The continued popularity of Friend.tech has once again drawn the market’s attention to the SocialFi track. Currently, Friend.tech competitors from various chains are emerging one after another. TOMO from Linea chain and New Bitcoin City from NOS chain have both exceeded $1 million in TVL in a short period of time due to their own innovations, becoming newcomers in the SocialFi track.
As such SocialFi projects are developing in full swing, the related security risks have received widespread attention from the community. At the end of August, Friend.tech suffered a privacy leak due to its API access design; on October 7, Stars Arena on the Avalanche chain had a reentrancy vulnerability, and hackers reentered and called the 0x5632b2e4 function in its contract, causing the final calculation result of the sellShares function to be abnormally large, and the protocol lost about $2.9 million.
Previously, Beosin conducted a detailed analysis of Friend.tech’s design mechanism and potential security risks. Today, the Beosin security team will analyze new projects TOMO and New Bitcoin City to help you understand the potential risks.
TOMO Introduction
TOMO is a competitor of Friend.tech on Linea's second-layer network. It launched the "Vote" mechanism based on Friend.tech. Vote is the credential of Twitter users before registering with TOMO. Other users can directly trade the Vote of unregistered users. After the user registers, the corresponding Vote will be converted into Key.
The introduction of Vote has to some extent avoided the proliferation of preemptive robots, and there is no need to monitor Twitter users to enter and abuse transactions. At the same time, 5% of the proceeds from the Vote transaction will be distributed to the Twitter user corresponding to the Vote, and the user can receive the proceeds as long as he registers TOMO. This provides an economic incentive for Twitter users to enter TOMO.
TOMO Risk Analysis
Beosin has previously completed the audit of Tifo.trade, the largest derivatives exchange on the Linea public chain. This time, we scanned the TOMO business contract through the Beosin VaaS tool, combined with the analysis of Beosin security audit experts, and found that TOMO has the following risks:
1. Business risks
TOMO's business contract has been open sourced. By looking at its contract code, we can find that its basic pricing model is similar to Friend.tech. If S is the current holding amount, TOMO's Key price model is S^2/43370, while Friend.tech's price model is S^2/16000. This makes TOMO's Key price rise more slowly, which to some extent attracts more users to participate in transactions.
However, the essence has not changed. Since the larger the total number of keys, the higher the buying and selling prices, early users may purchase a large number of keys, while later users may suffer losses from the equity they purchase. Be aware of the risks when investing.
Friend.tech’s Pricing Model 2. Centralization Risk
Similar to the Friend.tech risk, TOMO’s centralization risk cannot be ignored. The owner of the contract can adjust the fee rate without limit, thereby charging high fees, and can even set a 100% fee so that users cannot receive the money from selling, or set a fee rate of more than 100% to suspend the buying and selling functions.
source: https://lineascan.build/address/0x9e813d7661d7b56cbcd3f73e958039b208925ef8 3. Private key risk (ERC-4337 wallet)
According to the information displayed by TOMO, the wallet generated by TOMO after user registration is an ERC-4337 wallet (account abstract wallet). The community has questioned the asset security of such wallets.
First of all, Friend.tech and most of its competitors, such as Stars Arena, use EOA wallets, which are ordinary external wallets. EOA wallets need to sign each transaction initiated with a private key, which is relatively troublesome for interactive applications. At the same time, it is difficult for users to safely save their private keys. Previously, Deribit's hot wallet was stolen for $28 million. Beosin shared in detail how to ensure wallet security.
To solve the above problems, the ERC-4337 proposal implements account abstraction by introducing a transaction object called "UserOperation". Users can use a single wallet account (account abstraction wallet) with both smart contract and EOA functions. Different users send UserOperation objects to the UserOperation memory pool. The Bundler packages the transaction and submits it to the Ethereum memory pool. The packaged transaction will be verified by the Entry Point contract, and then call a specific Wallet contract to perform specific operations, and then go on the chain. The process is shown in the figure below:
source: https://eips.ethereum.org/EIPS/eip-4337
Through the workflow of ERC-4337, we can know that account abstract wallet has the following potential risks:
(1) Contractual risks
The Entry Point contract and the Wallet contract need to be implemented by the project owner. Currently, TOMO has not open-sourced the relevant contracts. The Entry Point contract is responsible for verifying the legitimacy of the transaction submitted by the Bundler and calling a specific Wallet contract based on the transaction. If there are business logic vulnerabilities in the Entry Point contract and the Wallet contract, hackers can attack by constructing specific transactions.
(2) Private key-related risks
Under the ERC-4337 solution, if the user forgets the private key, there may be other solutions to restore the wallet (depending on the project's solution design). However, the theft/leakage of the private key to others may also cause the user's asset loss. On October 18, TOMO opened the function of exporting the wallet private key. Users need to export the private key and prevent the private key from being stolen.
Description of New Bitcoin City
New Bitcoin City (or Alpha) is a social application similar to Friend.tech based on the second-layer network NOS of Bitcoin, which supports both web and mobile terminals. Users can trade New Bitcoin City and Friend.tech Keys in New Bitcoin City. Previously, the New Bitcoin City team also launched the GameFi project Mega Whales and the DeFi project New Bitcoin DEX.
link: https://pro.newbitcoincity.com/ New Bitcoin City Risk Analysis
1. Business risks
New Bitcoin City also uses a similar pricing model to Friend.tech, with PRICE_KEYS_DENOMINATOR of 264000 and NUMBER_UNIT_PER_ONE_ETHER of 10. Compared to TOMO, the price increases more slowly.
source: https://explorer.l2.trustless.computer/address/0x9b5A4a3cF82F6860fB26c2626b0278071e7997a9/contracts#address-tabs 2. Network risks
In addition to the same centralization risks as TOMO, according to the New Bitcoin City team, NOS uses Trustless Computer Layer2 technology to run its contracts. Trustless Computer was also developed by the New Bitcoin City team. It is compatible with Ethereum based on OP Stack at the execution layer and completes data verification on the Bitcoin network.
source: https://docs.trustless.computer/blockchain-architecture/rollups-on-bitcoin
Currently, only the New Bitcoin City social application is active on the network, and the stability and security of the network have not been tested.
3. Private key management
New Bitcoin City is similar to Friend.tech. Users generate an EOA wallet after authorizing the app with Twitter for the first time. However, the wallet is generated in the background of New Bitcoin City, and its private key generation and storage process is still unknown.
Summarize
Friend.tech's competitors have improved and innovated on the basis of Friend.tech. The core pricing model remains basically unchanged, and improvements have been made in user interaction, but the storage problem of user wallet private keys has not been well solved. The centralization risk of the contract is obvious, and users need to do a good job of project research when interacting.
As a world-leading blockchain security company, Beosin has established branches in more than 10 countries and regions around the world. Its business covers code security audits before project launch, security risk monitoring, early warning and blocking during project operation, recovery of stolen virtual currency assets, security compliance KYT/AML and other "one-stop" blockchain security products + services. It has currently provided security technology services to more than 3,000 blockchain companies around the world and audited more than 3,000 smart contracts. Please click on the message box of the official account to contact us.
