
In-Depth Dialogue: How to Prevent Security Risks in On-Chain Transactions? Exchange Listing Evaluation Criteria and Project Risk Identification
TechFlow Selected

This conversation jointly explored exchange listing risk assessment, on-chain security issues, and how investors can protect their assets.
We invited Tommy, a researcher from Bitget, and Lisa, Operations Lead at SlowMist Security Team, to discuss exchange listing risk assessments, on-chain security issues, and how investors can protect their assets. The two guests shared insights on evaluating new projects, monitoring already-listed tokens, and responding to hacking incidents. They also explored current security risks that investors and institutions should be aware of in the crypto market, as well as how to leverage new tools to enhance security.
Opening Introduction
Tommy:
Hello everyone, I'm a researcher at Bitget, where I've worked for two and a half years. When we started, Bitget had only two or three hundred employees, primarily focused on derivatives and copy trading. Today, our futures products hold nearly 27% market share, with over 30 million monthly visits. We’ve evolved into a full-ecosystem cryptocurrency exchange, serving more than 25 million registered users across over 100 countries and regions.
In my two-plus years here, aside from organizing sharing sessions for VIP clients, I’ve rarely created PowerPoint presentations. Our team emphasizes efficiency and results over formalities and bureaucratic reporting. Our research team is diverse—featuring top talent skilled in designing and implementing DeFi products, as well as experts with deep experience in on-chain data analysis.
Lisa:
Hi everyone, I’m Lisa, Operations Lead at SlowMist. SlowMist is an industry-leading blockchain security company with extensive expertise in both on-chain and off-chain security, along with years of accumulated threat intelligence. We provide integrated, tailored security solutions—from threat detection to defense—including services such as smart contract audits and anti-money laundering (AML) transaction tracing. The name "SlowMist" comes from the sci-fi novel *The Three-Body Problem*, where the “Slow Zone” represents a safe area—an analogy for SlowMist being a secure haven within blockchain’s dangerous “dark forest.” We’ve also built a white-hat community called the “SlowMist Zone,” which currently has over 300,000 participants.
How do you conduct risk assessment before listing a token? Are evaluation strategies different for emerging versus well-known projects?
Tommy:
At Bitget, listing risk assessment is led by our Research Institute, supported by audit and risk control teams. First, we thoroughly review the project's sector, team background, and investor history. Projects touching our red lines—such as involvement in gambling, pornography, drugs, or political sensitivity—are immediately rejected. We also reject projects under SEC investigation or with negative reputations. For example, Pulsechain (PLS) was highly popular pre-TGE but due to its legal disputes with the SEC and poor public sentiment, we temporarily declined cooperation.
Secondly, we assess the project’s tokenomics, FDV at launch, and initial circulating market cap. If these values are excessively high, we may reject the listing or request adjustments. Tokens with inflated valuations but low potential often leave retail investors holding the bag. Recently, we’ve seen several well-funded VC coins drop 90% after launch—such tokens will be avoided going forward. Still, predicting a project’s future performance accurately is impossible; we aim only to minimize trader losses through structured methodology.
For non-first listings—especially recently listed Memecoins—we pay special attention to contract risks, concentration of holdings, and whether LP pools are locked. With emerging projects, we remain cautious yet open to innovation. For instance, UNIBOT was one of the first projects listed on Bitget. Initially, its contract design included modifiable trading fees and black/white list mechanisms, posing certain risks. However, after analyzing Unibot’s revenue model, our research team concluded it had sustainable development potential and no incentive to rug pull. We confidently listed it, delivering solid returns for traders. Another example is ORDI—we recognized BRC-20’s innovation could reinvigorate the Bitcoin ecosystem and gain miner support.
How do you evaluate VC-backed coins versus community-driven coins? What are the differences between them?
Tommy:
From a business perspective, Bitget’s core goal is to offer users diverse asset options and investment opportunities under manageable risk. Some VC coins generate significant buzz at TGE, but upon evaluation, their concepts or tokenomic designs fail to justify their FDV. Yet, not listing them might draw user criticism—especially when retail and major clients expect us to provide access. Whether users buy them is their choice; we simply need to offer the option. For higher-market-cap tokens, we typically introduce perpetual contracts on the day of or the day after listing, allowing long and short positions.
Internally, flagship projects with massive traffic and huge upside potential receive S-tier status. Projects with strong traction and reputable backers but weaker product fundamentals or mediocre community engagement are downgraded to A-tier. While A-tier projects don’t get aggressive promotion like S-tier ones, they’re still deemed worthy of listing from an exchange standpoint.
How do you continuously monitor a project’s performance and risks post-listing?
Lisa:
Compared to comprehensive public chain audits or full smart contract reviews, during exchange listing evaluations, SlowMist focuses more on asset-specific security threats. Technical soundness is paramount. We examine source code security and ensure ongoing maintenance and updates. For example, we verify randomness sources for private key generation, ensuring cryptographically secure random number generators are used. We also validate cryptographic algorithms—confirming they're industry-reviewed and components are mature and reliable. Economic model risks, such as pyramid schemes or death spirals, are equally important. Team-related risks matter too—particularly whether special admin privileges exist or if tokens are overly centralized, increasing rug-pull or dump risks.
Exchanges are common hacker targets. Servers are usually placed behind firewalls, and core fund management systems are often air-gapped. However, because blockchain systems demand strict data integrity, malicious transactions can sometimes bypass perimeter defenses, leading to fake deposit attacks. Common fake deposit tactics include counterfeit coins—especially when exchanges have flaws in their logic for validating transfers of certain cryptocurrencies. Attackers craft fake deposit transactions that trick the exchange into crediting user accounts. Another method exploits Bitcoin’s Replace-by-Fee (RBF) feature: attackers replace earlier transactions with higher-fee versions, causing exchanges to misidentify confirmations and suffer financial loss.
It should be clarified that fake deposit attacks aren't blockchain vulnerabilities per se—they exploit specific features of blockchains to create malicious transaction patterns. To prevent such attacks, manual review processes help, especially for large or high-risk transactions. Additionally, securing external API interfaces through authentication and regular audits prevents unauthorized access and mitigates potential vulnerabilities.
Tommy:
Once a project is live, market reactions become faster. Internally, we immediately assess whether emergency delisting is necessary and take steps to protect users. We continuously monitor all listed tokens’ performance. Recently, we’ve intensified this oversight, and in the future, we may see more ST (Special Treatment) tokens.
If ST-listed tokens fail to improve fundamentals or liquidity within a set timeframe, we’ll consider delisting. Many projects perform poorly post-launch, and teams may abandon development—leading to deteriorating market depth. New users face large slippage when buying or selling, severely impacting user experience. We’re actively addressing this issue.
To mitigate token risks, most of our work happens pre-listing. During the first wave of Meme coin hype, Bitget rejected many high-risk meme tokens—for example, those with unfair distribution models, excessive team allocations, or falsified on-chain holder data. Even when projects offered listing fees, we refused to list them.
What typical on-chain security incidents has SlowMist handled?
Lisa:
Since inception, SlowMist has responded to numerous on-chain security incidents. Let me share two types: one involving project-level hacks, and another concerning individual user thefts.
The first is the 2021 Poly Network incident—one of the largest attacks at the time, involving $610 million. Around 8 PM, Poly Network announced they were under attack. By 9 PM, Tether froze part of the stolen USDT on the hacker’s address. Around 11 PM, we identified partial identity information and IP addresses linked to the attacker and began tracking fund flows. The next afternoon, the hacker began returning funds. This event was a milestone for SlowMist. From it, we developed a comprehensive emergency response and defense protocol—including rapid reaction and on-chain AML tracking—to minimize losses and lock down assets.
The second type involves personal account theft. In February this year, a user contacted us after being hacked. The attacker impersonated a journalist from a well-known media outlet, luring the victim into clicking a link embedded with malicious scripts, ultimately stealing account access and funds. After discovering the theft, the user reached out to us and publicly shared their story. We traced the stolen funds to an exchange and immediately coordinated with them to freeze the relevant account. Although legal proceedings were complex, after three-and-a-half months, the victim successfully recovered their assets. This marked the first case in Taiwan’s judicial history where authorities froze and returned funds without knowing the suspect’s identity—using forensic analysis and wallet ownership proof.
From these cases, I’d like to share some lessons. If you’re hacked, act quickly to limit damage and assess recovery options. Cancel authorizations if compromised; transfer remaining assets immediately if your private keys or seed phrase are exposed; if your PC is infected with malware, disconnect from the internet but don’t shut down—this preserves evidence for forensics. Change passwords stored on your device across platforms and switch wallets. Document the timeline and details of the incident, seek help from third-party security teams, and ask law enforcement for assistance once a report is filed. These steps are crucial for protecting your digital assets.
How can you determine whether a token contract or interaction is safe?
Lisa:
The simplest way is to check the code. But for non-technical users or beginners, learning about classic phishing and scam cases helps identify red flags and stay alert. Watch out for traps—like fake tokens that allow buying but not selling. Be wary of promises of extremely high returns, which usually come with high risk. Evaluate whether the team is transparent and includes known figures—this reduces the likelihood of encountering scams or exit scams. Also, verify whether the code has undergone professional security audits. It’s advisable to participate primarily in established projects—even if attacked, they often have compensation plans, offering better asset protection.
Tommy:
I think most retail users lack the ability or time to audit code themselves. The easiest approach is using trusted third-party tools like GoPlus, which supports many chains—especially EVM-compatible ones. Solana users can try RugCheck and gmgn ai to assess token risks. When trading on-chain, beware of tokens without published contracts or those reserving rights to modify trading taxes. Such permissions enable bad actors—for instance, raising sell tax to 99% or even 100% after a surge in capital inflow. That’s a common scam.
Additionally, non-custodial wallets like Bitget Wallet now include built-in risk alerts, warning users before interacting with high-risk tokens—very beginner-friendly. For those participating in DeFi yield farming, beyond well-known protocols, I also look at TVL. If a project’s TVL exceeds $50 million, I might consider joining—but check whether this comes from broad participation or just one or two large wallets. Large pools with tens of millions in TVL tend to resolve moral hazard issues more effectively even if problems arise.
What are your safety recommendations for retail and institutional users regarding on-chain operations?
Tommy:
For retail users, my advice is: First, always double-check website URLs for authenticity. Second, avoid unlimited token approvals and promptly revoke authorizations for small or lesser-known projects. If you’re not engaging in DeFi, consider using centralized exchanges with proof-of-reserves for simple wealth management. For Bitcoin holders, hardware wallets are a solid choice.
For institutional users, who generally understand security better, I still recommend using multi-signature wallets and enforcing strict permission controls. In case of a security incident, respond promptly—don’t ignore early warning signs, as minor issues can escalate. Hiring dedicated security professionals for audits and assessments is critical, including working with security firms to conduct penetration testing.
Lisa:
When discussing on-chain operations, wallet security is fundamental. Wallet breaches fall into three main categories: stolen private keys or seed phrases, phishing via signature authorization, and tampered destination addresses during transfers.
To prevent key/seed theft, avoid fake wallets. Many users download apps through search engine ads or third-party sites, exposing themselves to seed phrase theft. Malicious browser extensions can also steal authentication credentials and sensitive data. Only install extensions from trusted sources, use separate browsers for browsing and transaction signing, and regularly scan devices with antivirus software.
Phishing often occurs via blind signing—approving transactions without understanding the content. Users often assume offline signatures don’t go on-chain and cost no gas, so they lower their guard—only to lose funds. The traces of such fraudulent authorizations appear only in the attacker’s address, making detection difficult for victims.
The core of preventing on-chain risks lies in domain verification and signature clarity. Aim for “what you see is what you sign”—never blindly sign. If you don’t understand what you’re signing, abort the operation. Installing antivirus software, enabling two-factor authentication (2FA), and avoiding suspicious links further strengthen account security. Finally, learn from real cases to build awareness. Don’t act impulsively based on emotion—when in doubt, verify multiple times. I highly recommend reading *Self-Defense Manual for the Blockchain Dark Forest* by Yu Xian, founder of SlowMist.
What are common security risks in Memecoin trading?
Tommy:
For presale Memecoins, many traders rush in at launch using bots, custom scripts, or platforms like gmgn ai for sniping. However, project teams may delay launches for various reasons, leading many to accidentally buy fake tokens. These counterfeits often share the same ticker symbol and logo. By the time the real token launches, there may already be four or five fake versions ready to rug pull. Therefore, when joining high-hype presales, wait until the official contract is confirmed by the team—otherwise, fraud is likely.
Currently, standard expectations for Memecoins include renounced contract ownership, distributed holdings, and burned LP tokens. Meme traders are very strict about this—if insider pre-buying is suspected, others quickly lose interest.
Beyond these basics, I believe LP liquidity should be at least $300,000–$500,000 as a minimum threshold. Small pools carry extremely high rug risks and limited profit potential. Also, FDV at TGE shouldn’t be too high. If a Memecoin shows low on-chain volume and minimal social media discussion but boasts an FDV in the tens of millions, that’s highly suspicious.
Moreover, many Memecoin developers release not just one, but multiple tokens. If a developer previously launched several rug-pull Memecoins, the likelihood of repeating the pattern is high. Stay cautious with new projects from such developers.
Lisa:
Trading Memecoins on Ethereum vs. Solana involves different on-chain risks. On EVM chains, token creation is highly flexible—the logic is fully implemented by developers. On Solana, however, tokens are issued through official channels, resulting in differing risk profiles.
Common risks include malicious tokens and rug pulls. Some Memecoins gain popularity online, but users find they can’t sell—their addresses are blacklisted. These tokens enforce special transfer restrictions, trapping user funds. Other rug-pull tokens contain backdoor functions allowing unlimited minting or freezing user balances through privileged admin controls.
What new technologies and tools can help improve on-chain security?
Lisa:
Earlier, we mentioned Scam Sniffer—a highly effective anti-phishing browser extension that I personally use. Their authorization management tool is also recommended. Revoke.Cash is another classic tool for checking and revoking token approvals. Also, traditional antivirus software like AVG and Kaspersky remain reliable choices.
Besides authorization and phishing blockers, GoPlus is an excellent tool for detecting honeypot scams—I strongly recommend it. There are also device-level tools such as 1Password, a well-known password manager, and 2FA authenticators. Though backups are essential to avoid losing access, their security far surpasses single-factor logins.
I’d also highlight SlowMist’s MistTrack AML tracking system. We’ve released a Black U Detection Tool based on MistTrack—users can input an address to receive a risk score, helping identify and avoid money laundering exposure.
While these tools enhance security, none guarantee absolute safety. New versions may introduce bugs or even backdoors. So, I encourage independent thinking, practicing zero-trust principles, and continuous verification. Remember: there’s no such thing as perfect security—this mindset is vital.
Where else does the crypto industry need stronger security measures?
Lisa:
Security cannot be overlooked in crypto—one mistake can lead to million-dollar losses, crippling projects or bankrupting individuals. Every sector faces hacking threats. Due to the “security bucket effect,” overall resilience depends on the weakest link—whether users, project teams, or supply chains. No component can afford a security gap, as any single failure breaks the entire security loop. A combined approach of technical and human defenses is needed for systematic protection.
First, user awareness must improve. SlowMist offers a theft/fraud reporting form—users who’ve been scammed can submit details and receive free fund tracking and community-based risk assessment. From these reports, we’ve found many users lack basic security knowledge. They often ignore warnings and alerts, driven by FOMO, and remain unaware of common attack vectors.
Both project teams and individual users should understand prevalent attack methods and establish emergency response plans to quickly identify and contain issues when losses occur. At SlowMist, we spread security knowledge via *Self-Defense Manual for the Blockchain Dark Forest* and Twitter outreach, but many users focus solely on profits rather than learning about security. All stakeholders must collaborate to better safeguard user funds.
Recently, fake project team comments have flooded Twitter. Engineers from SpaceX introduced a new feature allowing users to disable links in replies—an effective measure that greatly reduces phishing risks. These are positive developments. We hope to see more such security-enhancing features emerge to help users defend against threats.
Tommy:
As an industry participant, user, and trader, I hope tooling products continue improving to reduce my security concerns. Ideally, these tools would alert me instantly when risks arise—or even block potentially dangerous actions automatically. This kind of user-friendly protection builds trust. I believe Web3 user experiences will eventually match, or even surpass, today’s Web2 standards.
Only when more outsiders can seamlessly enter the crypto space can the industry truly grow. Strengthening infrastructure not only protects users from risks but also improves onboarding experiences—preventing newcomers from developing negative perceptions due to scams.