NFTGo Research

Posted on Oct 11, 2023Read on

NFTGo Web3 Builder Talk Episode 2 – SlowMist

Since 2018, SlowMist has utilized over a decade of network security expertise to safeguard the blockchain ecosystem. They've identified numerous high-risk vulnerabilities, earning widespread industry recognition.

With security threats mounting across Web3, users are rightly concerned. So we're excited to host SlowMist's security leaders to discuss blockchain safety. Join us in learning top insights to explore on-chain confidently.

Q: Please introduce SlowMist.

A: Hello everyone, SlowMist is a company that specializes in blockchain ecosystem security. Our blockchain ecosystem security capabilities consist of three layers: the innermost layer is compliance security, the second layer is technical security, and the outermost layer is ecosystem security. Technical security mainly includes two business lines: security audit and anti-money laundering. The security audit content includes smart contract code of DeFi projects, centralized exchanges, wallet apps, browser plug-in wallets, underlying public chains, and we also have Red Teaming testing service, which is one of our strengths.

From 2018 till now, for more than 5 years, we have served numerous well-known and leading clients in the industry, with thousands of commercial customers and high satisfaction rate. Regarding anti-money laundering, we have MistTrack, a blockchain-based tracking platform. In addition, we also pay great attention to compliance security, which is an important cornerstone for the long-term development of this industry. We have strict legal processes for the target projects of security audits or anti-money laundering cooperation. We know that security is a whole, and security protection requires a complete security system. Therefore, we provide an integrated and tailored security solution from threat discovery to threat defense.

Basically, it is a military-like circular defense system with layered defense. The outermost layer is threat discovery, which is to discover and identify threats through partners in the SlowMist zone and SlowMist’s own threat intelligence system (this is also part of our ecosystem security), and then issue warnings to the entire ecosystem through media channels. Threat defense refers to our defense system, from BTI (Blockchain Threat Intelligence System) to deploying tailored and systematic defense solutions, implementing cold, warm, and hot wallet security reinforcement, and selecting high-quality security solution providers in the fields of network security, risk control security, and wallet security for customers, allowing customers to flexibly choose and easily cope with various challenges encountered in the process of business development. We hope to work together with industry partners and the community to jointly build a security joint defense system.

Q: Web3 security issues are always unpredictable. Apart from some basic rules such as writing seed phrase by hand and paying attention to the authenticity of websites, does SlowMist have any security suggestions for Web3ers?

Answer: Since you've asked about security in interactions, let's first sort out how attacks typically steal users' assets.

Attackers generally steal user assets in two ways:

First, trick users into signing malicious transaction data that steals assets, such as tricking users into authorizing or transferring assets to attackers. Second, trick the user into entering the seed phrase of the wallet on a malicious website or app.

After we know how the attacker steals wallet assets, we must prevent possible risks:

a.Before signing, you must identify the signed data, know what the transaction you signed is for, carefully check whether the target of the signature is correct and whether the authorized amount is excessive.

b.Use hardware wallets as much as possible, because hardware wallets generally cannot directly export seed phrases or private keys, so the threshold for the private key of seed phrases to be stolen can be raised;

c.Various phishing techniques and incidents emerge in endlessly. Users should learn to identify various phishing techniques by themselves, improve security awareness, conduct self-education to avoid being cheated, and master self-rescue skills. For instance, stay updated on media coverage from security companies like SlowMist to learn about the latest scams or phishing techniques. Additionally, we highly recommend reading the "Blockchain dark forest selfguard handbook" published by SlowMist; it's full of valuable insights.

d.It is recommended that users maintain different wallets for various scenarios and keep the risk under control. For instance, it is recommended to store large amounts of assets that are not frequently used in a cold wallet, ensuring that the network and physical environments are secure. On the other hand, wallets that participate in activities such as airdrops should store smaller assets due to their high frequency of use. Managing the wallet hierarchically based on different assets and frequency of use can help to ensure that risks are manageable.

Q: On August 16th, @evilcos tweeted about the common misconception that Mac computers are safer than Windows computers. For Web3ers, what are SlowMist's opinions on the pros and cons of using Mac or Windows?

Answer: Yes, this tweet also caused a lot of discussion. On the other hand, when we ask from the opposite perspective "Where does the misconception that Win is more secure than Mac come from?" It's a similar angle and answer.

From the perspective of single-system intrusion prevention, Mac's closed system and strict control over permissions are indeed better than Windows. Additionally, due to the low global market share of Mac and the high market share of Windows, more attacks occur on Windows. Since the birth of Windows, various attack surfaces have become too mature.

It is an exaggeration to say that 99% of the current security personnel who do infiltration, intrusion, and APT will not target Mac. On the contrary, 100% of them will target Windows. Setting aside the above, if a Trojan horse that has been bypassing anti-virus software is used to attack both Mac and Windows, the results are basically the same, and both will be infected.

In general, half of the responsibility for computer security lies with the equipment, while the other half lies with the user. If the user lacks sufficient awareness, the computer can easily be infected with malicious programs, which can then lead to the theft of sensitive data (such as seed phrase).

Malware can behave in many different ways, such as hiding in email attachments or monitoring the device's camera. It is recommended that users increase their security awareness, for example, by not easily downloading and running programs provided by strangers on the internet, only downloading applications, software, or media files from trusted sites; not easily opening attachments from unfamiliar emails; regularly updating the operating system and obtaining the latest security protection; and installing anti-virus software such as Kaspersky on the device.

Q: Many projects have experienced cases of their "treasury funds" being stolen. SlowMist believes there are several common reasons that lead to security issues. Is there a significant possibility of self-embezzlement?

Answer: According to statistics from the SlowMist Hacked, as of August 24th, 2023, there have been a total of 253 security incidents in the blockchain industry, resulting in losses of up to $1.45 billion. There are several ways in which blockchain attacks occur, including phishing attacks, Trojan attacks, computing power attacks, smart contract attacks, infrastructure attacks, supply chain attacks, and internal fraud. In terms of smart contract attacks, some common methods include flash loan attacks, contract vulnerabilities, compatibility or architecture problems, as well as front-end malicious attacks and phishing targeting developers.

Speaking of embezzlement, we cannot avoid mentioning the leakage of private keys. The leakage of private keys depends on the situation, and the leakage of private keys of individuals and exchanges is very different. In general, personal private keys are leaked by storing them online, such as in WeChat favorites, 163 email, notes, Youdao notes, and other cloud storage services. Hackers often collect leaked account password databases on the Internet, such as plaintext account passwords from many years ago on CSDN, and then try to access these cloud storage and cloud service websites. The security community calls this "database cracking," which is probabilistic. If they successfully log in, they will look for Crypto-related content. The leakage of exchange private keys is more complicated and is generally done by large hacker organizations that have the ability to break through the layers of security protection of exchanges and gradually invade the hot wallet private keys in the exchange server. It is illegal to do so, so we strongly advise against it.

We recommend that project teams find security companies to conduct security audits of their project codes as much as possible to improve the security level of the project. They can also release Bug Bounty to avoid security issues during the continuous operation and development of the project. We also recommend that project teams improve their internal management and technical mechanisms and increase asset protection by introducing multi-signature and zero-trust mechanisms.

Q: The term "cross-chain bridge" has been jokingly referred to as the "AKA hacker ATM." For active members of the web3 who may not have a strong technical background, what points should they pay attention to when using a cross-chain bridge?

Answer: Speaking of cross-chain bridges, firstly, cross-chain bridge operations are complex, with a large amount of code, making it susceptible to coding vulnerabilities during implementation. Secondly, the use of third-party components in the project is also a significant contributor to security vulnerabilities. Finally, the lack of a larger development community for cross-chain bridges means that the code may not be extensively and thoroughly reviewed to uncover potential bugs.

For users, it's important to understand how your funds are protected when using a cross-chain bridge. You can assess the risk level of a cross-chain bridge from various perspectives, such as:

  • Is the project contract open-source?

  • Has the project undergone multi-party security audits?

  • What is the private key management scheme - is it based on MPC (Multi-Party Computation), multi-node multisignature, or is the private key centrally managed by the project team?

When choosing a cross-chain bridge, users should also opt for those backed by teams with strong security capabilities. First and foremost, the code should undergo security audits of all versions. Additionally, the team should have dedicated security personnel. It is also advisable for cross-chain bridge teams to operate in a transparent manner, which allows them to receive user inquiries and suggestions more effectively and address any issues promptly.

Q: In addition to some common scams and phishing attacks, could SlowMist provide some examples of less common but equally concerning cases?

Answer: We have previously disclosed a case where attackers exploited vulnerabilities in WalletConnect within Web3 wallets to increase the success rate of their phishing attacks. Specifically, some Web3 wallets that support WalletConnect did not restrict the location of WalletConnect pop-up transaction confirmation windows; instead, they allowed these windows to pop up on any interface within the wallet. Attackers took advantage of this loophole. They would guide users to connect to phishing websites using WalletConnect and continually generate malicious eth_sign signature requests.

When users recognized the potential risk of eth_sign and declined the signature request, the phishing website, due to WalletConnect's use of the wss protocol for connection, would continue to send malicious eth_sign signature requests.

As a result, users were more likely to mistakenly click the sign button, leading to asset theft. In fact, as long as users leave or close the DApp browser, the WalletConnect connection should be suspended. Otherwise, sudden signature requests while using the wallet can easily cause confusion and increase the risk of theft.

Additionally, I would like to emphasize eth_sign once again. Eth_sign is an open signature method that has been frequently used by attackers for phishing attacks in the past two years. Eth_sign allows signing of any hash value, including signatures for any transaction or data, posing a potential risk of network phishing. Therefore, when signing or logging in, please carefully check the application or website you are using and avoid entering passwords or signing transactions in unclear situations. Refusing blind signing can mitigate many security risks.

Q: Can you share the most profound security incident that SlowMist has encountered during its many years of involvement in blockchain security?

Answer: One of the most memorable incidents in recent years was the Poly Network attack in 2021. As soon as the attack occurred on the evening of August 10th, we closely monitored the situation and began analyzing the attack process, tracking the flow of funds, and estimating the losses. It felt like being on the front lines of the incident. The total loss amounted to $610 million, which was considered exceptionally large for a security breach at the time.

Our team promptly released an analysis of the attack, along with information about the attacker's IP identity, in the early hours of August 11th. By the afternoon of the same day, under significant pressure, the hacker began returning the stolen assets. Some of the hacker's remarks on blockchain during this incident were quite intriguing. The whole process was a great achievement for us as a security company.

Q: Finally, here's an interesting question. With the continuous evolution of new technologies like formal verification and AI auditing, how does SlowMist view the development of these new technologies?

Answer: When it comes to new technologies, such as ChatGPT improving efficiency in traditional text-related tasks or CodeGPT enhancing code-writing efficiency, we have internally experimented with using historically common vulnerability code as test cases to assess GPT's ability to detect basic vulnerabilities. Our test results showed that GPT models perform reasonably well in detecting simple vulnerability code blocks, but they struggle with slightly more complex vulnerability code and currently cannot detect them. Moreover, during testing, we observed that GPT-4(Web) has high overall contextual readability and produces clear output formats.

GPT has some advantages in detecting basic, simple vulnerabilities in contract code and provides explanations of vulnerability issues with high readability. This feature is suitable for providing quick guidance and simple answers to novice contract auditors. However, there are also some drawbacks. For instance, GPT's output can exhibit some variability in each conversation, which can be adjusted through API interface parameters but remains non-constant. While this variability is useful for natural language dialogue, it can pose challenges for code analysis work. To cover multiple possible answers from AI, we often need to make multiple requests for the same question and compare and filter the responses, inadvertently increasing workload, which contradicts the primary goal of AI-assisted human efficiency improvement.

Furthermore, when it comes to detecting slightly more complex vulnerabilities, we find that the current (as of March 16, 2024) training models cannot correctly analyze and identify critical vulnerability points. While GPT's capabilities for analyzing and discovering contract vulnerabilities are relatively limited at the moment, its ability to analyzesmall program code blocks for common vulnerabilities and generate report text is still exciting to users. With the foreseeable future of continued training and development of GPT and other AI models, we believe that faster, smarter, and more comprehensive assistance in auditing large and complex contracts will be achieved.


We extend our heartfelt gratitude to the SlowMist team for their insightful responses. Where there is light, there is shadow, the blockchain industry is no exception. It is thanks to the presence of blockchain security companies like SlowMist that even the darkest corners can be illuminated. We believe that with further development, the blockchain industry will become more standardized, and we eagerly anticipate the future growth of SlowMist.

We look forward to seeing what's next for them and how their plans unfold in the years ahead. Stay tuned for our next engaging conversation with another prominent Web3 leader.