steps in trading, making it easier for non-professionals to trade cryptocurrencies. However, special attention must be paid to the specific security risks of these bots. It is recommended to conduct a comprehensive security due diligence on any third-party dApp that interacts with the wallet to ensure its security.


OKX Web3 Wallet Security Team: The application of Telegram bots in the field of cryptocurrency shows great potential for intent-based interaction. This trend is expected to promote the future development of decentralized exchanges (DEX) by optimizing user experience, enhancing transaction convenience and security, expanding the financial services ecosystem, and technological innovation.


1. Improve user experience


Simplify operations: Telegram bots use natural language processing to enable users to trade using simple chat commands, simplifying complex operation processes.


Automatic trading: Users can set automatic trading rules, such as stop loss and take profit points, to reduce the risk and time cost of manual operations.


2. Enhanced decentralized trading


Seamless integration: The bot is integrated with the decentralized exchange (DEX) through an API interface, hiding the complex trading operations and reducing the user's learning cost.


Real-time operation: The bot can monitor market dynamics in real time and notify users immediately, enabling them to make trading decisions quickly and execute transactions.


3. Improve security


Smart contracts: Bots use smart contracts to ensure the transparency and security of transactions, reducing the possibility of human intervention and fraud.


Decentralization: Although bots may be centralized, actual transactions are conducted in a decentralized environment, which improves the security and transparency of transactions.


4. Expand the ecosystem


Multi-functional platform: Telegram bots are not limited to trading, but can also be extended to financial services such as asset management, lending, and staking, providing a one-stop financial solution.


Enhance community interaction: Through the Telegram platform, bots can promote user communication and community building, and increase user participation.


5. Technology and market driven


Innovation driven: The advancement of artificial intelligence and blockchain technology will make bot applications more and more intelligent and efficient, and promote the emergence of more decentralized applications and services.


Market acceptance: The growing demand for simplified and automated services among users has driven more DEXs to adopt bot services to enhance their competitiveness.


Q6: Current security risks of high-frequency tools such as the various Telegram (TG) BOTs


CertiK Security Team: With the development of the cryptocurrency market, Telegram BOTs have become more and more common in trading and information acquisition. However, these high-frequency tools also bring significant security risks, and users should pay special attention to the following aspects when using them.


First, many Telegram BOTs have not been audited or their code has not been made public, and they may contain malicious code or vulnerabilities. These malicious BOTs may steal users' private keys, identity information, or other sensitive data. In addition, malicious BOTs may disguise themselves as legitimate services and induce users to enter their private keys or mnemonics through phishing attacks, thereby stealing funds. Therefore, users should make sure to only use officially recommended or verified BOTs and avoid clicking on unknown links or entering sensitive information.


Secondly, some BOTs may require too many permissions, such as access to the user's contacts, files or other private information. When using, permissions should be granted with caution to ensure that the BOT only obtains the minimum permissions required for its normal operation. At the same time, the communication between the BOT and the Telegram server may be intercepted by a man-in-the-middle attack, resulting in data leakage or tampering. Users should ensure that they use BOTs with encrypted communication and check the implementation of their secure communication protocols.


Third, many Telegram BOTs provide automated trading functions, but if the trading logic of these BOTs has loopholes, it may lead to serious financial losses. Users should conduct sufficient testing before using such functions and monitor trading behavior to prevent abnormal situations. In addition, BOT developers may collect and store a large amount of user data. Once this data is leaked or abused, user privacy will be seriously threatened. Users should choose BOTs with good reputation and privacy policies, and check their privacy protection measures regularly.


Finally, over-reliance on certain BOTs for trading or asset management may result in users being unable to operate normally when the BOT service is interrupted or shut down. Therefore, users should avoid over-reliance on a single BOT and prepare backup plans. By understanding and preventing these risks, users can use Telegram BOTs more safely and protect their assets and privacy.


OKX Web3 Wallet Security Team: BOTs such as Telegram bots not only provide convenient services, but also bring great risks. Next, we will give some examples.


First, the risk of centralized custody of private keys. Most Telegram bots need to custody the user's private key in order to actively sign and send transactions. This means that the user's private key is stored on a third-party server, increasing the risk of theft or abuse.


Second, the risk of phishing. Phishing links sent by Telegram bots may induce users to click, resulting in the theft of account information or private keys. In addition, social engineering in the chat window (such as fake customer service) may trick users into revealing their mnemonics or other sensitive information.


Third, the risk of Trojans. Some bots may infect users' devices and endanger the security of the entire system by delivering malware (Trojans) or malicious SDKs.


In short, users need to be cautious when using the various BOTs, should not click on unfamiliar links at will, and should never disclose their private keys.


Q7: User Misunderstandings and Risk Prevention in MEME Trading


CertiK Security Team: First of all, users should conduct security due diligence on any dApp that interacts with their wallet, including trading platforms and Telegram bots. Choosing a dApp that has undergone a security audit can reduce the risk of being attacked during operation and ensure the security of their private keys and identity information. Currently, CertiK helps users reduce risks by providing dApp penetration testing services.


Secondly, MEME transactions are highly dependent on the response speed and frequency of transactions, so it is crucial to choose a stable platform with reasonable transaction fees. When trading, try to choose platforms that are safe, stable, fast and have low transaction fees to get a better trading experience. For example, the MemeScan platform launched by CertiK mentioned above can provide instant security status information, including on-chain behavior analysis of a MEME: for example, whether the contract can mint new tokens, whether transactions can be paused or restricted, whether a few addresses control most of the tokens, and whether a few addresses control most of the liquidity. I hope it can provide some help for users to trade safely.


OKX Web3 Wallet Security Team: Considering security, users need to know safe operations and risk prevention when conducting MEME transactions to ensure the correctness and security of transactions.


First, choose the right trading platform. Users should choose reputable and highly secure cryptocurrency exchanges, and try to avoid using unverified or unknown trading platforms, which may face the risk of asset theft. For on-chain transactions, confirm the official website of the project party and the correctness of the contract.


Second, enable a more secure authentication method. For greater security, users can enable two-factor authentication on all trading platforms and wallets, using Google Authenticator or other security applications. Try to avoid SMS verification, as it is vulnerable to SIM card swap attacks.


Third, use a highly secure wallet. Users should try to use verified wallets for transactions and ensure that the mnemonics or private keys are securely backed up and stored in a safe place to avoid electronic backups. Without backing up the private key or mnemonics, assets cannot be recovered when the device is lost or damaged.


Fourth, prevent phishing. Users need to always verify the URL used for transactions to ensure that it is an official link. When encountering problems, make sure that you contact the official customer service, ignore private messages in groups such as Telegram and Discord, and never click on unknown links, sign messages whose content you do not understand, or reveal private keys.


Fifth, for a secure network environment, users should operate under a trusted operating system and try not to use public wireless networks.


Finally, thank you for reading the 02nd issue of the OKX Web3 Wallet "Security Special Issue". We are currently preparing for the 03rd issue, which will include real cases, risk identification, and safe operation tips. Please stay tuned!


Disclaimer:

This article is for reference only and is not intended to provide (i) investment advice or investment recommendations; (ii) an offer or solicitation to buy, sell or hold digital assets; or (iii) financial, accounting, legal or tax advice. Holding digital assets (including stablecoins and NFTs) involves high risks and may fluctuate significantly or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. Please be responsible for understanding and complying with local applicable laws and regulations.


This article is from a contribution and does not represent the views of BlockBeats.


