1. Preface

This report is jointly produced by TonBit, a subsidiary of Web3 blockchain security audit company BitsLab, and its partner TONX. With the continuous development of blockchain technology and its increasingly wide application, the TON ecosystem continued to show strong growth momentum in 2024, attracting the attention of a large number of developers, investors, and users.

In 2024, the TON ecosystem made significant progress in technological innovation, application landing, and community construction, further consolidating its position in the blockchain field. However, as the ecosystem rapidly develops, security issues are also becoming increasingly prominent. In the face of evolving security threats, effective prevention and response have become important topics for the TON ecosystem.

2. Overview of the TON Ecosystem

2.1 Introduction to the TON Ecosystem

Basic Introduction and Architecture

TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, aiming to build a fast, secure, and scalable blockchain platform to provide users with decentralized applications and services. By combining blockchain technology and Telegram's communication functionality, TON achieves high performance, high security, and high scalability. It supports developers in building various decentralized applications and provides distributed storage solutions. Compared to traditional blockchain platforms, TON has faster processing speed and throughput and adopts a Proof-of-Stake consensus mechanism.

2.2 Why Choose TON

When competing with the strong liquidity and community of Bitcoin and Ethereum, TON demonstrates unique advantages. The blockchain trilemma proposed by Vitalik Buterin describes the challenges faced by Layer 1 networks in balancing security, scalability, and efficiency. While Bitcoin and Ethereum each have their own advantages and disadvantages, TON overcomes many of these challenges through its flexible and sharded PoS architecture.

2.2.1 Flexible and Sharded PoS Architecture

TON adopts a Proof-of-Stake consensus mechanism and achieves high performance and versatility through its Turing-complete smart contracts and asynchronous blockchain. TON's lightning-fast and low-cost transactions are supported by the chain's flexible and sharded architecture. This architecture allows for easy scalability without sacrificing performance. Dynamic sharding involves initially developed separate shards with their own purposes, which can run simultaneously and prevent large-scale congestion. TON's block time is 5 seconds, with a final confirmation time of less than 6 seconds.

The existing infrastructure is divided into two main parts:

• Masterchain: Responsible for handling all important and critical data of the protocol, including validator addresses and validated coin amounts.

• Workchain: Secondary chains connected to the masterchain, containing all transaction information and various smart contracts, with each workchain able to have different rules.

2.2.2 Use Case Expansion and Advantages

The TON Foundation, operated by the TON core community, provides various support for projects in the TON ecosystem, including developer support and liquidity incentive programs. In 2024, the TON community made significant progress in several areas:

• Launch of TON Connect 2.0: Providing an intuitive way to connect wallets and applications, improving user experience.

• TON Verifier: An intelligent contract checker created by the Orbs team, enhancing contract reliability.

• Blueprint Development Tool: Assisting developers in writing, testing, and deploying smart contracts.

• Sandbox Developer Toolkit: Applicable to various use cases from enterprises to governments.

• Tact Language Beta Version: Promoting a more powerful programming environment.

• Internationalization of TON Society: Launching international centers in multiple cities worldwide.

• DeFi Liquidity Incentive Program: Providing funding for projects, promoting sustainability in the TON DeFi field.

2.3 Overview of TON's Development Direction and Goals in 2024

TON's development roadmap includes many interesting plans, such as stablecoin toolkits, sharding tools, and native bridges for BTC, ETH, and BNB.

• Gas-Free Transactions: TON may subsidize gas fees in certain cases to attract more users.

• Separation of Validation Nodes and Packing Nodes: This is a major upgrade for TON's scalability, with plans to onboard 500 million Telegram users by 2028.

• Elector and Configuration Contract Updates: Allowing users to vote on network proposals.

• TON Stablecoin Toolkit: Allowing anyone to issue algorithmic stablecoins pegged to local fiat currencies.

• Jetton Bridge: Allowing users to send TON tokens to other chains.

• ETH, BNB, and BTC Bridges: Introducing official bridges to bring major cryptocurrencies into TON.

• Non-Native Tokens: Allowing TON users to create tokens similar to native ones.

3. Ecosystem Development Status

3.1 Ecosystem Overview

The TON Foundation's official website showcases nearly 1000 applications covering a wide range of areas such as decentralized finance (DeFi), gaming, social media, and utility applications. Through these projects, the TON Foundation demonstrates its leading position in the blockchain technology field and drives innovation and ecosystem development.

3.2 Key Metrics of the TON Ecosystem

As of July 27, 2024, the number of validation nodes on the TON chain is 383, with a total staked TON amount of over 590 million, distributed across 29 countries. The daily active address count has reached 373,000, showing a 5360% year-on-year increase. The DeFi ecosystem of the TON network demonstrates strong growth momentum, with 1,784,089 independent users, a total value locked (TVL) of $706,307,873, and 26,297 liquidity providers.

3.3 How TON Becomes a Powerful Decentralized Gaming Platform

3.3.1 Reasons for Building Decentralized Games Based on TON

Developing decentralized games based on the TON blockchain provides a range of advantages for enterprises and developers:

• Integration with Telegram: Providing access to over 900 million monthly active users.

• Powerful user acquisition and retention tools: Including the Telegram app center and advertising tools.

• Fast and efficient blockchain: Processing over 100,000 transactions per second while maintaining low fees.

• Diverse monetization opportunities: Such as in-app advertising and tradable non-fungible tokens.

• Simple and accessible: Providing a full set of tools suitable for GameFi Web3 developers and players.

4. TON Ecosystem Security Research

4.1 How to Develop Securely on TON

To ensure the security of smart contracts, a series of security measures need to be taken. Here are some key security practices in the TON ecosystem:

1. Access Control

   Description: When there are important logic or sensitive operations in the contract that require specific authorized users to execute, access control should be implemented to prevent attackers from executing sensitive operations, which could cause serious damage.

   Practices:

   ➢ Identify which operations require permission control.

   ➢ Restrict access to operations requiring permission by validating the sender of the message.

   ➢ Regularly review and update access control policies to adapt to changes in contract requirements.

   Specific proposals can be found at:

   https://github.com/ton-blockchain/TEPs/pull/180

   https://github.com/ton-blockchain/TEPs/pull/181

2. Validate Message Inputs

   Description: Lack of proper validation or filtering of external inputs in smart contracts can lead to malicious users or attackers inputting malicious data, potentially resulting in unsafe behavior or vulnerabilities.

   Practices:

   ➢ Strictly validate and filter all external inputs, including data type validation, boundary checks, and sanitizing user input.

   ➢ Consider all possible input scenarios, including edge cases and unexpected inputs.

   ➢ Regularly audit and test input validation logic.

3. Check Gas Usage

   Description: When processing internal messages, the sender usually needs to pay gas fees. When processing external messages, the contract pays for gas usage. This means that caution is needed with gas usage in external messages. Always test the contract's gas usage to verify that everything runs as expected and to avoid vulnerabilities that could deplete the contract balance.

   Practices:

   ➢ Monitor and optimize gas usage during development.

   ➢ Use gas limits to prevent high consumption operations.

   ➢ Regularly test the contract's gas consumption in different scenarios.

4. Timestamp Dependency

   Description: Some smart contracts' behavior depends on block timestamps, which can be manipulated by validators. For example, validators can selectively include or exclude certain transactions, or adjust timestamps to serve certain purposes. This behavior can manipulate contract logic and pose security risks.

   Practices:

   ➢ Avoid directly relying on block timestamps for critical logic decisions.

   ➢ If timestamps must be used, ensure the use of more reliable and uncontrollable methods.

   ➢ Implement a time buffer mechanism to allow for some variation in time, reducing reliance on a single time point.

   ➢ Regularly review contract logic to ensure it is not vulnerable to timestamp manipulation.

5. Integer Overflow

   Description: Integer overflow and underflow are arithmetic operations that exceed the variable's representation range, resulting in incorrect calculations. Integer overflow typically occurs in addition, subtraction, multiplication, and other operations. If not controlled, it can lead to serious security issues, such as incorrect balance calculations or unexpected fund transfers.

   Practices:

   ➢ Use secure math libraries to handle integer operations.

   ➢ Add overflow checks before and after all mathematical operations.

   ➢ Regularly audit contract code to ensure all integer operations are protected.

6. Rounding Errors

   Description: Rounding error risk refers to calculation errors due to precision limitations or improper rounding methods in numerical operations. Especially when dealing with currency or high-precision values, rounding errors can lead to fund losses or unfair distribution.

   Practices:

   ➢ Use high-precision numerical libraries or fixed-point libraries to handle currency operations.

   ➢ Regularly test and verify numerical operation logic to ensure precision meets expectations.

   ➢ Clearly label rounding methods in the code to ensure consistency.

7. Denial of Service

   Description: Denial of service risk refers to consuming smart contract computational resources or triggering error conditions, causing the contract to fail to execute normally or enter into endless operations. This may prevent legitimate users from interacting with the contract and even hinder contract state updates.

   Practices:

   ➢ Limit loop iterations or recursion depth to avoid long-running operations.

   ➢ Check remaining gas before critical operations to avoid transaction failures due to insufficient gas.

   ➢ Regularly review and optimize contract logic to ensure efficiency and reliability.

   ➢ Use event logging to record important operations for troubleshooting and recovery.

8. Business Logic

   Description: Business logic vulnerabilities refer to design flaws or implementation errors in smart contracts when implementing their business processes, leading to abnormal behavior under certain circumstances. These vulnerabilities may be exploited by malicious users, resulting in fund losses, data tampering, or contract malfunctions. Business logic vulnerabilities are typically not coding errors but misunderstandings or imperfect implementations of business requirements and processes.

   Practices:

   ➢ Thoroughly understand and analyze business requirements to ensure correct logic design.

   ➢ Regularly conduct code audits and logic validation to promptly discover and fix vulnerabilities.

   ➢ Write comprehensive test cases covering all possible business scenarios.

By implementing the above security practices, we can significantly enhance the security of smart contracts, reduce risks, and ensure the stable operation of contracts and the safety of user funds.

4.2 Review of Security Incidents in the TON Ecosystem

In 2024, the TON ecosystem experienced several security incidents, revealing its security challenges. The following are detailed descriptions of some important events, analysis of the causes, impacts, and their solutions, as well as an inventory of typical security vulnerabilities.

1.A protocol's staking contract was attacked, resulting in a significant loss of tokens

Date: May 22, 2024

Loss Amount: /

Root Cause: Parameter configuration error

Description:

Following a staking event celebrating the prosperity of the TON ecosystem, a protocol's staking contract was attacked due to a parameter configuration error, resulting in a large amount of tokens being stolen from the contract. After the attack, the project team immediately suspended the staking reward claiming function and allocated a large amount of $USDT for repurchasing the lost 307,264 tokens.

After the attack, the project team quickly contacted TonBit for an audit. TonBit demonstrated its professionalism, quickly responded, and mobilized a team of security experts to conduct a comprehensive and detailed security audit of the project's core code. TonBit's security experts identified 6 low-risk issues and immediately communicated in detail with the project team. With their extensive experience and professional technical capabilities, TonBit not only provided specific solutions to the issues but also assisted the team in promptly fixing all the issues, ensuring the security and stability of the contract.

Issues related to configuration discovered in TonBit's audit:

Solution: Modify parameter configuration

2. Hacker Misleads Users with Controllable Comment Information in Wallet

Date: May 10, 2024

Loss Amount: 22,000 TON

Root Cause: Potential misleading of users by comment information displayed when conducting transactions in the wallet

Description:

When processing transfers in Ton, although comments can be added, some wallets have a potential misleading risk in the UI design when displaying these comments. This design flaw was exploited by hackers, allowing them to manipulate the comments in transfers messages to display false information to users during transactions, leading to fraudulent behavior and causing users to make mistakes, resulting in financial losses.

Solution:

To address this issue, wallet applications need to add prominent notices when displaying this information to remind users that these contents are not trustworthy. Additionally, wallet development teams should improve UI design to ensure transparency and reliability in displaying transaction information. Users also need to enhance their discernment and be cautious of suspicious transaction information.

Further Measures:

TonBit suggests that wallet development teams introduce multi-layer verification mechanisms when displaying transaction comment information, such as source verification of the comments to ensure the reliability of the information. Additionally, regular user education and security tips should be provided to help users identify and prevent potential fraudulent activities. By combining technical means and user education, the occurrence of such security incidents can be effectively reduced.

3. BookPad Scams Funds with Backdoored Contract and Runs Away

Date: April 15, 2024

Loss Amount: 74,424 TON

Root Cause: BookPad uses a backdoored contract to siphon user funds and then absconds

Description:

BookPad released a non-open-source smart contract with a backdoor and began a presale activity. After receiving sufficient funds, they used the backdoor in the contract to withdraw the funds and then quickly ran away.

Solution:

To prevent similar events from happening again, users should gather as much information as possible about the project before participating in any investment activities, choosing projects that are open-source and have undergone rigorous security audits.

TonBit recommends that users pay special attention to the following points:

1. Open Source Nature of the Project: Confirm that the smart contract code is open-source, allowing independent security experts to review it to ensure there are no hidden vulnerabilities or malicious code.

2. Security Audit: Choose projects audited by reputable security audit firms. Security audits can discover and fix potential vulnerabilities in the contract, providing additional assurance.

3. Project Background Investigation: Investigate the background of the project team, the reputation of team members, and their historical records. Projects with high transparency and good reputation are more trustworthy.

4. Community Feedback: Pay attention to the community's feedback on the project, participate in discussions, and understand the project's reputation and potential risks.

Further Measures:

TonBit suggests introducing stricter supervision and review mechanisms in the TON ecosystem for new projects, conducting qualification audits to ensure they meet security standards. Additionally, establishing a public contract code repository where only audited contracts can be used will significantly reduce the risk of user funds being stolen and enhance the security and credibility of the entire TON ecosystem.

5. How to Stay Safe on TON and Telegram

With the rapid growth of the TON and Telegram ecosystems, which now have over 38 million active accounts, increased attention has also brought greater risks.

Scammers and malicious actors target new users flooding into the ecosystem, and even in the most secure ecosystems, it is crucial to remain vigilant and aware of potential risks. Here are some of the most common scams you need to be extra cautious about.

5.1 Common Scam Methods

1. Urgent Help from a Friend: Scammers impersonate friends or family members and urgently request funds. Always verify their identity.
2. Phishing Websites: Fake websites mimic real ones to steal login information. Verify the URL and avoid clicking on unknown links.
3. Investment Scams: Common in the cryptocurrency field, promising high returns without proof. Research thoroughly; if it sounds too good to be true, it probably is a scam.
4. Fake Surveys: Offer rewards for participating in surveys to steal personal information. Avoid providing detailed information to unknown surveyors.
5. Fake Job Opportunities: Attractive job ads requiring personal information, app downloads, or fees. Verify through official channels.
6. Classified Ad Scams: Fake ads lead you to fake Telegram bots to steal information.
7. Pump and Dump Schemes: Groups manipulate cryptocurrency prices for profit, causing losses to others. Always research and verify investment advice.
8. Romance Scams: In online relationships, scammers request money or personal information. Be cautious of requests for money from people you meet online.

5.2 Beware of Toncoin Pyramid Schemes

Unfortunately, Telegram's support for the TON blockchain has attracted some scammers who attempt to take advantage of unsuspecting users. Here is a detailed analysis of this scam:

1. Setup: Scammers send links to an "exclusive money-making plan," seemingly from friends or contacts. They guide users to join an unofficial Telegram bot, claiming it is for storing cryptocurrencies.
2. Investment: Users are instructed to purchase Toncoin through legitimate channels (such as wallets, P2P markets, or cryptocurrency exchanges). This adds false credibility. Once purchased, users are required to transfer their Toncoin to the scam bot.
3. Accelerator: Victims are forced to purchase an "accelerator" through a separate bot, with fees ranging from 5 to 500 Toncoin. At this stage, users lose their cryptocurrency.
4. Recruitment: Scammers promote a referral program, requiring users to create a private Telegram group and invite friends. They promise a fixed payment of 25 TON for each referral and commissions based on the accelerators purchased by the referrer.

In reality, this is a typical pyramid scheme. Scammers make money, while others lose their investment.

5.3 How to Avoid Online Scams

To protect yourself from online scams and ensure the security of your Telegram account, follow these basic steps:

1. Enable Two-Step Verification on Telegram: Go to "Settings > Privacy and Security > Two-Step Verification" to add extra security to your account.
2. Verify Contacts: Be cautious of unsolicited messages, especially those requesting personal information or funds. Confirm the sender's identity through other means.
3. Regularly Check Telegram Account Activity: Go to "Settings > Devices > Active Sessions" to check for unknown devices or sessions in your account.
4. Report Suspicious Activity: If you encounter fraudulent behavior, report it to Telegram.
5. Avoid Get-Rich-Quick Schemes: Be cautious of these schemes, even if recommended by friends or family; they may also be victims.
6. Do Not Transfer Cryptocurrency to Unknown Wallets: Always verify the recipient's identity before transferring cryptocurrency to avoid being scammed.

Staying safe on TON and Telegram requires vigilance and awareness. By identifying common scam methods and following these security tips, you can protect your assets and personal information. Always verify the source, remain skeptical of offers that sound too good to be true, and only conduct transactions through official channels. Stay informed and cautious, and you can enjoy the benefits of TON and Telegram without falling victim to fraud!

6. Conclusion

The reason for choosing TON lies in recognizing the ecosystem of Telegram itself. Deploying your Web3 project on TON can leverage the massive user base of Telegram, with over 700 million monthly active users. This integration provides a fertile environment for the prosperity of decentralized applications. TonBit is committed to providing comprehensive security for the TON ecosystem, helping projects achieve higher security standards and user trust. As the guardian of security in the TON ecosystem, TonBit will continue to work hard to contribute to the development of blockchain technology.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。