Special Edition on Security 02 | OKX Web3 & CertiK: MEME “Great Adventure” and Security “Truth or Dare”
Table of Contents
Playing MEME is an adventure
Q1: Real-life cases of MEME risks happening around us
Q2: Common risks when trading MEME on EVM and Solana networks
Q3: Dimensions or tools to preliminarily filter high-risk MEME projects
Q4: What limitations or risks exist in Launchpad platforms and DEX as early circulation places for MEME tokens?
Q5: Are Telegram bots a practical realization of intent-based interaction in crypto, and do they represent the direction future DEXs will take?
Q6: Security risks in high-frequency tools such as Telegram (TG) bots
Q7: Common operational mistakes and risk prevention when trading MEME
Rug pulls, Pixiu Disk (honeypot) tokens, getting dumped on, getting sandwiched… there are many traps ahead
I used to be an adventurer like you, until I took an arrow to the knee
This is the second special issue on security. We have invited the well-known security firm CertiK and the OKX Web3 Wallet Security Team to share, as a practical guide, the common security risks of on-chain MEME trading and how to guard against them, in the hope of helping MEME users.
CertiK Security Team: CertiK was founded by two professors from Yale University and Columbia University. It uses the most advanced formal verification technology, AI audit technology, and security expert manual audit to ensure the security of blockchain protocols and smart contracts. So far, CertiK has been recognized by more than 4,000 corporate clients, discovered nearly 70,000 code vulnerabilities, and protected over $400 billion in digital assets from loss.
OKX Web3 Wallet Security Team: Hello everyone, we are very happy to be able to share this time. The OKX Web3 Wallet Security Team is mainly responsible for the security capacity building of the OKX Web3 Wallet, providing multiple protection services such as product security, user security, and transaction security. While guarding the security of users’ wallets 24/7, we also contribute to maintaining the security ecology of the entire blockchain.
Q1: Real-life cases of MEME risks happening around us
OKX Web3 Wallet Security Team: There are various types of risk cases. We have selected several classic cases encountered by users when trading MEME:
Case 1: Pixiu Disk
User A saw a MEME with high discussion heat on Twitter and found the token address in the comments of the MEME tweet. After checking the transaction data of the MEME, User A found that it performed well and decided to buy it. As the price of the MEME continued to rise, User A wanted to sell and lock in profits but was unable to sell. After our team’s investigation, it was found that the MEME token was a Pixiu Disk, and User A’s address was blocked, so they were unable to sell.
Case 2: Malicious Rug Pull
User B often posts in a Telegram community and has been added as a contact by many group members. One day, a group member privately messaged User B to recommend a MEME project, claiming that the project was very hot and had great potential, and immediately provided the token address. User B was intrigued and checked the MEME token's liquidity on a data analysis tool, and found that the liquidity of the MEME token had been depleted and there were no whale holders. Therefore, User B believed that the MEME project was relatively reliable and made a purchase. However, the next day, User B suddenly discovered that the liquidity of the MEME project had been exhausted. After our team's investigation, it was found that the token was a malicious Rug Pull token with hidden minting logic that allowed a large amount of tokens to be issued.
Risk cases like these keep happening to MEME users. Through the following dialogue we hope to offer users some security reference. Nothing here constitutes investment advice; it is for learning and discussion only.
Q2: Common risks when trading MEME on EVM and Solana networks
CertiK Security Team: MEME risks can be divided into two categories: on-chain risk scenarios and general risks unrelated to blockchain technology.
Before introducing specific on-chain risk scenarios, let’s first introduce general risks, which mainly include low token issuance cost, easily manipulated token prices, highly centralized projects, high trading slippage and Rug Pull scams.
1. Low token issuance cost
Generally, the technical development behind a MEME project is minimal or even non-existent, which has led to the emergence of one-click token issuance tools like PandaTool. Because the development cost is so low, project insiders and early investors obtain tokens at a very low cost. Combined with the fact that MEME projects have no real fundamentals, once the market is no longer in a "FOMO" (Fear of Missing Out) state these low-cost tokens are quickly dumped, resulting in huge losses for later investors.
2. Easily manipulated token prices
MEME prices are easily manipulated. On the one hand, this is due to the lack of substantial technical support, intrinsic value, and low entry barriers, allowing anyone to easily create and issue MEME tokens. This leads to the proliferation of speculative coins in the market.
At the same time, MEME usually relies on social media and online popularity to drive its price, which can be easily manipulated by large holders or organized groups. These speculators can manipulate prices by buying or selling large amounts, creating false information and market noise, causing price volatility, attracting more retail investors to chase highs and lows, further exacerbating the possibility of price manipulation.
3. Highly centralized projects
MEME projects usually lack decentralized governance mechanisms, with decision-making power concentrated in a few developers and core teams, making project direction and management susceptible to personal interests and increasing risks for investors. Based on centralized decision-making, there may also be centralized control of token contracts and procedures, centralized token holdings, centralized liquidity control, and other centralized risks.
4. High trading slippage
MEME trading often incurs high slippage, mainly due to poor liquidity. The relatively few participants trading MEME in the market and insufficient trading volume result in large bid-ask spreads, increasing trading costs. In addition, MEME tokens with poor liquidity are prone to price volatility during large trades, further increasing trading risks and costs. When buying or selling, investors often need to bear higher slippage and greater price impact, leading to inefficient trading and increased transaction costs.
The second reason is attributed to the “transaction tax” mechanism. Many MEME projects charge a certain percentage of transaction tax in each transaction to incentivize investors to hold or support the project’s funds. However, this transaction tax increases trading costs, making frequent trading more expensive. With each buy or sell, traders have to pay additional fees, exacerbating trading slippage and reducing liquidity. When trading MEME, investors have to bear higher costs and risks.
5. Rug Pull scams
MEME is prone to Rug Pull scams due to its high degree of anonymity, lack of transparency, and regulation. Here are several common Rug Pull methods and their phenomena:
1) Liquidity Pull:
Method: The development team creates a liquidity pool on a decentralized exchange (DEX) and adds tokens and mainstream cryptocurrencies (such as ETH, USDT, etc.) to the pool. After attracting enough investors, the development team suddenly withdraws all liquidity, making the tokens untradable.
Phenomenon: Investors find that they cannot sell the tokens, and the token price quickly goes to zero. The liquidity pool shows almost no remaining funds.
2) Developer Dumping:
Method: The project team or early holders hold a large number of tokens and sell most or all of them in a short period, causing the price to plummet.
Phenomenon: Large sell orders appear in the transaction records, the token price drops sharply, market confidence collapses, and trading volume decreases rapidly.
3) Fake Projects:
Method: Scammers create a fake MEME project, fabricating false visions and roadmaps and attracting investors through social media and celebrity endorsements. Once they raise enough funds, they close the project and run away with the money.
Phenomenon: The project website and social media accounts suddenly disappear, the development team cannot be contacted, and the value of tokens in investors’ accounts rapidly depreciates.
4) Contract Exploits:
Method: The development team intentionally leaves backdoors or vulnerabilities in the smart contract, allowing them to manipulate the contract under specific conditions and steal investors’ funds.
Phenomenon: Token trading becomes abnormal or suddenly stops, investors cannot transfer or sell tokens, and a large amount of funds in the contract address are transferred to unknown accounts.
5) Fake Forks:
Method: Claiming to upgrade or fork the original token, requiring holders to exchange their old tokens for new ones, but actually collecting and taking possession of these old tokens.
Phenomenon: The old tokens become worthless, and the so-called new tokens cannot be traded on any exchange, and the project team disappears.
Next, let’s introduce the on-chain risks commonly seen when trading MEME on the EVM and Solana networks. To facilitate users’ direct comparison of the differences in risk types, we will share them in the form of a table.
Image Source: CertiK Security Team
OKX Web3 Wallet Security Team: EVM-based public chains and Solana are the preferred networks for users to trade MEME. They have different on-chain risk types, which are related to factors such as their token issuance mechanisms.
First, EVM-based public chains. Because token issuance on EVM-based chains is highly flexible and a token's logic is implemented by its developers, the common on-chain risks when trading MEME on EVM-based chains fall into two categories:
1) MEME with malicious logic
When a hot MEME appears on the market, various malicious tokens imitating that popular MEME emerge. These malicious tokens usually show good trading data, leading users to trade the malicious token by mistake and suffer losses. There are currently two main types of malicious tokens:
1. Pixiu Disk: Refers to tokens that can only be bought and not sold. These malicious tokens usually set a 100% tax rate or special transfer restriction logic, preventing users from selling the tokens.
2. Malicious Rug Pull tokens: Refers to tokens with hidden minting logic that allows for a large amount of token issuance. These malicious tokens increase their supply to deplete the token liquidity.
2) Malicious acts by project teams
The current malicious acts by project teams mainly include two types: malicious use of privileged functions and direct dumping.
1. Malicious use of privileged functions: Project teams use privileged functions such as the mint function to mint tokens and dump the market.
2. Direct dumping: Project teams directly dump tokens they hold.
Second, the Solana chain. It is worth noting that token issuance on the Solana network is done through fixed official channels. Therefore, when trading MEME on the Solana chain, the common on-chain risks mainly come from malicious acts by project teams.
1) Malicious use of privileged functions
Project teams use privileged functions: the mint authority to increase the token supply and dump on the market, or the freeze instruction to freeze user addresses, which achieves an effect similar to a Pixiu Disk and prevents users from selling.
2) Direct dumping
Project teams directly dump tokens they hold. It is worth noting that some malicious MEME project teams distribute tokens to avoid scrutiny of token concentration.
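Both Solana risks above (a retained mint authority and a retained freeze authority) are visible in the token's mint account itself, so a user can check them without trusting a third-party screener. The following is an added example written for this edition; it is not code from CertiK, OKX or the Solana project. It decodes the 82-byte SPL Token mint account layout (mint authority, supply, decimals, freeze authority) as returned by the `getAccountInfo` RPC method with base64 encoding, and raises the two flags discussed: mint authority still set (supply can be inflated and dumped) and freeze authority still set (holder accounts can be frozen, the Pixiu Disk effect). The `DEPLOYER` key and both mint images are constructed placeholders, `rpc_data_field` only reproduces the `[base64, "base64"]` data shape for an offline round trip, and the flag names are this example's own.

```python
import base64
import struct

# SPL Token "Mint" account layout (82 bytes, little-endian):
#   COption<Pubkey> mint_authority    u32 tag (0 = None, 1 = Some) + 32-byte key
#   u64 supply, u8 decimals, u8 is_initialized
#   COption<Pubkey> freeze_authority  u32 tag + 32-byte key
MINT_ACCOUNT_LEN = 82
MINT_STRUCT = struct.Struct("<I32sQBBI32s")
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin alphabet), the text form of Solana public keys."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))           # each leading zero byte encodes as '1'
    return (B58_ALPHABET[:1] * pad + bytes(reversed(digits))).decode()


def parse_mint_account(data: bytes) -> dict:
    """Decode a raw mint account; rejects anything that is not a plain 82-byte SPL Token mint."""
    if len(data) != MINT_ACCOUNT_LEN:
        raise ValueError(f"expected {MINT_ACCOUNT_LEN}-byte mint account, got {len(data)} bytes")
    ma_tag, ma_key, supply, decimals, initialized, fa_tag, fa_key = MINT_STRUCT.unpack(data)
    if ma_tag not in (0, 1) or fa_tag not in (0, 1) or initialized != 1:
        raise ValueError("malformed or uninitialized mint account")
    return {
        "mint_authority": b58encode(ma_key) if ma_tag == 1 else None,
        "freeze_authority": b58encode(fa_key) if fa_tag == 1 else None,
        "supply": supply,
        "decimals": decimals,
    }


def parse_rpc_account_data(data_field) -> dict:
    """getAccountInfo(encoding="base64") returns value.data as [<base64 string>, "base64"]."""
    encoded, encoding = data_field
    if encoding != "base64":
        raise ValueError(f"unsupported account data encoding {encoding!r}")
    return parse_mint_account(base64.b64decode(encoded))


def assess_mint_risks(mint: dict) -> list:
    """Flags a preliminary screen raises from the mint account alone."""
    flags = []
    if mint["mint_authority"] is not None:
        flags.append("MINT_AUTHORITY_SET: supply can still be inflated and dumped")
    if mint["freeze_authority"] is not None:
        flags.append("FREEZE_AUTHORITY_SET: holders' token accounts can be frozen (cannot sell)")
    return flags


# --- constructed offline samples (placeholder key, not a real token or wallet) ---
def constructed_mint(mint_auth, freeze_auth, supply: int, decimals: int = 6) -> bytes:
    """Build an 82-byte mint account image as the chain would store it."""
    return MINT_STRUCT.pack(1 if mint_auth else 0, mint_auth or bytes(32),
                            supply, decimals, 1,
                            1 if freeze_auth else 0, freeze_auth or bytes(32))


def rpc_data_field(raw: bytes) -> list:
    """Wrap raw bytes the way the RPC returns them, for an offline round trip."""
    return [base64.b64encode(raw).decode(), "base64"]


DEPLOYER = bytes(range(1, 33))                           # placeholder 32-byte public key
RENOUNCED_MINT = constructed_mint(None, None, 1_000_000_000 * 10**6)
RISKY_MINT = constructed_mint(DEPLOYER, DEPLOYER, 1_000_000_000 * 10**6)

if __name__ == "__main__":
    for name, raw in (("renounced", RENOUNCED_MINT), ("deployer keeps authorities", RISKY_MINT)):
        info = parse_mint_account(raw)
        print(name, info, assess_mint_risks(info) or ["no authority flags"])
```

On a live node the raw bytes come from `getAccountInfo` on the mint address with `"encoding": "base64"` (also confirm the account's `owner` is the SPL Token program). Two caveats: a renounced mint authority says nothing about tokens already minted to the deployer, which is the direct-dumping case above, and Token-2022 mints are longer than 82 bytes because of extensions (transfer fee, transfer hook, permanent delegate) that can reproduce tax and Pixiu behaviour and need their own checks; this parser deliberately rejects them rather than misreading them.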
Q3: Dimensions or tools to preliminarily filter high-risk MEME projects
CertiK Security Team: This does not constitute any investment advice. We are just introducing several tools we commonly use, which cannot filter risks 100%, but only provide references for users to preliminarily judge the high-risk nature of a MEME project.
1) dune.com: A data analysis platform that allows custom queries to analyze and monitor on-chain data of tokens. It is flexible but relatively complex to use, requiring a certain learning curve.
2) Dextools.io: A token information integration platform that provides basic information about tokens, such as market cap, liquidity, number of holders, token distribution, etc. It also allows for some simple security risk screening.
3) Skyknight MemeScan: A new platform launched by CertiK, providing solutions for evaluating the security status of MEME. The platform provides real-time insights and on-chain behavior analysis, including contract minting analysis, transaction control detection, ownership concentration analysis, liquidity control evaluation, and more.
OKX Web3 Wallet Security Team: There is no way to filter risks 100%, but from the perspectives of token security and project health we offer users several dimensions for preliminarily filtering out extremely high-risk MEME projects. Note that users should not judge a project's safety solely on the dimensions below.
1) Smart Contract Security: Source-code-level security issues can be checked with auxiliary tools, which look for malicious logic in the project code and identify vulnerabilities in the code itself. In addition, the contract's permission controls need to be evaluated to ensure the owner's privileges are not excessive, so that tokens cannot be minted or burned arbitrarily.
2) Token Distribution and Holder Distribution: The distribution of token holders can be viewed through blockchain browsers to avoid projects with overly concentrated token holdings, as these projects are prone to manipulation and have a higher risk of rugpull.
3) Liquidity and Trading Activity: Observe the trading volume and price volatility of tokens. Low trading volume and high volatility may indicate project instability or manipulation risk.
4) Community and Development Team Activity: Whether the project team is transparent, including the background, experience, and social media activities of team members.
Currently, the OKX Web3 wallet also provides users with the ability to filter risky tokens, filtering out tokens that could potentially harm users in terms of code security and transaction security, and providing users with a secure trading experience while providing token information from various dimensions.
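Two of the dimensions above, the "auxiliary tools" that look for malicious transfer logic (1) and the holder-distribution check (2), together with the Pixiu Disk and tax mechanics described in the Q2 answer, can be made concrete with a small simulator. The following is an added example written for this edition; it is not code from OKX, CertiK or any real token. It models a constant-product token/ETH pair whose token contract can apply buy/sell taxes or blacklist an address, dry-runs a buy followed by a sell the way on-chain honeypot checkers do with `eth_call`, measures the effective taxes by comparing the real outcome against a tax-free quote on the same reserves, and then scores holder concentration excluding the pair and burn addresses. All addresses, balances, reserves and the 10%/20%/50% thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

BPS = 10_000        # basis-point denominator for taxes and fees
LP_FEE_BPS = 30     # UniswapV2-style 0.3% swap fee
ETH = 10**18        # wei per ETH; the sample token also uses 18 decimals
BURN_ADDRESSES = {"0x0000000000000000000000000000000000000000",
                  "0x000000000000000000000000000000000000dEaD"}


class TransferBlocked(Exception):
    """Stands in for the revert a malicious token contract raises on a transfer."""


@dataclass
class TokenRules:
    """Transfer-time behaviour a token contract can impose; a Pixiu Disk abuses these knobs."""
    buy_tax_bps: int = 0
    sell_tax_bps: int = 0
    blacklist: Set[str] = field(default_factory=set)
    sells_enabled: bool = True


@dataclass
class Pool:
    """Constant-product token/ETH pair; reserves in base units."""
    reserve_token: int
    reserve_eth: int

    @staticmethod
    def amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
        with_fee = amount_in * (BPS - LP_FEE_BPS)
        return with_fee * reserve_out // (reserve_in * BPS + with_fee)

    def buy(self, eth_in: int, rules: TokenRules) -> tuple:
        """ETH -> tokens. Returns (tokens the pair pays out, tokens credited after buy tax)."""
        paid_out = self.amount_out(eth_in, self.reserve_eth, self.reserve_token)
        self.reserve_eth += eth_in
        self.reserve_token -= paid_out
        return paid_out, paid_out - paid_out * rules.buy_tax_bps // BPS

    def sell(self, tokens_in: int, rules: TokenRules, seller: str) -> tuple:
        """Tokens -> ETH. The token contract may revert the seller -> pair transfer or skim a
        sell tax, so the pair prices only what it received. Returns (tax-free quote, real ETH)."""
        if seller in rules.blacklist or not rules.sells_enabled:
            raise TransferBlocked("transfer reverted by token contract")
        delivered = tokens_in - tokens_in * rules.sell_tax_bps // BPS
        quoted = self.amount_out(tokens_in, self.reserve_token, self.reserve_eth)
        eth_out = self.amount_out(delivered, self.reserve_token, self.reserve_eth)
        self.reserve_token += delivered
        self.reserve_eth -= eth_out
        return quoted, eth_out


def simulate_round_trip(pool: Pool, rules: TokenRules, eth_in: int, trader: str = "0xTRADER") -> dict:
    """Dry-run buy-then-sell (what honeypot checkers do via eth_call) and report effective taxes."""
    p = Pool(pool.reserve_token, pool.reserve_eth)      # work on a copy, never the caller's pool
    paid_out, credited = p.buy(eth_in, rules)
    if paid_out == 0:
        raise ValueError("probe amount too small for this pool")
    result = {"buy_tax": 1 - credited / paid_out, "sell_tax": None, "can_sell": False}
    if credited == 0:                                   # 100% buy tax: nothing to sell back
        return result
    try:
        quoted, eth_out = p.sell(credited, rules, trader)
    except TransferBlocked:
        return result
    result.update(can_sell=True, sell_tax=1 - eth_out / quoted if quoted else 1.0)
    return result


def holder_concentration(balances: Dict[str, int], exclude: Set[str]) -> dict:
    """Top-1 / top-10 share of circulating supply, ignoring burn addresses and `exclude`."""
    ranked = sorted((b for a, b in balances.items()
                     if a not in exclude and a not in BURN_ADDRESSES and b > 0), reverse=True)
    total = sum(ranked)
    if total == 0:
        return {"holders": 0, "top1_share": 0.0, "top10_share": 0.0}
    return {"holders": len(ranked), "top1_share": ranked[0] / total,
            "top10_share": sum(ranked[:10]) / total}


def screen_token(pool: Pool, rules: TokenRules, balances: Dict[str, int], pair: str) -> list:
    """Preliminary screen. The 10%/20%/50% thresholds are this example's assumptions."""
    flags = []
    trip = simulate_round_trip(pool, rules, ETH // 10)  # probe with 0.1 ETH
    if not trip["can_sell"] or trip["sell_tax"] >= 0.99:
        flags.append("PIXIU: tokens cannot be sold back in simulation")
    elif trip["sell_tax"] > 0.10:
        flags.append(f"HIGH_SELL_TAX: {trip['sell_tax']:.0%}")
    if trip["buy_tax"] > 0.10:
        flags.append(f"HIGH_BUY_TAX: {trip['buy_tax']:.0%}")
    conc = holder_concentration(balances, {pair})
    if conc["top1_share"] > 0.20:
        flags.append(f"WHALE: top holder owns {conc['top1_share']:.0%} of circulating supply")
    if conc["top10_share"] > 0.50:
        flags.append(f"CONCENTRATED: top 10 holders own {conc['top10_share']:.0%}")
    return flags


# Constructed sample data (placeholder addresses; not real contracts, wallets or reserves).
PAIR, DEPLOYER = "0xPAIR", "0xDEPLOYER"
POOL = Pool(reserve_token=800_000_000 * ETH, reserve_eth=10 * ETH)
CLEAN_HOLDERS = {PAIR: 800_000_000 * ETH, DEPLOYER: 20_000_000 * ETH,
                 **{f"0xRETAIL{i:02d}": 5_000_000 * ETH for i in range(36)}}
RISKY_HOLDERS = {PAIR: 800_000_000 * ETH, DEPLOYER: 150_000_000 * ETH,
                 **{f"0xRETAIL{i:02d}": 5_000_000 * ETH for i in range(10)}}
CLEAN_RULES = TokenRules()
PIXIU_RULES = TokenRules(sell_tax_bps=10_000)           # 100% sell tax: the classic Pixiu Disk
BLACKLIST_RULES = TokenRules(blacklist={"0xTRADER"})    # per-address block, as in Case 1 above

if __name__ == "__main__":
    for name, rules, holders in (("clean", CLEAN_RULES, CLEAN_HOLDERS),
                                 ("pixiu", PIXIU_RULES, RISKY_HOLDERS),
                                 ("blacklist", BLACKLIST_RULES, CLEAN_HOLDERS)):
        print(name, screen_token(POOL, rules, holders, PAIR) or ["no flags"])
```

On a real chain the dry run is an `eth_call` of the router's swap functions from the prospective buyer's address, and the tax-free quote comes from the router's `getAmountsOut`; the comparison is the same. The limits are also the same as for any screener: a token that enables its trap only after a block height or holder count, or only for addresses other than the probe address, passes this check, which is why the answer above stresses that no single dimension proves a token is safe.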
Q4: What limitations or risks exist in Launchpad platforms and DEX as early circulation places for MEME tokens?
CertiK Security Team: First, the Launchpad platform and DEX must have strong technical support to deal with the trading response speed and trading scale of MEME projects. In addition, liquidity is also crucial, and relevant platforms need to monitor any events that may affect liquidity security. Finally, for compliance risks related to MEME, platform operators must understand and implement relevant regulatory policies and requirements to reduce potential legal risks.
OKX Web3 Wallet Security Team: Next, we will introduce the limitations or risks of the Launchpad platform and DEX separately.
For the Launchpad platform, there are mainly three points:
First, the quality of projects launched on the platform varies. Although some Launchpad platforms conduct reviews and due diligence, they may still fail to fully identify high-risk or low-quality projects.
Second, fund management risk. Launchpad platforms usually manage a large amount of user funds. If these funds are mismanaged or maliciously misappropriated, it may result in user fund losses. In addition, the platform may lack sufficient safeguards to protect user fund security.
Third, market manipulation. Project parties or large fund players may manipulate prices after the Launchpad launch, causing significant market fluctuations and affecting retail investors.
For DEX, there are more limitations:
First, insufficient liquidity. Newly listed MEME tokens usually have poor liquidity on DEX, which can easily lead to large slippage and price volatility.
Second, smart contract vulnerabilities. DEX relies on smart contracts for trading, and if these contracts have vulnerabilities, they can be exploited by hackers, resulting in fund losses.
Third, high transaction fees, especially on networks like Ethereum, where transaction fees (Gas fees) can be very high, affecting the cost-effectiveness of small traders.
Fourth, malicious project parties. Anyone can deploy tokens and list them on DEX for trading. Some project parties may intentionally leave backdoor functions in the contracts, allowing them to manipulate token balances or prevent users from selling tokens.
Fifth, user experience issues. DEX operations are relatively complex for ordinary users, involving wallet connections, Gas fee settings, etc., and may not provide as good a user experience as centralized exchanges (CEX) for entry-level users.
Q5: Are Telegram bots a practical realization of intent-based interaction in crypto, and do they represent the direction future DEXs will take?
CertiK Security Team: Telegram bots can significantly lower the threshold for trading and automate some steps in trading, making it more convenient for non-professionals to engage in cryptocurrency trading. However, the specific security risks of these bots must be paid special attention to. It is recommended to conduct comprehensive security due diligence on any third-party dApp that interacts with wallets to ensure its security.
OKX Web3 Wallet Security Team: Telegram bots demonstrate the great potential of intent-based interaction in the field of cryptocurrency. This trend is expected to drive the future development of decentralized exchanges (DEX) through optimizing user experience, enhancing trading convenience and security, expanding the financial service ecosystem, and technological innovation.
1) Enhancing User Experience
Simplified operations: Telegram bots enable users to trade through simple chat commands using natural language processing, simplifying complex operational processes.
Automated trading: Users can set up automated trading rules, such as stop-loss and take-profit points, reducing the risks and time costs of manual operations.
2) Enhancing Decentralized Trading
Seamless integration: Bots integrate with DEX through API interfaces, hiding complex trading operations and reducing users’ learning costs.
Real-time operations: Bots can monitor market dynamics in real-time and notify users immediately, enabling them to make quick trading decisions and execute trades.
3) Improving Security
Smart contracts: Bots utilize smart contracts to ensure transaction transparency and security, reducing the possibilities of human intervention and fraud.
Decentralization: While bots may be centralized, actual transactions take place in a decentralized environment, increasing transaction security and transparency.
4) Expanding the Ecosystem
Multi-functional platforms: Telegram bots are not limited to trading but can also expand to financial services such as asset management, lending, and staking, providing all-in-one financial solutions.
Enhancing community interaction: Bots can facilitate user communication and community building through the Telegram platform, increasing user engagement.
5) Technology and Market Driven
Driving innovation: Advances in artificial intelligence and blockchain technology will make bots smarter and more efficient, driving the emergence of more decentralized applications and services.
Market acceptance: User demand for simplified and automated services is increasing, driving more DEX to adopt bot services to enhance competitiveness.
Q6: Security risks in high-frequency tools such as Telegram (TG) bots
CertiK Security Team: With the development of the cryptocurrency market, Telegram bots have become increasingly common in trading and information retrieval. However, these frequently used tools also bring significant security risks. Users should pay special attention to the following aspects when using them.
First, many Telegram bots have not undergone security audits or had their code publicly reviewed, and may contain malicious code or vulnerabilities. Such malicious bots may steal users' private keys, identity information, or other sensitive data. In addition, malicious bots may disguise themselves as legitimate services and induce users to enter their private keys or mnemonic phrases through phishing attacks, leading to fund theft. Therefore, users should ensure that they only use officially recommended or verified bots and avoid clicking on unfamiliar links or entering sensitive information.
Second, some bots may require excessive permissions, such as accessing users’ contacts, files, or other sensitive information. Users should be cautious about granting permissions and ensure that bots only obtain the minimum permissions necessary for their proper operation. At the same time, communication between bots and Telegram servers may be intercepted by man-in-the-middle attacks, leading to data leaks or tampering. Users should ensure the use of bots with encrypted communication and check the implementation of their security communication protocols.
Third, many Telegram bots provide automated trading functions, but if the trading logic of these bots has vulnerabilities, it may result in serious financial losses. Users should conduct thorough testing before using such functions and monitor trading behavior to prevent abnormal situations. In addition, bot developers may collect and store a large amount of user data, and once this data is leaked or abused, user privacy will be seriously threatened. Users should choose bots with good reputation and privacy policies and regularly check their privacy protection measures.
Finally, excessive reliance on certain bots for trading or asset management may leave users unable to operate normally if the bot service is interrupted or discontinued. Therefore, users should avoid relying on a single bot and prepare backup plans. By understanding and guarding against these risks, users can use Telegram bots more safely and protect their assets and privacy.
OKX Web3 Wallet Security Team: Telegram bots and similar bots provide convenient services but also bring great risks. Next, we will give examples to illustrate.
First, the risk of centralized custody of private keys. Most Telegram bots require users to entrust their private keys for active signing and transaction sending. This means that users’ private keys are stored on third-party servers, increasing the risk of theft or abuse.
Second, phishing risks. Phishing links sent through Telegram bots may induce users to click on them, leading to the theft of account information or private keys. In addition, artificial inducement in chat windows (such as impersonating customer service) may deceive users into providing their mnemonic phrases or other sensitive information.
Third, Trojan risks. Some bots may infect users’ devices through the sending of malicious software (Trojans) or malicious SDKs, endangering the security of the entire system.
In conclusion, when using various bots, users need to stay discerning, avoid clicking on unfamiliar links, and never leak their private keys.
Q7: Common operational mistakes and risk prevention when trading MEME
CertiK Security Team: First, for any dApp that interacts with your wallet, including trading platforms and Telegram bots, users should conduct security due diligence. Choosing dApps that have undergone security audits can reduce the risk of attacks during operations and ensure the security of private keys and identity information. Currently, CertiK helps users reduce risks by providing penetration testing services for dApps.
Second, MEME trading depends heavily on trading response speed and frequency, so it is important to choose a stable platform with reasonable trading fees. When trading, it is advisable to choose platforms that are secure, stable, fast, and have lower trading fees to obtain a better trading experience. For example, the MemeScan platform launched by CertiK provides real-time security status information, including on-chain behavioral analysis of MEME, such as whether the contract can mint new coins, whether transactions can be paused or restricted, and whether a few addresses control most of the tokens or liquidity, which can help users trade more securely.
OKX Web3 Wallet Security Team: When considering security, users need to be aware of safe operations and risk prevention when conducting MEME transactions to ensure the accuracy and security of transactions.
First, choose the correct trading platform. Users should choose reputable and secure cryptocurrency exchanges and try to avoid using unverified or unknown trading platforms, which may pose a risk of asset theft. For on-chain transactions, verify the official website of the project and the correctness of the contract.
Second, enable higher security authentication methods. To enhance security, users can enable two-factor authentication in all trading platforms and wallets, using Google Authenticator or other secure applications. It is advisable to avoid using SMS verification, as it is susceptible to SIM card swapping attacks.
Third, use wallets with high security. Users should use verified wallets for transactions and ensure secure backups of mnemonic phrases or private keys stored in a safe place, avoiding electronic backups. Failure to back up private keys or mnemonic phrases will result in the inability to recover assets if the device is lost or damaged.
Fourth, guard against phishing attacks. Users need to verify the URLs used for transactions to ensure they are official links. When encountering problems, make sure you are dealing with official customer service and ignore private messages on Telegram, Discord, etc. Never click unfamiliar links, never sign a message without understanding its content, and never disclose private keys.
Fifth, maintain a secure network environment. Users should conduct operations on trusted operating systems and try to avoid using public wireless networks.
Finally, thank you for reading the second issue of the “Security Special” column in the OKX Web3 wallet. We are currently busy preparing the content for the third issue, which will include real cases, risk identification, and secure operation tips. Stay tuned!
Disclaimer:
This article is for reference only. This article does not intend to provide (i) investment advice or investment recommendations; (ii) solicitations or offers to buy, sell, or hold digital assets; or (iii) financial, accounting, legal, or tax advice. Holding digital assets (including stablecoins and NFTs) involves high risks and may experience significant volatility or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. Please be responsible for understanding and complying with relevant local laws and regulations.