This report focuses on four major directions: Move, TON, Bitcoin expansion, and Cosmos application chains. It provides a detailed interpretation from three aspects: technological innovation, security challenges, and historical security events, offering insights and considerations for investors, developers, and white-hat hackers:
Move Ecosystem (Aptos, Sui, etc.)
The report introduces how the Move language innovates smart contract programming in resource management, modular design, and built-in security mechanisms, and provides an in-depth analysis of the innovations and security architecture of Aptos and Sui.
The Move language was originally developed by Facebook (now Meta) for the Diem (Libra) project, aiming to address the performance and security bottlenecks of traditional smart contract languages. The design of Move emphasizes the clarity and security of resources, ensuring the controllability of every state change on the blockchain. This innovative programming language has the following significant advantages:
Resource Management Model: Move treats assets as resources, making them non-replicable or destructible. This unique resource management model avoids common issues in smart contracts, such as double spending or accidental asset destruction.
Modular Design: Move allows smart contracts to be constructed in a modular way, improving code reusability and reducing development complexity.
High Security: Move has a large number of built-in security checks at the language level to prevent common security vulnerabilities, such as reentrancy attacks.
Additionally, the report reviews typical security incidents that occurred with the Move virtual machine and Aptos network from 2023 to the end of 2024, reminding the community to be vigilant about potential infinite recursion DoS vulnerabilities, memory pool eviction mechanism flaws, and other issues.
For a detailed review of Move ecosystem security incidents, please download the report for reading
TON Ecosystem
TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, aimed at building a fast, secure, and scalable blockchain platform to provide users with decentralized applications and services. By combining blockchain technology with Telegram's communication features, TON achieves high performance, high security, and high scalability. It supports developers in building various decentralized applications and provides distributed storage solutions. Compared to traditional blockchain platforms, TON offers faster processing speeds and throughput, utilizing a Proof-of-Stake consensus mechanism.
TON employs a Proof-of-Stake consensus mechanism and achieves high performance and multifunctionality through its Turing-complete smart contracts and asynchronous blockchain. The lightning-fast and low-cost transactions of TON are supported by the chain's flexible and sharded architecture. This architecture allows for easy scaling without sacrificing performance. Dynamic sharding involves initially developed separate shards with their own purposes, which can run simultaneously and prevent large-scale congestion. The block time for TON is 5 seconds, with a finalization time of less than 6 seconds.
The existing infrastructure is divided into two main parts:
● Masterchain: Responsible for processing all important and critical data of the protocol, including the addresses of validators and the amount of coins validated.
● Workchain: Secondary chains connected to the masterchain, containing all transaction information and various smart contracts, with each workchain potentially having different rules.
The TON Foundation is a DAO operated by the core TON community, providing various support for projects within the TON ecosystem, including developer support and liquidity incentive programs. The report details the significant progress made by the TON community in multiple areas in 2024, while also revealing a recent vulnerability where malicious contracts can lead to resource exhaustion in the virtual machine through nested structures, warning all parties to continuously strengthen contract security audits.
For more detailed content on the TON ecosystem, please download the report for viewing
Bitcoin Expansion Ecosystem
Layer 2 and sidechain solutions, including the Lightning Network, Liquid Network, Rootstock (RSK), B² Network, and Stacks, are driving breakthroughs in Bitcoin's transaction scalability and programmability. The Lightning Network enhances transaction efficiency, Liquid Network accelerates inter-institutional transactions, while Rootstock combines security with smart contracts to expand the dApp ecosystem. Additionally, B² Network and Stacks further deepen Bitcoin's functionality and application scenarios.
The Lightning Network is one of the most mature and widely used Layer 2 solutions for Bitcoin. It significantly increases Bitcoin's transaction speed and reduces fees by establishing payment channels that move a large number of small transactions off the main chain.
Image source: https://lightning.network/lightning-network-presentation-time-2015-07-06.pdf
The Liquid Network is a sidechain running on the open-source Elements blockchain platform, designed for faster transactions between exchanges and institutions. It is governed by a distributed alliance composed of Bitcoin companies, exchanges, and other stakeholders. Liquid uses a two-way peg mechanism to convert BTC to L-BTC and vice versa.
Image source: https://docs.liquid.net/docs/technical-overview
Rootstock has been the longest-running Bitcoin sidechain since its inception in 2015, launching its mainnet in 2018. Its uniqueness lies in combining Bitcoin's Proof-of-Work (PoW) security with Ethereum's smart contracts. As an open-source, EVM-compatible Bitcoin Layer 2 solution, Rootstock provides an entry point for the growing dApp ecosystem and aims for complete trustlessness.
The B² Network's technical architecture includes a two-layer structure: Rollup layer and Data Availability (DA) layer. B² Network aims to redefine user perceptions of Bitcoin's second-layer solutions.
Since its launch on the mainnet in 2018 under the name Blockstack, Stacks has become a leading Bitcoin Layer 2 solution. Stacks connects directly to Bitcoin, allowing for the building of smart contracts, dApps, and NFTs on Bitcoin, significantly expanding Bitcoin's functionality beyond just a value storage tool. It employs a unique Proof-of-Transfer (PoX) consensus mechanism that ties its security directly to Bitcoin without modifying Bitcoin itself.
Image source: https://docs.stacks.co/stacks-101/proof-of-transfer
Babylon's vision is to extend Bitcoin's security to protect the decentralized world. By leveraging three aspects of Bitcoin — its timestamp service, block space, and asset value — Babylon can transfer Bitcoin's security to numerous Proof-of-Stake (PoS) chains, creating a more robust and unified ecosystem.
While these technologies bring more possibilities to the Bitcoin ecosystem, they also face challenges such as the "substitute loop attack" on the Lightning Network, UTXO calculation errors, and risks associated with PoW rollback mechanisms.
Read the full report for more detailed content on the Bitcoin ecosystem
Cosmos Application Chain Ecosystem
With Tendermint consensus, Cosmos SDK, and IBC cross-chain communication at its core, there are several technological innovations in the design concept of the blockchain internet.
The architecture of Cosmos adopts a Hub and Zone model, where the Hub serves as the core node for cross-chain connections, coordinating multiple Zones (independent blockchains). The innovation of this architecture lies in:
Decentralized Management: Each Zone is an independent, autonomous blockchain that does not rely on a single centralized management node.
Efficient Cross-Chain Connectivity: Through the Hub, seamless cross-chain communication and asset flow can occur between Zones, achieving true interoperability.
The report deeply analyzes potential security risks in the Cosmos application chain, from multi-module invocation sequences to cross-chain message passing, and combines the security controversies and governance process issues of the Liquid Staking Module (LSM) to provide warnings and insights for more application chain projects.
Read the full report for more detailed content on the Cosmos application chain ecosystem
Years of Vulnerability Research Findings
The report details the nine major types of security vulnerabilities commonly found in the blockchain industry. These vulnerabilities span different technical layers and involve core components of multiple blockchain ecosystems, covering various aspects from cross-chain communication to economic model design.
1. L2/L1 Cross-Chain Communication Vulnerabilities: Cross-chain communication is an important means to enhance the interoperability of blockchain ecosystems, but there are many security risks in its implementation. For example, L2 may not consider L1 block rollbacks, on-chain event forgery, and whether transactions sent to L1 are successful.
2. Cosmos Application Chain Vulnerabilities: As an ecosystem centered on blockchain interoperability, Cosmos allows different blockchains to connect through IBC (Inter-Blockchain Communication protocol). However, there may be some vulnerabilities and security risks in the implementation of Cosmos application chains, such as BeginBlocker and EndBlocker crash vulnerabilities, incorrect use of local time, incorrect use of random numbers, and other vulnerabilities and security risks.
3. Bitcoin Expansion Ecosystem Vulnerabilities: Including Bitcoin script construction vulnerabilities, vulnerabilities caused by unconsidered derivative assets, UTXO amount calculation errors, etc.
4. Common Programming Language Vulnerabilities (such as infinite loops, infinite recursion, integer overflow, race conditions, etc.)
5. P2P Network Vulnerabilities: P2P (peer-to-peer) networks are used for direct connections and communication between distributed nodes in blockchain systems. Although P2P networks provide the network foundation for decentralized systems, they also face a series of common vulnerability types, such as asymmetric attack vulnerabilities, lack of trust model mechanisms, and lack of node count limitation mechanisms.
6. DoS Attacks: Including memory exhaustion attacks, disk exhaustion attacks, kernel handle exhaustion attacks, persistent memory leaks, etc.
7. Cryptographic Vulnerabilities: Cryptographic vulnerabilities can compromise the confidentiality and integrity of data, posing potential security threats to the system. Major types of cryptographic vulnerabilities include using hash algorithms that have been proven to be insecure, using unsafe custom hash algorithms, and hash collisions caused by unsafe usage.
8. Ledger Security Vulnerabilities: (such as transaction memory pool vulnerabilities, block hash collision vulnerabilities, orphan block processing logic vulnerabilities, Merkle tree hash collision vulnerabilities, etc.)
9. Economic Model Vulnerabilities: Economic models play a crucial role in blockchain and distributed systems, affecting the network's incentive mechanisms, governance structures, and overall sustainability. The economic model vulnerabilities listed in the report require special attention.
Read the full report to understand the detailed content on types of security vulnerabilities
Common Attack Surface List
The report also lists 13 common attack surfaces, each of which could become a breakthrough point for hacker attacks, warranting extra attention from developers and project teams:
Virtual Machine
P2P Node Discovery and Data Synchronization Module
Block Parsing Module
Transaction Parsing Module
Consensus Protocol Module
6. “For other attack surfaces, please refer to the report”
…
Best Practices for Secure Development
Through rich case reviews and offensive and defensive practices, the report distills a systematic approach to security response.
In terms of security protection, this report provides detailed recommendations on best practices for chain development, covering aspects such as block and transaction processing, smart contract virtual machines, logging systems and RPC interface, P2P protocol design to prevent DoS attacks, encryption and authentication at the transport layer, fuzzing and static code analysis, and third-party security audit processes, aiming to provide clear and feasible security guidance for the entire lifecycle of blockchain projects.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
