1. Introduction

This report is produced by TonBit, a sub-brand of Web3 blockchain security audit company BitsLab, and its partner TONX. With the continuous development and increasing application of blockchain technology, the TON ecosystem continues to show strong growth momentum in 2024, attracting the attention of a large number of developers, investors and users.

In 2024, the TON ecosystem will continue to make significant progress in technological innovation, application implementation, and community construction, further consolidating its position in the blockchain field. However, with the rapid development of the ecosystem, security issues have become increasingly prominent. In the face of evolving security threats, how to effectively prevent and respond has become an important issue in the TON ecosystem.

2.TON Ecosystem Overview

2.1 Introduction to TON Ecosystem

Basic Introduction and Architecture

TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, which aims to build a fast, secure and scalable blockchain platform to provide users with decentralized applications and services. By combining blockchain technology and Telegram's communication functions, TON achieves high performance, high security and high scalability. It supports developers to build various decentralized applications and provides distributed storage solutions. Compared with traditional blockchain platforms, TON has faster processing speed and throughput, and adopts the Proof-of-Stake consensus mechanism.

2.2 Why choose TON

TON demonstrates unique advantages when competing with the strong liquidity and community of Bitcoin and Ethereum. The blockchain trilemma proposed by Vitalik Buterin describes the challenges faced by Layer 1 networks in balancing security, scalability, and efficiency. Bitcoin and Ethereum each have their own advantages and disadvantages, but TON overcomes many of these challenges through a flexible and shardable PoS architecture.

2.2.1 Flexible and shardable PoS architecture

TON uses a proof-of-stake consensus mechanism and achieves high performance and versatility through its Turing-complete smart contracts and asynchronous blockchain. TON's lightning-fast and low-cost transactions are supported by the chain's flexible and shardable architecture. This architecture allows it to scale easily without losing performance. Dynamic sharding involves the initial development of separate shards with their own purposes that can run simultaneously and prevent large-scale backlogs. TON has a block time of 5 seconds and a finalization time of less than 6 seconds.

The existing infrastructure is divided into two main parts:

● Masterchain: Responsible for processing all important and critical data of the protocol, including the address of the validator and the amount of coins verified.

● Workchain: A secondary chain connected to the main chain, containing all transaction information and various smart contracts. Each workchain can have different rules.

2.2.2 Extended Use Cases and Advantages

The TON Foundation is a DAO operated by the TON core community and provides various support to projects in the TON ecosystem, including developer support and liquidity incentive programs. In 2024, the TON community has made significant progress in multiple aspects:

● Launch of TON Connect 2.0: provides an intuitive way to connect wallets and applications, improving user experience.

● TON Verifier: A smart contract checker created by the Orbs team that improves the reliability of contracts.

● Blueprint development tool: helps developers write, test and deploy smart contracts.

● Sandbox Developer Toolkit: for a variety of use cases from enterprise to government.

● Tact language Beta version: promotes a more powerful programming environment.

● TON Society Internationalization: International centers have been launched in multiple cities around the world.

● DeFi Liquidity Incentive Program: Provide funding for projects and promote the sustainability of the TON DeFi space.

2.3 Overview of TON development direction and goals in 2024

TON’s development roadmap contains many interesting initiatives, such as a stablecoin toolkit, sharding tools, and native bridges for BTC, ETH, and BNB.

● Gas-free transactions: TON may subsidize gas fees in certain cases to attract more users.

● Separation of verification nodes and packaging nodes: This is a major upgrade of TON’s scalability, and it plans to attract 500 million Telegram users by 2028.

● Voters and configuration contract updates: Allow users to vote on network proposals.

● TON Stablecoin Toolkit: allows anyone to issue algorithmic stablecoins pegged to local fiat currencies.

● Jetton Bridge: allows users to send TON tokens to other chains.

● ETH, BNB, and BTC Bridge: Launch official bridges to introduce major cryptocurrencies to TON.

● Non-native tokens: Allow TON users to create native-like tokens.

3. Ecological development

3.1 Ecological Overview

The TON Foundation's official website displays nearly 1,000 applications, covering a wide range of fields such as decentralized finance (DeFi), games, social media, and utility applications. Through these projects, the TON Foundation demonstrates its leading position in the field of blockchain technology and promotes the development of innovation and ecosystem.

3.2 TON Ecosystem Key Indicators

As of July 27, 2024, there are 383 validator nodes on the TON chain, with a total of more than 590 million staked $TON, distributed in 29 countries. The number of daily active addresses reached 373,000, a year-on-year increase of 5360%. The DeFi ecosystem of the TON network has shown strong development momentum, with 1,784,089 unique users, a total locked value (TVL) of $706,307,873, and 26,297 liquidity providers.

3.3 How TON becomes a powerful decentralized gaming platform

3.3.1 The main reason for building a decentralized game based on TON

Developing decentralized games based on the TON blockchain offers a range of advantages to businesses and developers:

● Integration with Telegram: Provides access to over 900 million monthly active users.

● Powerful user acquisition and retention tools: including Telegram App Center and advertising tools.

● Fast and efficient blockchain: Processing over 100,000 transactions per second, keeping fees low.

● Diverse monetization opportunities: such as in-app advertising and tradable non-fungible tokens.

● Simple and accessible: Providing a complete set of tools suitable for GameFi Web3 developers and players.

4. TON Ecosystem Security Research

4.1 How to do secure development on TON

In order to ensure the security of smart contracts, we need to take a series of security measures. The following are some key security practices of the TON ecosystem:

1. Access Control

   Description: When there are some important logic or sensitive operations in the contract that need to be executed by specific authorized users, we should do a good job of access control to prevent attackers from performing sensitive operations and causing serious damage.

   practice:

   ➢ Determine which operations require permission control.

   ➢ For operations that require permissions, access can be restricted by verifying the sender of the message.

   ➢ Regularly review and update access control policies to adapt to changes in contract requirements.

   Specific proposals can be found at:

   https://github.com/ton-blockchain/TEPs/pull/180

   https://github.com/ton-blockchain/TEPs/pull/181

2. Validation message input

   Description: Lack of proper validation or filtering of external inputs in smart contracts can allow malicious users or attackers to enter malicious data, which may lead to unsafe behavior or vulnerabilities.

   practice:

   ➢ Perform strict validation and filtering on all external input, including validating data types, checking boundary conditions, and cleaning user input.

   ➢ Consider all possible input scenarios, including edge cases and unexpected input.

   ➢ Regularly audit and test input validation logic.

3. Checking Gas Usage

   Description: When processing internal messages, the sender usually needs to pay for gas usage. When processing external messages, the contract pays for gas usage. This means that you need to be careful about gas usage in external messages. You should always test your contract's gas usage to verify that everything is working as expected and to avoid vulnerabilities that could drain the contract's balance.

   practice:

   ➢ Monitor and optimize Gas usage during development.

   ➢ Use Gas limit to prevent high-cost operations.

   ➢ Regularly test the gas consumption of the contract in different scenarios.

4. Timestamp dependency

   Description: The behavior of some smart contracts depends on block timestamps, which may be manipulated by validators. For example, validators can selectively include or exclude certain transactions, or adjust timestamps to serve certain purposes. This behavior may cause the contract logic to be manipulated, posing security risks.

   practice:

   ➢ Avoid relying directly on block timestamps for key logic judgments.

   ➢ If you must use timestamps, make sure to use a more reliable and uncontrolled method.

   ➢ Use a time buffer mechanism to allow time to vary within a certain range and reduce dependence on a single time point.

   ➢ Regularly review the contract logic to ensure it is not affected by timestamp manipulation.

5. Integer Overflow

   Description: Integer overflow and underflow are operations on exponential values ​​that exceed the range of the variable representation, resulting in incorrect calculation results. Integer overflow usually occurs in operations such as addition, subtraction, and multiplication. If not controlled, it may cause serious security issues such as incorrect balance calculation or unexpected fund transfer.

   practice:

   ➢ Use a safe math library to handle integer operations.

   ➢ Add overflow checks before and after all math operations.

   ➢ Audit contract codes regularly to ensure that all integer operations are protected.

6. Rounding error

   Description: Rounding error risk refers to the error in the calculation results due to precision limitations or improper rounding methods in numerical operations. Especially when dealing with currency or high-precision numbers, rounding errors may lead to financial losses or unfair distribution.

   practice:

   ➢ Use high-precision numeric libraries or fixed-point libraries to handle monetary operations.

   ➢ Regularly test and verify numerical operation logic to ensure that the accuracy meets expectations.

   ➢ Clearly mark the rounding method in the code to ensure consistency.

7. Denial of Service

   Description: Denial of service risk refers to the consumption of computing resources of smart contracts or the triggering of error conditions, causing the contract to fail to execute normally or fall into endless operations. This may prevent legitimate users from interacting with the contract or even prevent the contract status from updating.

   practice:

   ➢ Limit the number of loops or recursion depth to avoid long-running operations.

   ➢ Check the remaining Gas before key operations to avoid transaction failures due to insufficient Gas.

   ➢ Regularly review and optimize contract logic to ensure efficiency and reliability.

   ➢ Use event logs to record important operations for easy troubleshooting and recovery.

8. Business Logic

Description: Business logic vulnerabilities refer to design flaws or implementation errors in smart contracts when implementing their business processes, causing the contract to behave abnormally in certain situations. These vulnerabilities can be exploited by malicious users, resulting in serious consequences such as loss of funds, data tampering, or failure of contract functions. Business logic vulnerabilities are usually not coding errors, but misunderstandings or imperfect implementations of business requirements and processes.

practice:

➢ Deeply understand and analyze business requirements to ensure correct logical design.

➢ Regularly conduct code audits and logic verification to promptly discover and fix vulnerabilities.

➢ Write comprehensive test cases to cover all possible business scenarios.

Through the above security practices, we can greatly improve the security of smart contracts, reduce risks, and ensure the stable operation of contracts and the safety of users' funds.

4.2 Review of TON Ecosystem Security Events

In 2024, several security incidents occurred in the TON ecosystem, revealing its security challenges. The following is a detailed description of some important incidents, analyzing the causes, impacts and solutions of the incidents, and an inventory of some typical security vulnerabilities.

1. The pledge contract of a certain protocol was attacked, resulting in a large amount of token loss

Date: May 22, 2024

Amount of loss: /

Root cause: Parameter configuration error

describe:

After a staking event to celebrate the prosperity of the TON ecosystem, a staking contract of a certain protocol was hacked due to a misconfiguration of protocol parameters, resulting in a large number of tokens being stolen from the contract. After the incident, the project immediately suspended the staking reward collection function and allocated a large amount of $USDT to repurchase the lost 307,264 tokens.

After the attack, the project quickly contacted TonBit for an audit. TonBit demonstrated its professionalism by responding quickly and mobilizing a team of security experts to conduct a comprehensive and detailed security audit of the project's core code. TonBit's security experts found 6 low-risk issues and immediately communicated in detail with the project team. With rich experience and professional technical capabilities, TonBit not only provided specific solutions to the problems, but also assisted the team in quickly completing the repair of all problems, ensuring the security and stability of the contract.

Issues related to configuration found by TonBit audit:

Solution: Modify parameter configuration

2. Hackers use wallets to display controllable comment information to mislead users

Date: May 10, 2024

Amount lost: 22,000 TON

Root cause: The comment information displayed by the wallet when conducting transactions may mislead users

describe:

Although comments can be added when processing transfers messages in Ton, the UI design of some wallets when displaying these comments has the potential risk of misleading. This design flaw is exploited by hackers. By manipulating the content of the comments of the transfers message, hackers can display false information to users during the transaction, thereby committing fraud, causing users to make mistakes and causing financial losses.

Solution:

To solve this problem, wallet applications need to add eye-catching annotations when displaying this information to remind users that this content is not credible. In addition, the wallet development team should improve the UI design to ensure the transparency and reliability of transaction information display. At the same time, users also need to improve their ability to distinguish and be wary of suspicious transaction information.

Further measures:

TonBit recommends that wallet development teams introduce a multi-layer verification mechanism when displaying transaction annotation information, such as source verification of annotation information to ensure the reliability of information. In addition, regular user education and security tips should be issued to help users identify and prevent potential fraud. By combining technical means and user education, the occurrence of such security incidents can be effectively reduced.

3. BookPad used a backdoor contract to defraud funds and then ran away with the money

Date: April 15, 2024

Amount lost: 74,424 TON

Root cause: BookPad used a backdoor contract to suck user funds and then ran away

describe:

BookPad released a backdoored and closed smart contract to start pre-sale activities. After receiving enough funds, they used the backdoor in the contract to withdraw funds and then quickly ran away with the money.

Solution:

To prevent similar incidents from happening again, users should collect as much information as possible about the project before participating in any investment activities of any project, and choose projects that are open source and have undergone strict security audits.

TonBit recommends that users pay special attention to the following points:

1. Open source of the project: Confirm that the smart contract code is open source, so that independent security experts can review it to ensure that there are no hidden vulnerabilities or malicious code.

2. Security Audit: Choose projects that have been audited by well-known security auditing organizations. Security audits can find and fix potential vulnerabilities in contracts, providing additional protection.

3. Project background investigation: Investigate the background of the project owner, the reputation and historical records of the team members. Project owners with high transparency and good reputation are more trustworthy.

4. Community feedback: Pay attention to the community’s feedback on the project, participate in discussions, and understand the project’s reputation and potential risks.

Further measures:

TonBit suggests introducing a stricter supervision and audit mechanism in the TON ecosystem to conduct qualification audits on new projects to ensure that they meet security standards. In addition, a public contract code base can be set up, and only audited contracts can be used. This will greatly reduce the risk of user funds being stolen and improve the security and credibility of the entire TON ecosystem.

5 How Users Can Stay Safe on TON and Telegram

As the TON and Telegram ecosystem has grown rapidly, with more than 38 million active accounts today, the attention that comes with it also brings greater risks.

Scammers and malicious actors are targeting the influx of new users, and even in the safest ecosystems, it’s still crucial to stay vigilant and aware of potential risks. Here are the most common scams you need to watch out for.

5.1 Common fraud methods

1. Friends in need of help: Scammers may pose as friends or family members and urgently request funds. Always verify their identity.

2. Phishing: Fake websites that mimic real websites and steal login information. Check the URL and avoid clicking on unknown links.

3. Investment scams: These scams are very common in the cryptocurrency space, promising high returns but with no proof. Research thoroughly; if it sounds too good to be true, it probably is.

4. Fake surveys: Offer rewards for participating in surveys to steal personal information. Avoid providing details to unknown surveyors.

5. Fake job opportunities: Attractive job ads that require personal information, app downloads, or payment. Verify through official channels.

6. Classifieds scam: Fake ads direct you to fake Telegram bots to steal information.

7. Pump and Dump: Groups manipulate cryptocurrency prices to profit, causing others to lose money. Always research and verify investment advice.

8. Romance scams: Online relationships in which the scammer asks for money or personal information. Be wary of requests for money from people you meet online.

5.2 Beware of the Toncoin pyramid scam

Telegram’s support for the TON blockchain has unfortunately attracted scammers who have sought to take advantage of unsuspecting users. Here’s a detailed breakdown of the scam:

1. The setup: Scammers send links to an "exclusive money-making scheme" that appear to come from a friend or contact. They direct users to join an unofficial Telegram bot that they claim is for storing cryptocurrency.

2. Investment: Users are instructed to purchase Toncoin through legitimate channels such as wallets, P2P marketplaces, or cryptocurrency exchanges. This adds false credibility. Once purchased, users must transfer their Toncoin to the scam bot.

3. Accelerators: Victims are forced to purchase “accelerators” through a separate bot for a fee between 5 and 500 Toncoin. During this phase, users lose their cryptocurrency.

4. Recruitment: The scammers promoted a referral program, asking users to create a private Telegram group and invite friends. They promised a fixed payment of 25 TON for each referral and a commission based on the accelerators purchased by the referral.

In fact, this is a typical pyramid scheme. The scammers make money while others lose their investment capital.

5.3 How to avoid online fraud

To protect yourself from online scams and keep your Telegram account secure, follow these basic steps:

1. Enable two-step verification for Telegram: Go to Settings > Privacy and security > Two-step verification to add an extra layer of security to your account.

2. Verify contacts: Be wary of unsolicited messages, especially those requesting personal information or funds. Confirm the sender’s identity by other means.

3. Check your Telegram account activity regularly: Go to Settings > Devices > Active sessions to check if there are any unknown devices or sessions on your account.

4. Report suspicious activity: If you come across a scam, report it to Telegram.

5. Avoid get-rich-quick schemes: Be wary of these schemes, even if they are recommended by a friend or family member, they may also be a victim.

6. Do not transfer cryptocurrencies to unknown wallets: Before transferring cryptocurrencies, always verify the identity of the recipient to avoid being scammed.

Staying safe with TON and Telegram requires vigilance and awareness. By recognizing common scams and following these safety tips, you can protect your assets and personal information. Always verify sources, be skeptical of offers that seem too good to be true, and only transact through official channels. Stay informed and cautious, and you’ll be able to enjoy the benefits of TON and Telegram without falling victim to a scam!

6. Summary

The reason to choose TON is to recognize the ecosystem of Telegram itself. Deploying your Web3 project on TON can take advantage of Telegram's huge user base, with more than 700 million monthly active users. This integration provides a fertile environment for decentralized applications to thrive. TonBit is committed to providing comprehensive security for the TON ecosystem, helping projects achieve higher security standards and user trust. As the security guardian of the TON ecosystem, TonBit will continue to work hard to contribute to the development of blockchain technology.