The specific business is divided into three stages:
Pre-threat discovery: The core is to avoid risks in advance, including security audit services (smart contracts, project architecture audits), security training (security awareness and operation training for the team), and red team testing (penetration testing that simulates hacker attacks);
Real-time monitoring during the process: Focus on chain dynamics and risk warnings, such as real-time monitoring of abnormal transactions on the chain and anti-money laundering monitoring (identifying the flow of dirty money/black money) to ensure that risks can be detected at the first time when they occur;
Lisa: While attack methods have been diverse and rapidly evolving in recent years, four typical types have emerged frequently. The core risks include both technical vulnerabilities and a lack of security awareness:
Contract vulnerability attacks: Smart contracts cannot be tampered with once launched and are often open source. Hackers often target large companies or cross-chain bridges (with large losses often exceeding hundreds of millions). Common vulnerabilities include "flash loan attacks" (exploiting the flash loan mechanism to amplify the impact of a vulnerability) and "overpowered permissions" (an imbalance in administrator privileges allows hackers to directly control assets). The core of these attacks is the failure to address technical vulnerabilities in advance.
Private key leaks: These attacks fall into two categories: individual and project-wide. Leakage of project administrator private keys is often caused by phishing or Trojans (downloading malware that steals private keys). Personal private key leaks are often caused by improper storage (such as WeChat favorites, cloud documents, or address book storage) or downloading fake wallets (Baidu search engines were initially full of fake wallets, but SlowMist and Baidu later jointly eliminated them).
Social engineering attacks: These attacks are highly covert, with hackers often impersonating acquaintances, celebrities, or journalists, using the power of trust to gain information. For example, impersonating journalists interviewing influential figures, sending "interview links" containing malicious scripts to trick users into clicking on them and stealing their accounts and assets. Alternatively, hackers may post phishing links on Twitter, allowing users to authorize and then steal their assets. These attacks rely on exploiting trust and breaking through psychological barriers.
Supply chain attacks: Cases have surged in recent years, with hackers inserting malicious code into development tools, third-party libraries, and code pipelines, contaminating developers' devices or project code. For example, some time ago, a well-known developer downloaded a Trojan from a fake account, causing problems with the "wallet with over 1 billion downloads" they managed. This not only compromised sensitive information but also stole assets—this type of attack has a wide impact and is difficult to detect in advance.
Summary of Core Risk Points: Technical vulnerabilities can be mitigated through audits, but lack of security awareness (such as trusting strangers, misusing private keys, and clicking on unknown links) is a more difficult problem to address, requiring continuous learning of the latest attack methods (SlowMist will regularly publish on its official account and Twitter).
Wang Lei: Can you share two security cases in which SlowMist was deeply involved, so that our livestreamers can gain inspiration from them?
Lisa: I've chosen two cases from different stages, both of which SlowMist participated in throughout, to illustrate the core logic of security incident handling:
The first is a 2022 social engineering attack recovery case: A hacker disguised themselves as a journalist to interview a Web3 influencer, sending them an "interview link" containing a malicious script. After clicking on it, the influencer's account and assets were stolen. They immediately sought help on Twitter and tagged SlowMist. We first conducted on-chain analysis and discovered that the stolen assets had flowed into an exchange, a partner of SlowMist's Threat Intelligence Network. Through cross-platform collaboration, the exchange froze the suspicious funds within 24 hours. We subsequently assisted the influencer in filing a case in Taiwan, ultimately recovering all the assets within three days. This case is particularly significant: it is the first in Taiwanese judicial history to complete asset return solely through on-chain tracing without a clear suspect. The warning is: when receiving requests for "interviews" or "collaboration," you must verify the identity of the other party, avoid clicking on unknown links, and contact security agencies (such as SlowMist) immediately after a theft. The speed of response directly affects the recovery of assets.
The second case is the $8 million platform hack in 2023: A Web3 platform was hacked, resulting in losses exceeding $8 million. SlowMist was contacted to initiate an emergency response. Our first step was on-chain analysis to identify the hacker's traces (attack methods, fund flows, and commonly used platforms). Our second step was to coordinate with global exchanges and wallets to freeze the hacker's associated accounts to prevent the funds from flowing into mixing platforms (once such platforms are involved, recovery becomes significantly more difficult). Our third step was to assist the project owner in an on-chain negotiation with the hacker. After multiple rounds of communication, the entire $8 million was recovered within three days. This case serves as a warning: Most stolen assets are difficult to recover, but "cross-platform collaboration" and "rapid response" are key. Relying solely on the project owner or security agencies isn't enough; exchanges, wallets, and legal authorities must work together. Furthermore, a post-incident review is crucial to avoid repeating the same issue (e.g., fixing vulnerabilities and strengthening monitoring).
The common warning from both cases is: Don't assume "security incidents won't happen to you." Conducting audits in advance, storing private keys securely, and responding quickly after a theft are the core protection strategies.
Q4: When a security incident occurs, how does the SlowMist team typically intervene and provide emergency response services?
Wang Lei: When a security incident occurs, how does the SlowMist team typically intervene, and what specific assistance does it provide?
Lisa: SlowMist intervenes through its "Security Emergency Response Service". The core goal is to "quickly stop loss, minimize loss, and restore the truth of the incident". The process is divided into four steps:
Step 1: Emergency Stop Loss (the most critical): First, do on-chain tracking to clarify the flow of stolen assets, contact exchanges, wallets, cross-chain platforms, etc. as soon as possible, and freeze/risk control suspicious funds - this step must be fast. Once the funds flow into a mixing platform or an overseas unregulated platform, the difficulty of recovering them will increase exponentially;
Step 2: On-site Protection: If hackers invade through servers or PCs, we will assist the project party in "on-site evidence collection" and even send a team to the project party for on-site analysis to ensure the integrity of the chain of evidence (such as not deleting traces of intrusion and retaining malicious code logs) to provide a basis for subsequent judicial intervention - There were cases where project employees were afraid of deleting traces, which made offline evidence collection difficult. This must be avoided;
Step 3: On-chain + off-chain joint analysis: On-chain analysis focuses on "fund flow, hacker portrait, and attack methods" (such as exchanges commonly used by hackers, wallet types, and sources of funds); off-chain analysis focuses on "identity tracing" (such as retrieving exchange KYC information, tracking Twitter/GitHub accounts associated with hackers, and analyzing posting traces). The two are combined to lock down hacker clues;
Step 4: Output a complete analysis report: Not only does it tell the project party "what happened, where the assets went, and the reason for the hack", it also provides "subsequent protection plans" (such as fixing vulnerabilities, upgrading monitoring, and strengthening private key management) to prevent similar incidents from happening again.
The core of the entire process is "high trust and collaboration between the project party and SlowMist"—if the project party conceals information or destroys evidence, the probability of stopping losses and recovering losses will be greatly reduced.
Wang Lei: Many startup teams often prioritize security due to high pressure. What are the most overlooked security issues at different stages of development (startup/funding/launch)?
Lisa: Security blind spots vary across different stages, but they can all lead to a "one-shot zero" scenario. They are as follows:
1. Startup Phase: A key issue is neglecting private key management and identity verification. For example, private keys are haphazardly stored in WeChat favorites, cloud documents, or kept by a single person (a leak can lead to the loss of all project assets). Furthermore, they are easily deceived by offers of partnerships or financing, downloading "project materials" (which are actually malware) sent by strangers, leading to device compromise. Startup teams and individual users have similar security blind spots: both are compelled to relax their vigilance in the rush to advance their projects.
2. Fundraising Phase: A key issue is neglecting code audit integrity and compliance risks. For example, to speed up financing, they release code that's "unaudited" or "vulnerable" directly online, taking risks with their projects. Some teams also seek audits simply to "request a report," neglecting the vulnerabilities discovered during the audit (SlowMist first conducts compliance and risk assessments and doesn't issue reports simply for payment). This can lead to post-funding hacks and capital losses due to vulnerabilities.
3. Launch Phase: A key issue is neglecting "real-time monitoring" and "account security." For example, failing to conduct on-chain monitoring can lead to attacks being discovered hours later (missing the optimal time to stop losses). Alternatively, teams neglecting the security of community accounts on platforms like Twitter and Discord (e.g., using weak passwords or failing to enable two-factor authentication) can lead to phishing links being distributed after a compromised account, resulting in user asset losses. These issues can directly undermine user trust and are more devastating than project losses themselves.
Essentially, startup teams' security blind spots stem from a cognitive bias: the belief that security is a cost, not an investment. However, the Web3 industry boasts transparency in its funding chain, and the cost of a single security incident far outweighs the cost of early security investments.
Q6: For startup teams with limited budgets, which security investments should they prioritize?
Wang Lei: If a startup team has a limited budget, which security investments should they prioritize for the best value?
Lisa: When your budget is limited, prioritize investments that cover core risks. We recommend three cost-effective actions:
1. Conduct a complete security audit: Prioritize auditing smart contracts and core business architecture. This is key to avoiding pitfalls beforehand and can preemptively fix over 90% of technical vulnerabilities (such as permission vulnerabilities and logic vulnerabilities), preventing post-launch hacks.
2. Use a multi-signature wallet to manage funds: Avoid letting a single person hold private keys. Use a multi-signature wallet (which requires authorization from two or three people to transfer funds) to spread risk. Even if one person's private key is compromised, all assets will remain intact. Multi-signature wallets are low-cost and address the core risk of single-person private key custody.
3. Establish basic real-time monitoring: You don't need to purchase a complex monitoring system. You can leverage open-source community tools (such as SlowMist's open-source on-chain monitoring script) or configure "abnormal transaction alerts" (e.g., triggering alerts for large transfers or transfers to unfamiliar addresses) to ensure immediate risk detection. Basic monitoring requires minimal investment but significantly improves in-process response speed.
These three actions cover the core risks of "before and during" events. While requiring minimal investment, they can prevent potentially fatal losses, making them the optimal choice for teams with limited budgets.
Q7: What security pitfalls are most common and costly for startups?
Wang Lei: What security pitfalls are most common and costly for startups? Could you provide one or two examples?
Lisa: There are two pitfalls that are "fatal" and startup teams fall into them frequently:
1. Private key custody by one person + random storage: This is the most basic and most fatal pitfall. For example, a startup team stored the private key for their project wallet in the founder's WeChat account. After their phone was phished, the private key was leaked, leading to the theft of $2 million in assets overnight. This type of loss is nearly irreversible, as once the private key is compromised, ownership of the assets is immediately transferred, and blockchain transactions are irreversible.
2. Launching unaudited code: To meet deadlines, many teams release contracts that haven't been audited. For example, one team launched a DeFi project with an unfixed reentrancy vulnerability. Within three hours of the launch, hackers exploited the vulnerability and stole $1.5 million, effectively depleting all raised funds. This type of issue could have been avoided with an audit, but the team, in their rush to launch, ignored it, ultimately bringing the project to a halt.
The commonality between these two pitfalls is that they appear minor but can be devastating. Private key management and code auditing are both "basic steps," but many teams find them "troublesome" or "unnecessary," ultimately losing out on the bigger picture.
Wang Lei: As a security organization within the industry, what do you think are the biggest challenges and opportunities in the current Web3 security industry?
Lisa: Challenges and opportunities coexist, as follows:
Core Challenges
1. Professionalization and Transnationalization of Attacks: Hackers no longer operate as single individuals, but instead form specialized groups (such as the North Korean hacker group Lazarus and paid phishing template groups). They can mass-generate phishing links, develop malicious scripts, and operate across borders (funds flow across multiple countries, making them difficult to track).
2. Divergent Security Needs: Security awareness and technical expertise vary widely among project teams. Some teams don't even conduct basic audits, while others overly pursue "full protection," making it difficult to standardize security services.
3. Different regulatory policies: Different countries/regions have different regulatory requirements for Web3 security (such as the Hong Kong Stablecoin Ordinance and the EU's Anti-Money Laundering Rules). If project owners are unaware of local policies, they may be "stuck by regulations due to compliance issues without being hacked."
Core Opportunities
Talent and Awareness Improvement: More and more young people (including college students) are paying attention to Web3 security. SlowMist is also collaborating with universities to conduct security training, and the industry's security talent pool is gradually increasing. At the same time, the security awareness of users and project owners is increasing - security is no longer seen as a "cost" but as a "moat." Projects with strong security management practices have higher user trust.
Normalized cross-platform collaboration: When major security incidents occur, industry collaboration becomes increasingly close. For example, after an exchange is hacked, institutions like Binance and Tether proactively implement on-chain risk control and assist in freezing funds. SlowMist's Threat Intelligence Network also collaborates with over 50 exchanges and wallets worldwide, enabling rapid response to cross-border security incidents. This industry collaboration significantly improves the efficiency of stop-loss measures.
New Possibilities of Technological Integration: Technologies like AI and big data offer new tools for Web3 security (e.g., AI identifying unusual transactions and big data analysis of on-chain risks). While these tools carry the risk of being exploited by hackers (e.g., AI-generated phishing videos), they can overall improve the efficiency and accuracy of security measures.
The core of this opportunity lies in "strengthening industry consensus": As security incidents increase, more and more institutions realize that they cannot defend themselves alone and require a collaborative defense system comprised of security organizations, project owners, regulators, and users. This is SlowMist's core focus going forward.
Wang Lei: Many domestic entrepreneurial teams go overseas, which involves cross-border compliance and security. What are the points that they need to pay special attention to?
Lisa: The security of going overseas is not only about "technical security", but also about "compliance security". SlowMist divides it into three major circles: "technical security, compliance security, and ecological security", none of which can be ignored:
1. Prioritize local compliance requirements: Different regions have different regulatory priorities. For example, Hong Kong requires stablecoin issuers to meet "capital adequacy ratio, anti-money laundering" and other rules, the EU focuses on "data privacy (GDPR)", and the United States has strict supervision on "cross-border asset flows" - if compliance is ignored, you may not be attacked by hackers, but your assets may be frozen or the project may be stopped by local regulators due to "non-compliance";
2. Adapt to local KYC and anti-money laundering regulations: Overseas projects often serve users in multiple regions and need to perform KYC according to local requirements (such as Hong Kong requires real-name authentication, and some regions require address verification). At the same time, an anti-money laundering monitoring system should be established to identify the flow of cross-border dirty money. This is not only a compliance requirement but also key to avoiding being implicated in theft.
3. Technical security must adapt to the local ecosystem: For example, certain regions often use specific wallets or exchanges. Project owners must assess the security levels of these platforms in advance to avoid collateral damage due to vulnerabilities in their partner platforms. At the same time, optimize private key management solutions based on local user habits (for example, users in some regions rely more on hardware wallets, requiring adaptation to relevant interfaces).
Core Recommendation: Treat "compliance and security" as a "ticket" for global expansion. Research the regulatory policies of target regions 6-12 months in advance. Collaborate with local security and legal agencies (such as SlowMist's collaboration with the Hong Kong Digital Asset Anti-Money Laundering Committee) to avoid compliance pitfalls—technical security can be fixed, but compliance issues are more difficult to eliminate in the long term.
Lisa: Let's first talk about the combination of AI, big data and Web3 security. The core is a "double-edged sword":
Positive possibilities
1. Improve protection efficiency: AI can quickly identify abnormal transaction patterns on the chain (such as batch small transfers, high-frequency interactions with unfamiliar addresses), which is more than 10 times faster than manual monitoring; big data can analyze massive amounts of on-chain data, refine hacker attack patterns (such as common methods, target platforms), and improve the accuracy of threat intelligence;
2. Lower the security threshold: AI can automatically generate a "security audit report summary" to help teams without a technical background understand vulnerability risks; big data can output an "industry security trend report" to enable startup teams to quickly grasp high-frequency risk points.
Potential risks
AI may also be exploited by hackers: For example, AI can be used to generate "real customer service voice/video" (imitating the project team), or to generate "fake project introduction videos" to trick users into authorizing their wallets through "trust disguise"; hackers can also use AI to batch generate phishing scripts, greatly improving attack efficiency.
Let's discuss the security risks of Web3 Agent tools (these tools have become quite popular in recent years, and the risks are similar to those of regular Web3 tools, but with their own unique characteristics):
1. Over-authorization: Agent tools require users to grant wallet or contract operation permissions. If permissions are set too broad (such as "unlimited transfer permissions"), hackers can directly transfer user assets if the tool itself is attacked. Many users grant full permissions for convenience, which creates hidden dangers.
2. Supply chain attack risks: Agent tools rely on third-party libraries, APIs, or AI models. If these links are infected with malicious code (such as contaminated third-party libraries), the tools can become a "hacker springboard" to steal user private keys or assets. This risk is highly hidden and difficult to detect in advance.
3. Data Leakage Risk: Agent tools may collect user on-chain behavior data (such as transaction records and wallet addresses). If this data is not properly encrypted, it may be leaked or misused, threatening user privacy and asset security.
When using agent tools, it is recommended to only grant "necessary permissions" (such as "single transfer permission" rather than "unlimited permissions"), choose open-source tools with a good community reputation, and regularly check the security of the tool's dependent libraries.
Q11: For Web3 entrepreneurs new to the market, what is your most important security advice in one sentence or one philosophy?
Wang Lei: What is your most important security advice in one sentence or one philosophy for Web3 entrepreneurs new to the market?
Lisa: I'd like to borrow two core values from SlowMist, which I consider to be the most critical security concepts:
1. Reverence for Power: Reverence for all technical strengths and attack risks, both on and off the chain—don't assume that "small projects won't be targeted by hackers." The Web3 industry boasts "financial transparency," and even the smallest projects can become targets.
2. Staying True to the Basics and Developing the Unconventional: "Staying True" means ensuring basic security (such as audits, multi-sig wallets, and real-time monitoring), which is the core of our defense. "Developing the Unconventional" means staying current on the latest attack methods and flexibly adjusting our protection strategies (such as responding to AI phishing and supply chain attacks).
In essence, there's no "one-size-fits-all" solution for Web3 security. Only through "continuous awe and continuous learning" can we survive in this dark forest.
Wang Lei: Thank you, Lisa, for sharing your valuable insights! From analyzing attack methods to reviewing case studies, from a guide for startup teams to avoid pitfalls to analyzing industry opportunities, we clearly see that Web3 security isn't just a nice-to-have, but the very foundation of everything. A single security incident can wipe out a project, and the cost of investing in security upfront is far less than the cost of recovering afterward.
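The "abnormal transaction alerts" Lisa recommends for low-budget teams (large transfers, transfers to unfamiliar addresses) and the batch-small-transfer pattern she mentions in the AI section, worked through as an added Python example. This is not code from the interview and not SlowMist's open-source monitoring script; the treasury address, allowlist, thresholds and transfer records are all constructed for the demo, and the "unfamiliar address" rule is implemented here as "not on a known-counterparty allowlist", which is one reasonable reading of her description.

```python
"""Basic outflow monitor for a project treasury wallet.

Added example, not SlowMist's tooling: flags (1) large transfers,
(2) transfers to addresses outside a known-counterparty allowlist, and
(3) bursts of small transfers inside a short window. All addresses,
thresholds and transfers below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass

WEI_PER_ETH = 10**18


@dataclass(frozen=True)
class Transfer:
    ts: int          # block timestamp, unix seconds
    tx_hash: str
    src: str
    dst: str
    value_wei: int


@dataclass(frozen=True)
class Alert:
    rule: str        # "large_transfer" | "unfamiliar_address" | "small_transfer_burst"
    tx_hash: str
    detail: str


def check_transfers(transfers, watched, allowlist, *, large_eth=50.0, small_eth=1.0,
                    window_s=600, burst_count=5):
    """Return the alerts raised by outgoing transfers from any `watched` address."""
    alerts = []
    small_history = defaultdict(list)  # src -> timestamps of recent small outflows
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.src not in watched:
            continue  # inflows and third-party traffic are not the treasury's outflow risk
        eth = t.value_wei / WEI_PER_ETH
        if eth >= large_eth:
            alerts.append(Alert("large_transfer", t.tx_hash, f"{eth:.2f} ETH to {t.dst}"))
        if t.dst not in allowlist:
            alerts.append(Alert("unfamiliar_address", t.tx_hash, f"{eth:.2f} ETH to {t.dst}"))
        if eth < small_eth:
            hist = small_history[t.src]
            hist.append(t.ts)
            while hist and t.ts - hist[0] > window_s:  # slide the window forward
                hist.pop(0)
            if len(hist) >= burst_count:
                alerts.append(Alert("small_transfer_burst", t.tx_hash,
                                    f"{len(hist)} transfers under {small_eth:g} ETH within {window_s}s"))
                hist.clear()  # one alert per burst, then start counting again
    return alerts


# Constructed demo data (hypothetical addresses, not real chain data)
TREASURY = "0xtreasury"
ALLOWLIST = {"0xexchange-hot-wallet", "0xpayroll"}
SAMPLE = [
    Transfer(1000, "0xtx1", TREASURY, "0xpayroll", 10 * WEI_PER_ETH),               # routine
    Transfer(1100, "0xtx2", TREASURY, "0xexchange-hot-wallet", 60 * WEI_PER_ETH),   # large
    Transfer(1200, "0xtx3", TREASURY, "0xnever-seen-before", 5 * WEI_PER_ETH),      # unfamiliar
    Transfer(1300, "0xtx4", "0xsomeone", TREASURY, 3 * WEI_PER_ETH),                # inflow, ignored
] + [
    Transfer(2000 + 60 * i, f"0xtx{5 + i}", TREASURY, "0xexchange-hot-wallet", WEI_PER_ETH // 2)
    for i in range(5)                                                                # burst of 0.5 ETH
]


def run_demo():
    """Run the three rules over the constructed sample and return the alerts."""
    return check_transfers(SAMPLE, {TREASURY}, ALLOWLIST)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.rule}] {a.tx_hash}: {a.detail}")
```

In a real deployment the transfers would be streamed from an RPC node or indexer rather than a list, and the allowlist rule carries an operational cost worth noting: every new legitimate counterparty must be added before it is paid, otherwise the first payment fires an alert. That friction is deliberate; it is what makes a transfer to a hacker's fresh address visible at the first transaction rather than hours later.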