Table of Contents
Playing MEME is an Adventure
Q1: Real Cases of MEME Risks Happening Around Us
Q2: Common Risks on EVM Chains and Solana Network when Trading MEME
Q3: Dimensions or Tools to Filter High-Risk MEME Projects
Q4: What are the Limitations or Risks of Launchpad Platforms and DEX as early circulation places for MEME tokens?
Q5: Following up, is the Telegram Bot one of the practical implementations of intent-based interaction in the cryptocurrency field, and does it represent the development trend of future DEXs?
Q6: Security Risks Currently Existing in High-Frequency Tools Such as Telegram (TG) Bots
Q7: User’s Misunderstandings and Risk Prevention in Trading MEME
Rug Pull, Pixiu Pan, Crush, Sandwich… Many traps lie ahead
I have always been a brave adventurer, until my knee took an “arrow”
This issue is the Security Special Issue 02, and we have invited well-known security institutions CertiK and OKX Web3 team to share common MEME trading security risks and preventive measures from the perspective of practical guidelines, hoping to provide assistance to MEME users.
CertiK Security Team: CertiK was founded by two professors from Yale University and Columbia University. It uses the most advanced formal verification technology, AI audit technology, and security expert manual audit to scan and monitor blockchain protocols and smart contracts to ensure their security. So far, CertiK has obtained recognition from over 4,000 corporate clients, discovered nearly 70,000 code vulnerabilities, and protected over $400 billion in digital assets from loss.
OKX Web3 Wallet Security Team: Hello everyone, we are very happy to share this session. The OKX Web3 Wallet Security Team is mainly responsible for the security construction of the OKX Web3 Wallet, providing multiple protection services such as product security, user security, and transaction security. While guarding the security of users’ wallets 24/7, we also contribute to maintaining the security ecology of the entire blockchain.
OKX Web3 Wallet Security Team: There are many types of risk cases. We have selected several classic cases that users encountered when trading MEME:
Case 1: Pixiu Pan
User A saw a highly discussed MEME on Twitter and found the token address in the comments of the MEME tweet. After checking the transaction data of the MEME, User A found that its performance was good, so he decided to buy it. As the price of the MEME kept rising, User A wanted to sell and lock in profits, but he was unable to sell. After our team investigated, we found that the MEME token was a Pixiu Pan, and User A’s address was blacklisted, preventing him from selling.
Case 2: Malicious Rug Pull
User B often posts and participates in activities in a Telegram community, and is added as a contact by many group members. One day, a group member privately messaged User B and recommended a MEME project to him, claiming that the project was extremely popular and had great potential. Immediately after, the member provided the token address for the MEME. User B was intrigued and checked the MEME token’s liquidity LP on a data analysis tool, and found that the liquidity had been burned and there were no large whale holdings, leading him to believe that the MEME project was reliable. He decided to buy it. However, the next day, User B suddenly discovered that the liquidity of the MEME project had been exhausted. After our team investigated, we found that the token was a malicious Rug Pull token with a backdoor logic that allowed for the issuance of a large number of tokens.
There are endless risk cases happening to MEME users. We hope that through the following discussion, we can provide some security reference guidelines for users. This does not constitute any investment advice, but is only for learning and communication purposes.
CertiK Security Team: MEME risks can be divided into two categories: on-chain risk scenarios and general risks unrelated to blockchain technology.
Before introducing specific on-chain risk scenarios, let’s first talk about general risks. These mainly include extremely low token issuance costs, easily manipulable token prices, highly centralized projects, high trading slippage and Rugpull scams.
1. Extremely low token issuance costs
Generally, the technical development effort for launching a MEME project is very low or even nonexistent, resulting in the emergence of one-click token creation tools like PandaTool. Due to the extremely low development costs, project insiders and early investors can obtain tokens at a very low cost. Combined with the lack of actual fundamentals for MEME projects, once the market is no longer in a “FOMO” (Fear of Missing Out) state, these low-cost tokens will be quickly sold off, resulting in significant losses for later investors.
2. Easily manipulable token prices
MEME prices are easily manipulated. On the one hand, this is due to the lack of substantial technical support, intrinsic value, and low entry barriers for token creation and issuance in the MEME space, resulting in a flood of highly speculative coins in the market.
At the same time, MEME prices usually rely on social media and online hype to drive their prices. These factors are easily manipulated by large holders or organized groups. These speculators can manipulate prices by buying or selling large amounts, creating false information and market noise, causing price volatility, and attracting more retail investors to chase the price up or down, further exacerbating the possibility of price manipulation.
3. Highly centralized projects
MEME projects usually lack decentralized governance mechanisms, and decision-making power is concentrated in the hands of a few developers and core teams, making the direction and management of the projects susceptible to personal interests, increasing the risks for investors. Based on centralized decision-making power, there may also be risks of centralized control over token contracts and procedures, token ownership, and liquidity control.
4. High trading slippage
MEME trading often incurs high slippage, primarily due to poor liquidity. Due to the relatively small number of participants trading MEME and insufficient trading volume, there is a large spread (i.e., the difference between the buy and sell prices), which increases transaction costs. In addition, MEME coins with low liquidity are prone to significant price fluctuations during large trades, further increasing trading risks and costs. Investors often have to bear higher slippage and larger price impacts when buying or selling, resulting in low trading efficiency and increased trading costs.
The second reason is attributed to the “transaction tax” mechanism. Many MEME projects charge a certain percentage of transaction tax on each transaction to incentivize investors to hold or support the project’s funds. However, this transaction tax increases transaction costs, making frequent trading more expensive. Traders need to pay additional fees with each buy or sell, exacerbating trading slippage and reducing liquidity. When trading MEME, investors have to bear higher costs and risks.
5. Rugpull scams
MEME is prone to being targeted by Rugpull scams due to its high anonymity and its lack of transparency and regulation. Here are several common Rugpull methods and their manifestations:
1) Liquidity Pull:
Method: The development team creates a liquidity pool on a decentralized exchange (DEX) and adds tokens and mainstream cryptocurrencies (such as ETH, USDT, etc.) to the pool. After attracting enough investors, the development team suddenly withdraws all liquidity, making the tokens untradeable.
Manifestation: Investors find that they cannot sell the tokens, and the token price quickly drops to zero, with almost no funds remaining in the liquidity pool.
2) Developer Dumping:
Method: The project team or early holders hold a large number of tokens and, when market demand is artificially inflated, they quickly sell most or all of their tokens, causing the price to plummet.
Manifestation: Large sell orders appear in the trading records, the token price sharply drops, market confidence collapses, and trading volume rapidly decreases.
3) Fake Projects:
Method: Malicious actors create a fake MEME project, fabricating false visions and roadmaps, and attracting investors through social media and celebrity endorsements. Once they raise enough funds, they shut down the project and abscond with the funds.
Manifestation: The project website and social media accounts suddenly disappear, the development team cannot be contacted, and the value of tokens in investors’ accounts rapidly depreciates.
4) Contract Exploits:
Method: The development team intentionally leaves backdoors or vulnerabilities in the smart contract, allowing them to manipulate the contract and steal investors’ funds under specific conditions.
Manifestation: Abnormal or sudden stoppage of token transactions, investors unable to transfer or sell tokens, large amounts of funds transferred to unknown accounts according to contract addresses.
5) Fake Forks:
Method: Claiming to upgrade or fork the original token, they ask holders to exchange the old tokens for new ones, but in reality, they collect and take possession of these old tokens.
Manifestation: The old tokens become worthless, and the so-called new tokens cannot be traded on any exchange, and the project team becomes unresponsive.
Next, let’s introduce the common on-chain risks when trading MEME on EVM chains and the Solana network. In order to facilitate a direct comparison of risk types, we will share them in the form of a table.
[Table: comparison of common on-chain risk types when trading MEME on EVM chains and the Solana network. Image Source: CertiK Security Team]
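The slippage mechanics in point 4 above (thin liquidity plus a transfer tax) can be made concrete with a short worked calculation. This is an added example, not part of the CertiK material: it assumes a Uniswap v2-style constant-product pool with a 0.3% swap fee on the input side, and every reserve and tax figure in it is constructed.

```python
"""Constant-product price impact and transfer-tax cost for a MEME buy.

Assumption: Uniswap v2-style pool, x * y = k, 0.3% swap fee taken on input.
Reserves and tax rates below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    eth_reserve: float       # ETH (or other quote asset) locked in the pair
    token_reserve: float     # MEME tokens locked in the pair
    swap_fee: float = 0.003  # Uniswap v2 default fee, charged on the input side


def spot_price(pool: Pool) -> float:
    """Marginal price in ETH per token before the trade moves the pool."""
    return pool.eth_reserve / pool.token_reserve


def tokens_out(pool: Pool, eth_in: float) -> float:
    """Tokens the pool pays out for eth_in while keeping x * y constant."""
    if eth_in <= 0:
        raise ValueError("trade size must be positive")
    eth_in_net = eth_in * (1.0 - pool.swap_fee)
    k = pool.eth_reserve * pool.token_reserve
    return pool.token_reserve - k / (pool.eth_reserve + eth_in_net)


def price_impact(pool: Pool, eth_in: float) -> float:
    """Fraction by which the realised price exceeds the spot price."""
    realised = eth_in / tokens_out(pool, eth_in)
    return realised / spot_price(pool) - 1.0


def effective_slippage(pool: Pool, eth_in: float, tax_rate: float) -> float:
    """Total shortfall versus buying at spot, once the token contract's
    transfer tax is also deducted from what the buyer actually receives."""
    if not 0.0 <= tax_rate < 1.0:
        raise ValueError("tax rate must be in [0, 1)")
    received = tokens_out(pool, eth_in) * (1.0 - tax_rate)
    at_spot = eth_in / spot_price(pool)
    return 1.0 - received / at_spot


# Constructed pools with the same spot price (1e-6 ETH per token) but 100x
# different depth, to isolate the effect of liquidity on a 1 ETH buy.
THIN_POOL = Pool(eth_reserve=10.0, token_reserve=10_000_000.0)
DEEP_POOL = Pool(eth_reserve=1_000.0, token_reserve=1_000_000_000.0)


def compare(eth_in: float = 1.0, tax_rate: float = 0.10) -> dict:
    """Side-by-side figures for both pools; the 10% tax is a constructed value."""
    return {
        "thin_impact": price_impact(THIN_POOL, eth_in),
        "deep_impact": price_impact(DEEP_POOL, eth_in),
        "thin_total_cost": effective_slippage(THIN_POOL, eth_in, tax_rate),
        "deep_total_cost": effective_slippage(DEEP_POOL, eth_in, tax_rate),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:16s} {value:7.2%}")
```

The same 1 ETH buy costs roughly 10% in price impact against the thin pool but well under 1% against the deep one, and a 10% transfer tax is added on top in both cases.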
OKX Web3 Wallet Security Team: EVM chains and Solana are the preferred networks for users to trade MEME, and they have differences in terms of on-chain risk types, which are related to factors such as their token issuance mechanisms.
First, EVM chains. Due to the high degree of freedom in token issuance on EVM chains and the fact that token content is implemented by developers, the common on-chain risks when trading MEME on EVM chains include two main types:
(1) MEME with malicious logic
When there is a hot MEME in the market, various malicious tokens that falsely claim to be popular MEMEs will appear. These malicious tokens usually have good trading data, misleading users and causing them to trade into malicious tokens, resulting in losses. The currently common types of malicious tokens are primarily:
1) Pixiu Pan: Tokens that can only be bought and not sold. These malicious tokens typically set a 100% tax rate or have special transfer restriction logic, preventing users from selling their tokens.
2) Malicious Rug Pull tokens: Tokens with hidden inflation logic. These malicious tokens increase their supply through hidden inflation logic to deplete token liquidity.
(2) Malicious acts by project teams
Current malicious acts by project teams mainly include two types: abusing privileged functions and direct market manipulation.
1) Abusing privileged functions: Project teams use privileged functions such as mint function to inflate the token supply and manipulate the market.
2) Direct market manipulation: Project teams directly manipulate the market by dumping their holdings.
Second, the Solana chain. It should be noted that token issuance on the Solana network is done through official channels, so the common on-chain risks when trading MEME on the Solana chain mainly come from malicious acts by project teams.
(1) Abusing privileged functions
Project teams abuse privileged functions such as mint function to inflate the token supply and manipulate the market, or use freeze instructions to freeze user addresses, achieving a similar effect to Pixiu Pan by preventing users from selling.
(2) Direct market manipulation
Project teams directly manipulate the market by dumping their holdings. It is worth mentioning that some malicious MEME project teams bypass scrutiny by distributing holdings of tokens.
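The two privileged functions described above for Solana (inflating supply through the mint authority, freezing holders through the freeze authority) are both visible as fields on the token's mint account. The following is an added example, not the OKX or CertiK teams' code or tooling: it parses the spl-token Mint account layout (82 bytes) and reports which authorities are still set. The account bytes are constructed and the authority key is a placeholder; fetching a real account is outside the example.

```python
"""Read mint and freeze authority from an SPL Token mint account.

spl-token Mint layout (82 bytes, little-endian):
  0..36   COption<Pubkey> mint_authority   (u32 tag: 0 = None, 1 = Some; 32-byte key)
  36..44  u64 supply
  44      u8 decimals
  45      bool is_initialized
  46..82  COption<Pubkey> freeze_authority
The account bytes used below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MINT_LEN = 82


@dataclass(frozen=True)
class MintInfo:
    mint_authority: Optional[bytes]
    supply: int
    decimals: int
    is_initialized: bool
    freeze_authority: Optional[bytes]


def _coption_pubkey(data: bytes, offset: int) -> Optional[bytes]:
    """Decode a COption<Pubkey>: 4-byte tag followed by a 32-byte key."""
    (tag,) = struct.unpack_from("<I", data, offset)
    if tag == 0:
        return None
    if tag == 1:
        return bytes(data[offset + 4 : offset + 36])
    raise ValueError(f"invalid COption tag {tag} at offset {offset}")


def parse_mint(data: bytes) -> MintInfo:
    """Decode a raw mint account; rejects anything that is not exactly 82 bytes."""
    if len(data) != MINT_LEN:
        raise ValueError(f"expected {MINT_LEN}-byte mint account, got {len(data)}")
    supply, decimals, initialized = struct.unpack_from("<QBB", data, 36)
    return MintInfo(
        mint_authority=_coption_pubkey(data, 0),
        supply=supply,
        decimals=decimals,
        is_initialized=initialized == 1,
        freeze_authority=_coption_pubkey(data, 46),
    )


def risk_flags(mint: MintInfo) -> List[str]:
    """Privileged-function flags: which levers the issuer has not given up."""
    flags = []
    if not mint.is_initialized:
        flags.append("mint account not initialized")
    if mint.mint_authority is not None:
        flags.append("mint authority retained: supply can still be inflated")
    if mint.freeze_authority is not None:
        flags.append("freeze authority retained: holder accounts can be frozen")
    return flags


def encode_mint(mint_authority: Optional[bytes], supply: int, decimals: int,
                freeze_authority: Optional[bytes]) -> bytes:
    """Build a constructed mint account (inverse of parse_mint) for testing."""
    def coption(key: Optional[bytes]) -> bytes:
        if key is None:
            return struct.pack("<I", 0) + bytes(32)
        if len(key) != 32:
            raise ValueError("pubkey must be 32 bytes")
        return struct.pack("<I", 1) + key
    return coption(mint_authority) + struct.pack("<QBB", supply, decimals, 1) + coption(freeze_authority)


# Placeholder 32-byte authority key (constructed, not a real account).
DEPLOYER_KEY = bytes(range(32))
# A token whose issuer kept both levers, next to one that renounced both.
RETAINED_MINT = encode_mint(DEPLOYER_KEY, 10**15, 6, DEPLOYER_KEY)
RENOUNCED_MINT = encode_mint(None, 10**15, 6, None)

if __name__ == "__main__":
    for label, raw in (("retained", RETAINED_MINT), ("renounced", RENOUNCED_MINT)):
        info = parse_mint(raw)
        print(label, info.supply / 10**info.decimals, risk_flags(info) or ["no privileged authority set"])
```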
CertiK Security Team: This does not constitute any investment advice, but we will introduce several tools that we personally frequently use. These tools cannot filter risks 100% but can provide users with a reference to preliminarily judge if a MEME project has a high risk.
1) dune.com: A data analysis platform that allows users to customize queries to analyze and monitor on-chain data of tokens. It is flexible but relatively complex to use, requiring a certain learning curve.
2) Dextools.io: A token information integration platform that provides basic information about tokens such as market capitalization, liquidity, number of holders, token distribution, etc. It can also perform simple security risk screening.
3) Skyknight MemeScan: A new platform launched by CertiK, providing solutions to evaluate the security status of MEME. The platform provides real-time insights and on-chain behavior analysis, including contract minting analysis, trading control detection, ownership concentration analysis, liquidity control evaluation, etc.
OKX Web3 Wallet Security Team: There is no way or method that can filter risks 100%. However, from the perspective of token security and project health, we provide several dimensions that can preliminarily filter out MEME projects with extremely high risks. It should be noted that users cannot solely rely on these dimensions to judge the security of a project.
1) Smart Contract Security: The existence of source code-level security issues can be verified through auxiliary tools. These tools can check for the presence of malicious logic in project code and identify security vulnerabilities in the code itself. In addition, the permission control of the contract should be evaluated to ensure that the contract owner’s permissions are not excessive, preventing them from arbitrarily minting or burning tokens.
2) Token Distribution and Holder Distribution: The distribution of token holders can be viewed through blockchain explorers to avoid projects with overly concentrated token holdings, as these projects are more susceptible to manipulation and have a higher risk of rug pulls.
3) Liquidity and Trading Activity: The trading volume and price volatility of tokens should be observed, as low trading volume and high volatility may indicate project instability or manipulation risks.
4) Community and Development Team Activity: It is important to assess whether the project team is transparent, including the background, experience, and social media activities of team members.
Currently, the OKX Web3 wallet provides users with the ability to filter risky tokens, filtering out tokens that may cause user damage from multiple aspects such as code security and transaction security. While providing token information in various dimensions, it ensures a secure trading experience for users.
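Dimension 2 above (token and holder distribution) can be turned into a simple screen over a holder snapshot, provided the liquidity pair and burn addresses are first taken out of the denominator. This is an added example, not OKX's or CertiK's tooling: the balances are constructed, the pair and deployer addresses are placeholders, and the 20% / 50% thresholds are assumptions rather than figures from the text.

```python
"""Holder-concentration screen over a token holder snapshot.

Constructed data throughout; thresholds are assumptions for illustration.
Limitation already noted in the Q2 answer: one party can spread a position
across many wallets, so a clean result here is not proof of a healthy
distribution, only the absence of an obvious one.
"""
from typing import Dict, Iterable, List, Tuple

# Well-known burn sinks; tokens sent here are out of circulation.
BURN_ADDRESSES = {
    "0x0000000000000000000000000000000000000000",
    "0x000000000000000000000000000000000000dead",
}
# Assumed thresholds (not from the article).
MAX_SINGLE_HOLDER_SHARE = 0.20
MAX_TOP10_SHARE = 0.50


def circulating_balances(balances: Dict[str, int], non_circulating: Iterable[str]) -> Dict[str, int]:
    """Drop burn addresses and known pool/locker contracts, so the liquidity
    pair's balance is neither mistaken for a whale nor used to hide one."""
    skip = {a.lower() for a in non_circulating} | BURN_ADDRESSES
    return {a: b for a, b in balances.items() if a.lower() not in skip and b > 0}


def concentration(balances: Dict[str, int]) -> Tuple[float, float, float]:
    """Return (largest holder share, top-10 share, Herfindahl index)."""
    total = sum(balances.values())
    if total <= 0:
        raise ValueError("no circulating supply")
    shares = sorted((b / total for b in balances.values()), reverse=True)
    return shares[0], sum(shares[:10]), sum(s * s for s in shares)


def screen(balances: Dict[str, int], non_circulating: Iterable[str]) -> List[str]:
    """Human-readable flags, computed over circulating supply only."""
    largest, top10, _hhi = concentration(circulating_balances(balances, non_circulating))
    flags = []
    if largest > MAX_SINGLE_HOLDER_SHARE:
        flags.append(f"single wallet holds {largest:.0%} of circulating supply")
    if top10 > MAX_TOP10_SHARE:
        flags.append(f"top 10 wallets hold {top10:.0%} of circulating supply")
    return flags


def naive_largest_share(balances: Dict[str, int]) -> float:
    """What a raw explorer 'top holder %' shows before excluding the pool."""
    return max(balances.values()) / sum(balances.values())


# Constructed snapshot: 1e9 total supply. The pair and burn address together
# hold 50%, so the naive top-holder figure points at the pool, not the deployer.
PAIR = "0xPAIRPLACEHOLDER000000000000000000000000"      # placeholder, not a real pair
DEPLOYER = "0xDEPLOYERPLACEHOLDER0000000000000000000"  # placeholder
SNAPSHOT: Dict[str, int] = {
    PAIR: 450_000_000,
    "0x000000000000000000000000000000000000dead": 50_000_000,
    DEPLOYER: 200_000_000,
    **{f"0xretail{i:02d}": 20_000_000 for i in range(15)},  # constructed retail wallets
}

if __name__ == "__main__":
    print(f"naive top holder: {naive_largest_share(SNAPSHOT):.0%}")
    for flag in screen(SNAPSHOT, [PAIR]):
        print("flag:", flag)
```

On the constructed snapshot the raw explorer view shows the pair as a 45% "top holder", while the screen over circulating supply shows the deployer at 40% and the top ten at 76%.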
CertiK Security Team: First, Launchpad platforms and DEXs must have strong technical support to handle the speed of MEME project transactions and the scale of transactions. In addition, liquidity is also crucial, and relevant platforms need to monitor any events that may affect liquidity security. Finally, regarding compliance risks of MEME, platform operators must understand and implement relevant regulatory policies and requirements to reduce potential legal risks.
OKX Web3 Wallet Security Team: Next, we will introduce the limitations and risks of the Launchpad platform and DEX separately.
For the Launchpad platform, it mainly includes three points:
First, the quality of projects launched on the platform varies. Although some Launchpad platforms conduct reviews and due diligence, there is still a possibility of not fully identifying high-risk or low-quality projects.
Second, there is a risk of fund management. Launchpad platforms usually centrally manage a large amount of user funds, and improper management or malicious misappropriation of these funds may lead to user fund losses. In addition, the platform may lack sufficient safeguards to protect user fund security.
Third, market manipulation. Project teams or large fund players may manipulate prices after the launch of the project on Launchpad, causing significant market fluctuations and affecting retail investors.
For DEXs, there are more limitations:
First, there is a lack of liquidity. Newly listed MEME tokens usually have poor liquidity on DEXs, which can lead to large slippage in transactions and significant price fluctuations.
Second, there are smart contract vulnerabilities. DEXs rely on smart contracts for transactions, and if these contracts have vulnerabilities, hackers may exploit them, leading to fund losses.
Third, there are high transaction fees, especially on networks like Ethereum, where transaction fees (Gas fees) can be very high, affecting the cost-effectiveness of small traders.
Fourth, there are malicious project teams. Anyone can deploy tokens and list them on DEXs, and some project teams may intentionally leave backdoor functions in the contracts, allowing them to manipulate token balances or prevent users from selling tokens.
Fifth, there are user experience issues. DEX operations are relatively complex for ordinary users and involve wallet connections, Gas fee settings, etc., which may result in a less user-friendly experience compared to centralized exchanges (CEXs).
CertiK Security Team: Telegram bot brings significant potential for simplifying the threshold for trading and automating certain steps in cryptocurrency transactions, making it more convenient for non-professional users to engage in cryptocurrency trading. However, specific security risks of these bots must be carefully considered. It is recommended to conduct comprehensive security due diligence on any third-party dApps that interact with wallets to ensure their security.
OKX Web3 Wallet Security Team: Telegram bots demonstrate great potential for intent-based interaction in the cryptocurrency field. This trend is expected to drive the future development of decentralized exchanges (DEXs) through optimized user experience, enhanced transaction convenience, security, expanded financial service ecosystems, and technological innovation.
1) Enhancing User Experience
Simplified operations: Telegram bots enable users to trade with simple chat commands through natural language processing, simplifying complex operational processes.
Automated trading: Users can set up automated trading rules, such as stop-loss points and take-profit points, reducing the risks and time costs of manual operations.
2) Enhancing Decentralized Trading
Seamless integration: Bots integrate with DEXs through API interfaces, hiding complex trading operations and reducing user learning costs.
Real-time operations: Bots can monitor market dynamics in real-time and notify users promptly, enabling them to make quick trading decisions and execute transactions.
3) Improving Security
Smart contracts: Bots utilize smart contracts to ensure transparency and security in transactions, reducing the possibilities of human intervention and fraud.
Decentralization: Although bots may be centralized, actual transactions are conducted in a decentralized environment, enhancing transaction security and transparency.
4) Expanding the Ecosystem
Multi-functional platform: Telegram bots are not limited to trading but can also expand to financial services such as asset management, lending, and collateralization, providing comprehensive financial solutions.
Enhanced community interaction: Bots can facilitate user communication and community building through the Telegram platform, increasing user engagement.
5) Technological and Market Drivers
Innovation-driven: Advancements in artificial intelligence and blockchain technology will make bots increasingly intelligent and efficient, driving the emergence of more decentralized applications and services.
Market acceptance: User demand for simplified and automated services is growing, driving more DEXs to adopt bot services to enhance competitiveness.
CertiK Security Team: With the development of the cryptocurrency market, Telegram bot usage in trading and information retrieval is becoming increasingly common. However, these frequently used tools also bring significant security risks. Users should pay special attention to the following aspects when using them.
First, many Telegram bots have not undergone security audits or code disclosures, which may contain malicious code or vulnerabilities. These malicious bots may steal users’ private keys, identity information, or other sensitive data. Additionally, malicious bots may impersonate legitimate services and induce users to enter their private keys or mnemonic phrases, leading to fund theft. Therefore, users should ensure that they only use officially recommended or verified bots and avoid clicking on unfamiliar links or entering sensitive information.
Second, certain bots may require excessive permissions, such as accessing users’ contacts, files, or other private information. Users should be cautious in granting permissions, ensuring that bots only have the minimum necessary permissions for their proper operation. Additionally, communication between bots and Telegram servers may be intercepted by man-in-the-middle attacks, leading to data leaks or tampering. Users should ensure the use of bots with encrypted communication and check the implementation of their security communication protocols.
Third, many Telegram bots provide automated trading functions, but if there are logical flaws in the trading logic of these bots, it may result in severe financial losses. Users should conduct thorough testing before using such functions and monitor trading behavior to prevent abnormal situations. Furthermore, bot developers may collect and store a large amount of user data, and once this data is leaked or abused, user privacy will be severely threatened. Users should choose bots with good reputations and privacy policies and regularly check their privacy protection measures.
Finally, excessive reliance on certain bots for trading or asset management may result in the inability to perform normal operations when the bot service is interrupted or closed. Therefore, users should avoid excessive reliance on a single bot and prepare backup plans. By understanding and preventing these risks, users can use Telegram bots more safely and protect their assets and privacy.
OKX Web3 Wallet Security Team: Telegram (TG) bots provide convenient services but also bring significant risks and vulnerabilities. Next, we will provide examples.
First, there is a risk of centralized custody of private keys. Most Telegram bots require users to hand over custody of their private keys so that the bot can actively sign and send transactions. This means that users’ private keys are stored on third-party servers, increasing the risk of theft or misuse.
Second, there is a phishing risk. Phishing links sent through Telegram bots may trick users into clicking on them, leading to the theft of account information or private keys. Additionally, artificial inducement in chat windows (such as impersonating customer service) may deceive users into providing their mnemonic phrases or other sensitive information.
Third, there is a risk of malware. Some bots may infect users’ devices through the distribution of malicious software (malware) or malicious SDKs, jeopardizing the security of the entire system.
In conclusion, users need to exercise caution when using various Telegram bots, avoid clicking on unfamiliar links, and refrain from disclosing their private keys.
CertiK Security Team: First, for any dApp that interacts with your wallet, including trading platforms and Telegram bots, users should conduct security due diligence. Choosing dApps that have undergone security audits can reduce the risk of attacks during operations and ensure the security of private keys and identity information. Currently, CertiK offers penetration testing services for dApps to help reduce risks.
Second, MEME trading relies heavily on transaction response speed and frequency. Therefore, it is important to choose a stable and reasonably priced platform. When conducting transactions, users should choose platforms that are secure, stable, fast, and have lower transaction fees to obtain a better trading experience. For example, the MemeScan platform launched by CertiK can provide real-time security status information, including on-chain behavior analysis of MEME: whether the contract can mint new coins, whether trading can be paused or restricted, whether a small number of addresses control a majority of tokens, and whether a small number of addresses control a majority of liquidity. We hope this can provide some help for users’ secure trading.
OKX Web3 Wallet Security Team: When it comes to MEME trading, users need to be aware of safe operations and risk prevention to ensure the correctness and security of transactions.
First, choose the right trading platform. Users should choose reputable and highly secure cryptocurrency exchanges, and try to avoid using unverified or unknown platforms, which may pose a risk of asset theft. For on-chain transactions, it is necessary to confirm the official website of the project and the correctness of the contract.
Second, enable higher security authentication methods. To enhance security, users can enable two-factor authentication in all trading platforms and wallets, using Google Authenticator or other secure applications. It is advisable to avoid using SMS verification, as it is vulnerable to SIM card swapping attacks.
Third, use wallets with high security. Users should use verified wallets for transactions and ensure secure backup of mnemonic phrases or private keys, storing them in a secure place and avoiding electronic backups. Failure to backup private keys or mnemonic phrases may result in the inability to recover assets in the event of device loss or damage.
Fourth, guard against phishing attacks. Users need to verify the URLs used for transactions and ensure that they are official links. When encountering issues, users should ensure that they contact official customer support and disregard private messages in Telegram, Discord, and other group chats. Never click on links from unknown sources, and never sign a message or reveal a private key without understanding its content.
Fifth, ensure a secure network environment. Users should conduct operations on trusted operating systems and avoid using public Wi-Fi networks.
Lastly, thank you for reading the 2nd issue of the OKX Web3 Wallet “Security Special”. We are currently busy preparing the content for the 3rd issue, which will include real-life cases, risk identification, and practical security operations. Stay tuned!
Disclaimer:
This article is for reference only and does not intend to provide (i) investment advice or investment recommendations; (ii) offers or solicitations to purchase, sell, or hold digital assets; or (iii) financial, accounting, legal, or tax advice. Holding digital assets (including stablecoins and NFTs) involves high risks and may experience significant volatility or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for your financial situation. Please take responsibility for understanding and complying with applicable local laws and regulations.