With the rapid development of blockchain technology, various ecosystems are emerging, among which the TON (The Open Network) ecosystem created by Telegram, with its unique architecture and powerful features, has gradually become a focus of the industry. Telegram's massive user base, with over 700 million active users, is another important reason, providing a vast audience for the promotion and adoption of TON. In 2024, the TON ecosystem made significant progress in technological innovation, application expansion, and security protection. This article analyzes the basic architecture of the TON ecosystem, its flexible proof-of-stake mechanism, its expansion use cases and advantages, and the major recent security incidents and their responses, aiming to present readers with a comprehensive and in-depth picture of the TON ecosystem.

Basic introduction and architecture of TON

TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, aimed at building a fast, secure, and scalable blockchain platform to provide users with decentralized applications and services. By combining blockchain technology with Telegram's communication features, TON achieves high performance, high security, and high scalability. It supports developers in building various decentralized applications and provides distributed storage solutions. Compared with traditional blockchain platforms, TON has faster processing speeds and throughput and adopts a Proof-of-Stake consensus mechanism.

Flexible and sharded PoS architecture

TON adopts a proof-of-stake consensus mechanism and achieves high performance and multifunctionality through its Turing-complete smart contracts and asynchronous blockchain. The lightning-fast and low-cost transactions of TON are supported by its flexible and sharded architecture. This architecture allows for easy scalability without sacrificing performance. Dynamic sharding involves separately developed shards with their own purposes, which can run simultaneously and prevent large-scale congestion. TON's block time is 5 seconds, and finalization time is less than 6 seconds.

Existing infrastructure is divided into two main parts:

● Masterchain: responsible for processing all of the protocol's important and critical data, including the addresses of validators and the amounts of coins they have staked.

● Workchain: a secondary chain connected to the masterchain, containing all transaction information and the various smart contracts; each workchain can have its own rules.

This layered architecture not only enhances the efficiency of the network but also provides a solid foundation for future expansion.

Expansion use cases and advantages

With a robust technical architecture in place, the TON ecosystem made significant progress in multiple areas in 2024. The TON Foundation, operating as a decentralized autonomous organization (DAO) run by the TON core community, provides comprehensive support for various projects in the ecosystem, including developer support and liquidity incentive programs. Specifically, the TON community has performed exceptionally in the following areas:

● Launch of TON Connect 2.0: provides an intuitive way to connect wallets and applications, improving user experience.

● TON Verifier: a smart contract checker created by the Orbs team that enhances the reliability of contracts.

● Blueprint developer tool: helps developers write, test, and deploy smart contracts.

● Sandbox developer toolkit: suitable for various use cases from enterprises to governments.

● Tact, Func, and other newly supported languages: promoting a more robust programming environment.

● Developer support: The TON Foundation, in collaboration with DoraHacks, launched a three-month online hackathon.

● TON Hubs Internationalization: International centers launched in multiple cities around the world.

● DeFi liquidity incentive program: providing funding for projects to promote the sustainability of the TON DeFi sector.

These measures not only promote the prosperity of the ecosystem but also create a richer and safer environment for developers and users.

Security incidents in the TON ecosystem

Although the TON ecosystem has made significant progress in technology and applications, security issues remain an important aspect that cannot be ignored.

Recently, in its latest version update notes, the official TON team formally thanked the TonBit team under BitsLab for discovering a critical vulnerability in the TON Virtual Machine (TVM). If exploited maliciously, this vulnerability could exhaust the virtual machine's resources, crash the system, and in turn affect the stability of the entire TON network. The TonBit team, with its strong technical capabilities, quickly identified the issue and proposed an effective fix, building a safer operating environment for the TON virtual machine and further enhancing the overall stability of the TON ecosystem.

The root cause of this vulnerability lies in how the TON virtual machine handles nested operations when processing contract continuations. A malicious contract can build deeply nested continuation structures whose evaluation proceeds recursively, exhausting the virtual machine's host stack space. This resource-exhaustion attack can crash the TON virtual machine; put simply, a single malicious contract could take down all validators, directly impacting system availability.

After in-depth analysis, the TonBit team, working with TON Core, proposed an innovative solution that adjusts the virtual machine's internal jump mechanism so that recursive calls are replaced with an iterative approach, effectively preventing such attacks. This fix has been applied in the latest version of TON, giving users a safer and more stable operating experience.
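The recursion-to-iteration change described above is the classic cure for this class of bug, so here is an added illustration of it in Python. It is a toy model, not code from the TON virtual machine or from TonBit: `Cont` stands in for a continuation, `build_nested` constructs a deep nesting for testing, and `MAX_DEPTH` is an assumed VM-level limit rather than a real TVM constant. The naive evaluator spends one host stack frame per nesting level, so the input's depth decides whether the host survives; the bounded evaluator walks the same structure with an explicit work list and turns excessive depth into an ordinary VM error.

```python
# Added illustration of the recursion-to-iteration hardening described above.
# This is a toy model, not code from the TON Virtual Machine: `Cont` stands in
# for a continuation, `build_nested` constructs a deep nesting for testing, and
# MAX_DEPTH is an assumed VM-level limit.
import sys
from dataclasses import dataclass, field
from typing import List, Tuple, Union

MAX_DEPTH = 10_000  # assumed VM-level nesting limit (not a real TVM constant)


class VmDepthError(Exception):
    """Raised by the bounded evaluator instead of letting the host process die."""


@dataclass
class Cont:
    """Toy continuation: a small gas-like cost plus any nested continuations."""
    cost: int = 1
    children: List["Cont"] = field(default_factory=list)


def build_nested(depth: int) -> Cont:
    """Build a chain nested `depth` levels deep (depth + 1 nodes in total)."""
    node = Cont()
    for _ in range(depth):
        node = Cont(children=[node])
    return node


def eval_recursive(c: Cont) -> int:
    """Naive evaluator: one host (Python) stack frame per nesting level.
    The nesting depth is chosen by whoever built the structure, so deep
    input translates directly into host stack exhaustion."""
    total = c.cost
    for child in c.children:
        total += eval_recursive(child)
    return total


def eval_iterative(c: Cont, max_depth: int = MAX_DEPTH) -> int:
    """Bounded evaluator: an explicit work list replaces host recursion, and
    each item carries its depth so a VM-level limit can be enforced."""
    total = 0
    work: List[Tuple[Cont, int]] = [(c, 0)]
    while work:
        node, depth = work.pop()
        if depth > max_depth:
            raise VmDepthError(f"continuation nesting exceeds {max_depth}")
        total += node.cost
        for child in node.children:
            work.append((child, depth + 1))
    return total


def eval_guarded(c: Cont, max_depth: int = MAX_DEPTH) -> Tuple[str, Union[int, str]]:
    """Wrap the bounded evaluator so a depth violation becomes a VM error
    result rather than an uncaught exception."""
    try:
        return ("ok", eval_iterative(c, max_depth))
    except VmDepthError as err:
        return ("vm_error", str(err))


def recursive_crashes(depth: int = 0) -> bool:
    """Show that the naive evaluator fails on input deeper than the host stack
    allows (default: just beyond Python's own recursion limit)."""
    if depth <= 0:
        depth = sys.getrecursionlimit() + 500
    try:
        eval_recursive(build_nested(depth))
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    deep = build_nested(sys.getrecursionlimit() + 500)
    print("recursive evaluator crashes on deep input:", recursive_crashes())
    print("iterative evaluator on the same input:", eval_guarded(deep))
    print("iterative evaluator over the limit:", eval_guarded(build_nested(MAX_DEPTH + 1)))
```

The design point is that the bounded version fails closed at a limit the VM controls, while the recursive version fails at a limit the host platform controls and the contract author can reach.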

In response to this major security incident, the TON team has come to fully appreciate the importance of continuously strengthening security protection. To ensure the long-term stability and security of the ecosystem, the team not only promptly fixed the vulnerability but also actively drew lessons from it and developed more comprehensive security strategies. Building on this, the following sections explore how the TON ecosystem can further enhance security in the future, so that it can effectively address potential security challenges while developing rapidly.

Moreover, on May 22, 2024, after a staking event celebrating the prosperity of the TON ecosystem, a hacker attack occurred on a protocol's staking contract due to misconfiguration of protocol parameters, resulting in a large amount of tokens being stolen from the contract. After the incident, the project party immediately suspended the staking rewards claiming function and allocated a large amount of $USDT to repurchase the lost 307,264 tokens.

After the attack occurred, the project party quickly contacted TonBit for an audit. TonBit demonstrated its professionalism, responding swiftly and mobilizing a team of security experts to conduct a comprehensive and detailed security audit of the project's core code. TonBit's security experts identified six low-risk issues and immediately communicated in detail with the project team. With rich experience and professional technical capabilities, TonBit not only provided specific solutions for the issues but also assisted the team in quickly resolving all problems, ensuring the security and stability of the contract.

Additionally, on May 10, 2024, the TonBit team under BitsLab discovered that while TON allows annotations (comments) to be attached to transfer messages, certain wallets' UI designs risked misleading users when displaying these annotations. This design flaw was exploited by hackers, who manipulated the content of transfer message annotations to show users false information during the transaction process, leading to fraud and causing users to perform erroneous operations that resulted in financial losses.

To address this issue, TonBit suggests that wallet applications add a prominent label when displaying this information, reminding users that the content is untrusted. Additionally, wallet development teams should improve their UI design to ensure the transparency and reliability of transaction information. At the same time, users also need to sharpen their judgement and remain vigilant against suspicious transaction information.

TonBit recommends that the wallet development team introduce a multi-layer verification mechanism when displaying transaction annotation information, such as verifying the source of the annotation information to ensure its reliability. In addition, regular user education and security alerts should be published to help users recognize and prevent potential fraud. By combining technical measures with user education, the occurrence of such security incidents can be effectively reduced.
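As an added example of the wallet-side handling recommended above (it is not code from any TON wallet or from TonBit), the Python below builds the view model a wallet would hand to its UI: the chain-verified fields (sender, amount, whether the sender is a known contact) are kept separate from the sender-chosen comment, which is neutralised against text tricks and always carries a fixed warning label. `IncomingTransfer`, `render_transfer`, the label text and the contact check are assumptions made for this illustration; the only chain fact used is that amounts are denominated in nanoton (1 TON = 10^9 nanoton).

```python
# Added example of the wallet-side handling recommended above; it is not code
# from any TON wallet. `IncomingTransfer`, `render_transfer` and the label
# text are assumptions made for this illustration; the only chain fact used
# is that amounts are denominated in nanoton (1 TON = 10**9 nanoton).
import unicodedata
from dataclasses import dataclass
from typing import Dict, Set

UNTRUSTED_LABEL = "Message from sender (unverified free text; do not act on it)"


@dataclass
class IncomingTransfer:
    sender: str          # on-chain field, verified by the node
    amount_nanoton: int  # on-chain field, verified by the node
    comment: str         # free text chosen by the sender: untrusted


def format_ton(nanoton: int) -> str:
    """Render a nanoton amount exactly, without floating point."""
    whole, frac = divmod(nanoton, 10**9)
    text = f"{whole}.{frac:09d}".rstrip("0").rstrip(".")
    return f"{text} TON"


def sanitize_comment(comment: str, max_len: int = 200) -> str:
    """Neutralise text tricks before the comment reaches the screen: control and
    format characters (including bidi overrides), line separators and excess
    length are removed or collapsed, and compatibility forms are normalised."""
    chars = []
    for ch in unicodedata.normalize("NFKC", comment):
        cat = unicodedata.category(ch)
        chars.append(" " if cat in ("Cc", "Cf", "Zl", "Zp") else ch)
    text = " ".join("".join(chars).split())
    if len(text) > max_len:
        text = text[:max_len] + "..."
    return text


def render_transfer(t: IncomingTransfer, known_contacts: Set[str]) -> Dict[str, object]:
    """Produce the view model: verified chain fields are kept apart from the
    untrusted comment, which carries a fixed warning label; the source check
    tells the UI whether the sender is an address the user already knows."""
    return {
        "verified": {
            "from": t.sender,
            "from_known_contact": t.sender in known_contacts,
            "amount": format_ton(t.amount_nanoton),
        },
        "comment": {
            "label": UNTRUSTED_LABEL,
            "text": sanitize_comment(t.comment),
        },
    }


if __name__ == "__main__":
    # Constructed sample: a placeholder address and a comment carrying a
    # right-to-left override and a line break, as a UI might otherwise render.
    sample = IncomingTransfer(
        sender="EQ_constructed_placeholder_address",
        amount_nanoton=1_500_000_000,
        comment="Deposit\u202e confirmed\nby support",
    )
    print(render_transfer(sample, known_contacts={"EQ_constructed_known_contact"}))
```

The label is a constant attached by the wallet, never derived from the comment, so no comment content can remove or imitate it; the "from_known_contact" flag is one cheap source check the UI can surface beside it.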

Moreover, the incident in which BookPad used a backdoored contract to defraud investors and then absconded also deserves our attention so that similar cases can be effectively prevented. On April 15, 2024, BookPad released a backdoored, non-open-source smart contract and began its presale. After collecting sufficient funds, the team used the backdoor in the contract to withdraw the funds and quickly fled with the money.

To prevent similar incidents from happening again, users should gather as much information as possible about the project parties before participating in any investment activities, choosing those projects that are open-source and have undergone rigorous security audits.

In summary, although the TON ecosystem has made significant progress in technology and applications, security issues still cannot be ignored. The TonBit team under BitsLab has effectively enhanced system security and stability by promptly discovering and assisting in the fixing of critical vulnerabilities and has demonstrated professional auditing and solution capabilities in multiple security incidents. In the future, the TON ecosystem will continue to strengthen security measures, improve security strategies, and ensure that it can effectively cope with various potential security challenges while rapidly developing, safeguarding the long-term security of users and the network.

Next, we will look at how the TON ecosystem can further enhance security as it continues to expand and develop, ensuring the robust operation of the system and the trust of users. To this end, the TonBit team has analyzed in detail the security challenges currently faced by the TON ecosystem and the advanced protective technologies that can be adopted, and recommends implementing strict security audits to build a safer and more reliable ecosystem. Through these measures, the stability of the TON network and user trust will be significantly enhanced, driving the continued healthy development of the TON ecosystem.

Security outlook for the TON ecosystem

The TON ecosystem is rapidly expanding its decentralized applications (dApps) and infrastructure, but because of its unique architecture and functionality, TON faces some unique security challenges. Below are security recommendations and best practices for TON ecosystem developers:

Node distribution and protection: TON uses sharding and distributed hash table (DHT) technology to improve network scalability, but if node distribution is unbalanced or lacks sufficient protection, it may allow malicious nodes to dominate the network, conducting routing table pollution or network partition attacks. Developers should enhance node verification mechanisms and improve network defense capabilities by increasing node monitoring and blacklisting mechanisms.

Security of smart contracts: The smart contract programming in TON is different from other public chains, with more complex contract logic. Developers should strictly adhere to best practices for secure development, focus on resource management and boundary checks of the code, and avoid common contract vulnerabilities. Conducting code audits and regular reviews of contracts, as well as using contract testing tools can enhance code reliability.

Data integrity and anti-tampering: TON's distributed storage increases the convenience of data sharing and access but also brings tampering risks. Developers can introduce multi-layer data encryption and authentication mechanisms and add data consistency verification between nodes to ensure the integrity of data transmission.

By taking these measures, the TON ecosystem can maintain its high level of security and stability while continuing to expand, providing users and developers with more reliable services.

Summary

In 2024, the TON ecosystem made significant progress in technology architecture, application expansion, and security protection. Its flexible and sharded PoS architecture, high-performance transaction processing capabilities, and rich developer tools laid a solid foundation for the prosperity of the ecosystem. At the same time, in the face of security challenges, the official TON team worked closely with security experts to promptly fix critical vulnerabilities, further enhancing the stability and security of the system. Looking ahead, as the TON ecosystem continues to develop, maintaining focus on and improving security protection capabilities will be key to achieving long-term sustainable development. The continuous progress of the TON ecosystem not only provides new ideas for the development of blockchain technology but also creates a safer and more efficient digital world for users and developers.

To read the full report, please click: https://bitslab.xyz/reports-page

About TonBit

TonBit, as the core sub-brand of BitsLab, is a security expert and early builder within the TON ecosystem. As the main security assurance provider for the TON blockchain, TonBit focuses on comprehensive security audits, including audits of Tact and FunC languages, ensuring that TON-based projects have integrity and security. To date, TonBit has successfully audited several well-known projects, including Catizen, Algebra, UTonic, and has discovered multiple critical vulnerabilities, showcasing our excellence in the field of blockchain security. Additionally, TonBit has successfully hosted the TON CTF competition, attracting numerous participants and gaining widespread attention, further solidifying its status as a security expert in the TON ecosystem. In the future, TonBit will continue to safeguard blockchain security and promote the continuous development of technology and ecosystems.

About BitsLab

BitsLab is an organization dedicated to the security of the Web3 ecosystem, aiming to become a respected security institution in the industry and among users. It has three sub-brands: MoveBit, ScaleBit, and TonBit. It focuses on infrastructure development and security auditing for multiple ecosystems, including Sui, Aptos, TON, BNB Chain, Starknet, and Solana, and specializes in auditing various programming languages, including Circom, Halo2, Move, Cairo, etc.

As a leader in the blockchain security field, BitsLab provides security auditing services for multiple projects, including Movement, Aptos, Tether, UniSat, Nervos CKB, etc., delivering over 400 security solutions, auditing more than 400,000 lines of code, safeguarding 8 billion dollars in assets, and serving over 2 million users. The team comprises several top vulnerability research experts who have discovered critical vulnerabilities in multiple well-known projects. BitsLab is committed to promoting the development of Web3 security and facilitating the healthy growth of emerging ecosystems.

Visit the BitsLab official website: https://bitslab.xyz/

BitsLab official Twitter: https://x.com/0xbitslab

Join the official Telegram community: https://t.me/BitsLabHQ

Official websites of the BitsLab sub-brands:

TonBit: https://www.tonbit.xyz/

MoveBit: https://www.movebit.xyz/

ScaleBit: https://www.scalebit.xyz/

Audit inquiries Telegram contact: @starchou