TonBit Report: 2024 TON Ecosystem Panorama Observation and Security Research Report

Industry Express
2024-08-19 11:52:27

1. Introduction

This report is jointly produced by TonBit, a sub-brand of the Web3 blockchain security audit company BitsLab, in collaboration with its partner TONX. With the continuous development of blockchain technology and its increasingly widespread application, the TON ecosystem continues to show strong growth momentum in 2024, attracting significant attention from developers, investors, and users.

In 2024, the TON ecosystem has made significant progress in areas such as technological innovation, application implementation, and community building, further consolidating its position in the blockchain field. However, with the rapid development of the ecosystem, security issues have become increasingly prominent. How to effectively prevent and respond to evolving security threats has become an important topic for the TON ecosystem.

2. Overview of the TON Ecosystem

2.1 Introduction to the TON Ecosystem

Basic Introduction and Architecture

TON (The Open Network) is a blockchain originally designed by Telegram and now developed by the TON community and the TON Foundation. It aims to be a fast, secure and scalable platform for decentralized applications and services. Because it is wired into Telegram, on-chain applications are reachable directly from the messenger's user base; alongside the chain itself, TON provides a distributed storage layer. TON uses a Proof-of-Stake consensus mechanism and, compared with earlier blockchain platforms, targets higher throughput and lower latency through sharding.

2.2 Why Choose TON

Competing with the liquidity and communities of Bitcoin and Ethereum, TON positions itself on architecture. The blockchain trilemma described by Vitalik Buterin states that a Layer 1 network struggles to maximise security, scalability and decentralization at the same time. Bitcoin and Ethereum each make their own trade-offs; TON's answer is a flexible, sharded PoS architecture aimed at the scalability side of that trade-off.

2.2.1 Flexible and Sharded PoS Architecture

TON uses Proof-of-Stake consensus, Turing-complete smart contracts and an asynchronous execution model in which contracts interact only by exchanging messages rather than through synchronous calls. Its low-latency, low-cost transactions rest on a sharded architecture: workchains are split dynamically into shardchains as load grows, so the network scales horizontally and one congested application does not stall the others. TON has a block time of about 5 seconds and a time to finality of under 6 seconds.

The infrastructure has two main layers:

Masterchain: Holds the protocol's critical data: the current validator set and their stakes, the network configuration, and the latest block hashes of all shardchains.

Workchains: Secondary chains connected to the masterchain that hold the accounts, transactions and smart contracts; each workchain can have its own rules, and each is split into shardchains as needed.

2.2.2 Expanded Use Cases and Advantages

The TON Foundation operates as a DAO managed by the core TON community, providing various support for projects within the TON ecosystem, including developer support and liquidity incentive programs. In 2024, the TON community made significant progress in several areas:

Launch of TON Connect 2.0: Provides an intuitive way to connect wallets and applications, improving user experience.

TON Verifier: A tool from the Orbs team that lets anyone check that the code deployed at an address matches a published source, so users can review the contract they actually interact with.

Blueprint: A development environment for writing, testing and deploying TON smart contracts.

Sandbox Developer Toolkit: A local TVM emulator for testing contracts before deployment, positioned for use cases from enterprises to governments.

Tact Language (beta): A higher-level contract language for TON that compiles to the same TVM code as FunC, intended to make contracts easier to write and review.

Internationalization of TON Society: Launching international centers in multiple cities worldwide.

DeFi Liquidity Incentive Program: Provides funding for projects, promoting sustainability in the TON DeFi space.

2.3 Overview of TON's Development Directions and Goals in 2024

TON's development roadmap includes many exciting plans, such as a stablecoin toolkit, sharding tools, and native bridges for BTC, ETH, and BNB.


Gas-free Transactions: TON may subsidize Gas fees in certain situations to attract more users.

Separation of Validator and Collator Nodes: A scalability upgrade in which dedicated collator nodes assemble shard blocks while validators only verify them, with the stated goal of onboarding 500 million Telegram users by 2028.

Election and Configuration Contract Updates: Allowing users to vote on network proposals.

TON Stablecoin Toolkit: Enabling anyone to issue algorithmic stablecoins pegged to local fiat currencies.

Jetton Bridge: Allowing users to send TON tokens to other chains.

ETH, BNB, and BTC Bridge: Launching official bridges to bring major cryptocurrencies to TON.

Non-native Tokens: Allowing TON users to create tokens similar to native ones.

3. Ecosystem Development Status

3.1 Ecosystem Overview

The official website of the TON Foundation showcases nearly 1,000 applications covering a wide range of fields, such as decentralized finance (DeFi), gaming, social media, and utility applications. Through these projects, the TON Foundation demonstrates its leading position in blockchain technology and promotes innovation and ecosystem development.

3.2 Key Metrics of the TON Ecosystem

As of July 27, 2024, the TON chain had 383 validator nodes located in 29 countries, with a total stake of over 590 million $TON. Daily active addresses reached 373,000, a year-on-year increase of 5,360%. The TON DeFi ecosystem also shows strong growth: 1,784,089 unique users, a total value locked (TVL) of $706,307,873, and 26,297 liquidity providers.

3.3 How TON Becomes a Powerful Decentralized Gaming Platform

3.3.1 Main Reasons for Building Decentralized Games on TON

Developing decentralized games on the TON blockchain offers a range of advantages for businesses and developers:

Integration with Telegram: Provides access to over 900 million monthly active users.

Powerful User Acquisition and Retention Tools: Including the Telegram app center and advertising tools.

Fast and Efficient Blockchain: Designed to process over 100,000 transactions per second while keeping fees low.

Diverse Monetization Opportunities: Such as in-app advertising and tradable non-fungible tokens.

Simple and Accessible: Provides a complete set of tools suitable for GameFi Web3 developers and players.

4. TON Ecosystem Security Research

4.1 How to Develop Securely on TON

To ensure the security of smart contracts, a series of security measures must be taken. Here are some key security practices for the TON ecosystem:

1. Access Control

Description: Where a contract has privileged operations (changing the owner, withdrawing funds, updating parameters), they must be restricted to authorised senders; otherwise any account on the network can invoke them and cause serious damage. In TON the only trustworthy identity of a caller is the sender address in the internal message header; an address written into the message body is attacker-controlled data.

Practice:

Identify which operations require permission control, including indirect ones such as messages that trigger sends from the contract.

Restrict privileged operations by comparing the sender address from the message header against the stored authorised address(es); never trust an address supplied in the body.

Regularly review and update the access control policy as the contract's requirements change.

Specific proposals can be referenced:

https://github.com/ton-blockchain/TEPs/pull/180
https://github.com/ton-blockchain/TEPs/pull/181

2. Validate Message Inputs

Description: TON message bodies are raw cell slices, so the contract must parse the op code, query_id and every field itself. If inputs are not validated, an attacker can send a body that is too short, carries an unexpected op, contains trailing data, or holds out-of-range values, and the contract may act on it in an unsafe way.

Practice:

Strictly validate all external inputs: check the body length before reading fields, verify types and boundary conditions, reject unknown op codes, and reject trailing data with end_parse().

Consider every input scenario, including edge cases such as empty bodies, bounced messages and unexpected senders.

Regularly audit and test the input validation logic.
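The following FunC contract is an added example, not code from the report or from any audited project, that combines practices 1 and 2 above. The storage layout (owner address plus a coin balance), the op codes, the error codes and the stdlib include path are assumptions made for this example. It shows where the sender address is taken from (the message header, never the body), how the body is length-checked before every read, and how trailing data is rejected.

```func
;; Added example for practices 1 and 2 (not from the report).
;; Storage layout, op codes, error codes and the include path are assumptions.
#include "imports/stdlib.fc";

const int op::deposit      = 0x01;   ;; anyone may deposit
const int op::withdraw     = 0x02;   ;; owner only
const int op::change_owner = 0x03;   ;; owner only

const int err::unauthorized = 401;
const int err::bad_payload  = 402;
const int err::insufficient = 403;

;; storage: owner:MsgAddressInt balance:Coins
(slice, int) load_data() inline {
    slice ds = get_data().begin_parse();
    slice owner = ds~load_msg_addr();
    int balance = ds~load_coins();
    ds.end_parse();            ;; a storage cell with trailing garbage is a bug
    return (owner, balance);
}

() save_data(slice owner, int balance) impure inline {
    set_data(begin_cell().store_slice(owner).store_coins(balance).end_cell());
}

() send_coins(slice to, int amount, int query_id) impure inline {
    cell msg = begin_cell()
        .store_uint(0x18, 6)          ;; int_msg_info, bounceable
        .store_slice(to)
        .store_coins(amount)
        .store_uint(0, 1 + 4 + 4 + 64 + 32 + 1 + 1)   ;; no state init, body inline
        .store_uint(op::withdraw, 32)
        .store_uint(query_id, 64)
        .end_cell();
    send_raw_message(msg, 1);  ;; mode 1: forwarding fee paid separately from value
}

() recv_internal(int msg_value, cell in_msg_full, slice in_msg_body) impure {
    ;; --- practice 2: validate the envelope and the body before acting ---
    slice cs = in_msg_full.begin_parse();
    int flags = cs~load_uint(4);
    if (flags & 1) { return (); }     ;; bounced message: nothing to do here
    slice sender = cs~load_msg_addr();

    (slice owner, int balance) = load_data();

    ;; body shorter than an op code: only a completely empty body (plain transfer) is allowed
    if (in_msg_body.slice_bits() < 32) {
        throw_unless(err::bad_payload, in_msg_body.slice_empty?());
        save_data(owner, balance + msg_value);
        return ();
    }
    int op = in_msg_body~load_uint(32);
    if (op == 0) {                    ;; transfer with a text comment: treat as deposit
        save_data(owner, balance + msg_value);
        return ();
    }
    ;; every structured message must also carry query_id:uint64
    throw_unless(err::bad_payload, in_msg_body.slice_bits() >= 64);
    int query_id = in_msg_body~load_uint(64);

    if (op == op::deposit) {
        in_msg_body.end_parse();
        save_data(owner, balance + msg_value);
        return ();
    }

    ;; --- practice 1: privileged ops check the header sender, not a body field ---
    ;; equal_slices is named equal_slice_bits in newer stdlib versions
    throw_unless(err::unauthorized, equal_slices(sender, owner));

    if (op == op::withdraw) {
        slice to = in_msg_body~load_msg_addr();
        int amount = in_msg_body~load_coins();
        in_msg_body.end_parse();                   ;; trailing data is rejected
        throw_unless(err::bad_payload, amount > 0);
        throw_unless(err::insufficient, amount <= balance);
        save_data(owner, balance - amount);        ;; update state before sending
        send_coins(to, amount, query_id);
        return ();
    }

    if (op == op::change_owner) {
        slice new_owner = in_msg_body~load_msg_addr();
        in_msg_body.end_parse();
        ;; addr_none is only 2 bits; a real contract would also pin the workchain
        throw_unless(err::bad_payload, new_owner.slice_bits() > 2);
        save_data(new_owner, balance);
        return ();
    }

    throw(0xffff);  ;; unknown op: fail (and bounce) instead of silently keeping the value
}
```

Two design points worth noting: the unknown-op branch throws rather than returning, so a mistyped message bounces its value back to the sender instead of being absorbed, and state is written before the outgoing send so that a later failure in the same transaction cannot leave the balance and the sent message inconsistent.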

3. Check Gas Usage

Description: Gas for an internal message is paid out of the value attached to that message, so the sender funds its own processing. An external message carries no value, so the contract pays for it from its own balance, and only once it calls accept_message(). Everything before that call runs on a small free budget and is refused if it fails. A contract that accepts too early, or accepts without verifying a signature and a sequence number, lets anyone drain its balance by spamming external messages. Contracts should always be tested for gas consumption to confirm they behave as expected and cannot be exhausted.

Practice:

Call accept_message() only after cheap checks and signature verification have passed; a forged or replayed message must fail before the contract pays anything.

Bound loops and message fan-out so a single transaction cannot hit the gas limit, and account for the gas that outgoing messages must carry.

Regularly test the contract's gas consumption under realistic and worst-case inputs.

4. Timestamp Dependency

Description: Some contracts base decisions on the block timestamp (now()). That value is chosen by the validators producing the block, who can also choose which messages to include and when, so it can be skewed by some seconds; in addition, because TON is asynchronous, a message may be processed later than the sender expected. Logic that turns on a single instant can therefore be manipulated.

Practice:

Avoid relying on block timestamps for critical decisions; use sequence numbers or explicit state for ordering and replay protection.

If a time check is unavoidable, use it only as a coarse window (minutes, not seconds) so that small skew cannot change the outcome.

Adopt a time buffer so the logic tolerates variation within a range rather than depending on a single point in time.

Regularly review the contract logic to confirm it cannot be affected by timestamp manipulation.
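The following external-message handler is an added example, not code from the report, that puts practices 3 and 4 together in a wallet-style contract. The storage layout (seqno plus public key), the signed-body layout, the error codes and the include path are assumptions for this example. The point is the ordering: every rejection happens before accept_message(), so a spammer can never make the contract pay, and the timestamp is used only as a wide validity window while replay protection comes from the seqno.

```func
;; Added example for practices 3 and 4 (not from the report).
;; Storage layout, signed-body layout, error codes and include path are assumptions.
#include "imports/stdlib.fc";

const int err::bad_payload   = 32;
const int err::bad_signature = 33;
const int err::bad_seqno     = 34;
const int err::expired       = 35;
const int err::too_early     = 36;

;; storage: seqno:uint32 public_key:uint256
(int, int) load_data() inline {
    slice ds = get_data().begin_parse();
    return (ds~load_uint(32), ds~load_uint(256));
}

;; body: signature:bits512 valid_from:uint32 valid_until:uint32 seqno:uint32
;;       then a list of (mode:uint8 msg:^Cell) to forward
() recv_external(slice in_msg) impure {
    ;; Nothing here costs the contract anything until accept_message():
    ;; a message that fails any check below is simply dropped by the validator.
    throw_unless(err::bad_payload, in_msg.slice_bits() >= 512 + 32 + 32 + 32);
    slice signature = in_msg~load_bits(512);
    slice cs = in_msg;                           ;; the signed part
    int valid_from  = cs~load_uint(32);
    int valid_until = cs~load_uint(32);
    int msg_seqno   = cs~load_uint(32);

    (int stored_seqno, int public_key) = load_data();

    ;; practice 3: cheapest check first, signature last, all before accept_message()
    throw_unless(err::bad_seqno, msg_seqno == stored_seqno);
    throw_unless(err::bad_signature,
                 check_signature(slice_hash(in_msg), signature, public_key));

    ;; practice 4: block time is validator-controlled, so it is only used as a
    ;; coarse window (the signer is expected to leave minutes of slack on each
    ;; side). Replay is prevented by seqno above, never by time.
    int t = now();
    throw_if(err::expired,   t > valid_until);
    throw_if(err::too_early, t < valid_from);

    accept_message();   ;; from here on the contract pays for this transaction

    ;; Persist the new seqno before any send, and commit it, so that a failure
    ;; later in this transaction cannot be used to replay the same message.
    set_data(begin_cell()
        .store_uint(stored_seqno + 1, 32)
        .store_uint(public_key, 256)
        .end_cell());
    commit();

    while (cs.slice_refs()) {
        int mode = cs~load_uint(8);
        send_raw_message(cs~load_ref(), mode);
    }
}
```

The seqno comparison is deliberately placed before the signature check: it is far cheaper, and the free budget for an unaccepted external message is small, so the common rejection cases (stale replays) should exit as early as possible.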

5. Integer Overflow

Description: Integer overflow and underflow occur when an arithmetic result leaves the representable range. On TON the failure mode differs from the EVM: TVM integers are 257-bit signed, arithmetic overflow throws (exit code 4) instead of wrapping, and writing a value into a fixed-width cell field it does not fit (for example store_uint(x, 64) with x at or above 2^64) throws with exit code 5. An unexpected throw is still a security issue: in TON's asynchronous model it may occur in a later transaction of a multi-contract flow, after value has already left one contract, leaving balances inconsistent or funds stuck.

Practice:

Check ranges explicitly before serialising a value into a fixed-width field and before any outgoing send, so that a violation fails early, in the transaction that can still bounce it.

Keep intermediate values within 257 bits; use muldiv for multiply-then-divide so the product never overflows.

Regularly audit the contract code and test arithmetic at boundary values (zero, maximum field width, maximum supply).

6. Rounding Errors

Description: Rounding errors are inaccuracies that arise from limited precision or from a poorly chosen rounding direction. TON contracts work in integers (nanotons, jetton units), so the usual mistakes are dividing before multiplying, which truncates early and can pay out zero for small amounts, and rounding in the user's favour, which lets an attacker extract dust by splitting one request into many small ones. With currency amounts these errors translate directly into financial loss or unfair distribution.

Practice:

Multiply before dividing, using muldiv (floor) or muldivc (ceiling) so the intermediate product is exact.

Choose the rounding direction per operation so that the contract, not the user, benefits from any remainder, and test the logic with extreme and tiny values to confirm precision meets expectations.

Clearly annotate the rounding method in the code so it is applied consistently.
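The following helpers are an added example, not code from the report or from any audited staking protocol, illustrating practices 5 and 6 together. The stake and reward variables, the fee in basis points, the error codes and the include path are assumptions for this example; the sample values in the trailing comment are constructed, not taken from any incident.

```func
;; Added example for practices 5 and 6 (not from the report).
;; Variable names, error codes and include path are assumptions.
#include "imports/stdlib.fc";

const int err::zero_stake   = 501;
const int err::out_of_range = 502;

;; Practice 5. TVM integers are 257-bit signed and an overflow throws
;; (exit code 4) instead of wrapping, so Solidity-style "safe math" is not
;; needed for arithmetic. What needs care is serialisation: store_uint(x, 64)
;; with x >= 2^64 throws exit code 5. In an asynchronous flow that throw may
;; happen in a later message, after value has already left this contract,
;; so ranges are checked before any send, not after.
int checked_uint64(int x) inline {
    throw_unless(err::out_of_range, (x >= 0) & (x < (1 << 64)));
    return x;
}

;; Practice 6. Share of `total_rewards` owed to a staker holding `user_stake`
;; out of `total_stake`. The naive form divides first:
;;     user_stake * (total_rewards / total_stake)
;; which truncates before multiplying and pays 0 to small stakers whenever
;; total_rewards < total_stake. muldiv computes floor((a * b) / c) with an
;; exact intermediate product, so the only rounding is the final floor,
;; and the floor favours the contract.
int reward_share(int user_stake, int total_stake, int total_rewards) inline {
    throw_unless(err::zero_stake, total_stake > 0);
    return muldiv(user_stake, total_rewards, total_stake);
}

;; When the protocol charges a fee, round up (muldivc = ceiling) so that
;; splitting one transfer into many tiny ones cannot avoid the fee.
int fee_round_up(int amount, int fee_bps) inline {
    return muldivc(amount, fee_bps, 10000);
}

;; Builds the payout field of an outgoing message body, range-checked first.
builder store_payout(builder b, int user_stake, int total_stake, int total_rewards) inline {
    int share = checked_uint64(reward_share(user_stake, total_stake, total_rewards));
    return b.store_uint(share, 64);
}

;; Constructed sample values (not from any incident), traced by hand:
;;   user_stake = 7, total_stake = 1000, total_rewards = 999
;;   naive:  7 * (999 / 1000) = 7 * 0   = 0
;;   muldiv: floor(7 * 999 / 1000)      = floor(6.993) = 6
;;   fee_round_up(1, 30) = ceil(1 * 30 / 10000) = 1
```

Note that reward_share rounds down and fee_round_up rounds up on purpose: in both cases the remainder stays with the contract, which is the direction that cannot be farmed by an attacker issuing many small requests.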

7. Denial of Service

Description: A denial-of-service condition exhausts the contract's computational budget or forces it into an error path so that it can no longer execute normally. On TON the typical causes are unbounded loops over user-controlled data (a dictionary of stakers, a queue of payouts) that grow until a single transaction exceeds the gas limit, and outgoing messages that bounce or fail in a way the contract does not handle. Either prevents legitimate users from interacting and can freeze the contract's state, and with it the funds it holds.

Practice:

Bound the number of iterations per transaction and carry a cursor across transactions instead of processing an unbounded collection in one go; a transaction may also emit at most 255 actions.

Account for gas before critical operations so that a send does not fail partway through a batch because of insufficient gas.

Handle bounced messages (the bounce flag in the inbound header) so that a failed send re-credits the affected account instead of leaving the contract stuck.

Regularly review and optimise the contract logic for efficiency and reliability, and emit external outbound messages (logs) for important operations to aid troubleshooting and recovery.
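The following batched-payout contract is an added example, not code from the report, for practice 7. The storage layout (admin address plus a dictionary of pending payouts keyed by a 256-bit address hash), the op codes, the batch size and the include path are assumptions for this example. It shows the pattern that keeps each transaction bounded while the total work remains unbounded: process a fixed number of entries, persist the shrunken dictionary, then send a continuation message to self so the next batch runs with a fresh gas budget.

```func
;; Added example for practice 7 (not from the report).
;; Storage layout, op codes, batch size and include path are assumptions.
#include "imports/stdlib.fc";

const int op::distribute = 0x10;
const int op::payout     = 0x11;
const int max_per_tx     = 50;      ;; well under the 255-action limit per transaction
const int err::not_admin = 401;

;; storage: admin:MsgAddressInt pending:(HashmapE 256 [addr:MsgAddressInt amount:Coins])
;; keys are a 256-bit hash of the recipient address so they fit a udict key
(slice, cell) load_data() inline {
    slice ds = get_data().begin_parse();
    return (ds~load_msg_addr(), ds~load_dict());
}

() save_data(slice admin, cell pending) impure inline {
    set_data(begin_cell().store_slice(admin).store_dict(pending).end_cell());
}

() send_payout(slice to, int amount) impure inline {
    ;; Non-bounceable (0x10): if the recipient account is uninitialised the
    ;; value is still delivered instead of bouncing back into this contract.
    ;; A bounceable send would need a bounce handler that re-credits `to`.
    cell msg = begin_cell()
        .store_uint(0x10, 6)
        .store_slice(to)
        .store_coins(amount)
        .store_uint(0, 1 + 4 + 4 + 64 + 32 + 1 + 1)
        .store_uint(op::payout, 32)
        .end_cell();
    send_raw_message(msg, 1);
}

() send_continuation() impure inline {
    ;; Re-enter ourselves in a new transaction with a fresh gas limit.
    cell msg = begin_cell()
        .store_uint(0x18, 6)
        .store_slice(my_address())
        .store_coins(0)
        .store_uint(0, 1 + 4 + 4 + 64 + 32 + 1 + 1)
        .store_uint(op::distribute, 32)
        .end_cell();
    send_raw_message(msg, 64);   ;; mode 64: carry the remaining inbound value forward
}

() recv_internal(int msg_value, cell in_msg_full, slice in_msg_body) impure {
    slice cs = in_msg_full.begin_parse();
    int flags = cs~load_uint(4);
    if (flags & 1) { return (); }          ;; bounced: payouts are non-bounceable, so ignore
    slice sender = cs~load_msg_addr();
    if (in_msg_body.slice_bits() < 32) { return (); }
    int op = in_msg_body~load_uint(32);
    if (op != op::distribute) { return (); }

    (slice admin, cell pending) = load_data();
    ;; the admin starts a distribution; continuations come from this contract itself
    throw_unless(err::not_admin,
                 equal_slices(sender, admin) | equal_slices(sender, my_address()));

    ;; Bounded loop: at most max_per_tx entries per transaction. Without the
    ;; bound, once the dictionary grows past what one transaction can afford,
    ;; every distribute call fails and the funds are stuck forever.
    int done = 0;
    int more = true;
    while (more & (done < max_per_tx)) {
        (int key, slice val, int found) = pending.udict_get_min?(256);
        if (found) {
            slice to = val~load_msg_addr();
            int amount = val~load_coins();
            pending~udict_delete?(256, key);   ;; state first, then the send
            send_payout(to, amount);
            done += 1;
        } else {
            more = false;
        }
    }
    save_data(admin, pending);

    (int k, slice v, int remaining) = pending.udict_get_min?(256);
    if (remaining) {
        send_continuation();   ;; next batch runs in its own transaction
    }
}
```

Deleting an entry from the dictionary before its payout is sent is the same state-first rule as in the access-control example: if the transaction aborts after the send has been queued, the whole transaction (including the queued message) is rolled back, whereas the reverse order could pay the same entry twice across retries.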

8. Business Logic

Description: Business logic vulnerabilities refer to design flaws or implementation errors in smart contracts that lead to abnormal behavior under certain circumstances. These vulnerabilities can be exploited by malicious users, resulting in financial losses, data tampering, or contract functionality failures. Business logic vulnerabilities are typically not coding errors but misunderstandings or incomplete implementations of business requirements and processes.

Practice:

Deeply understand and analyze business requirements to ensure logical design correctness.

Regularly conduct code audits and logic validations to promptly identify and fix vulnerabilities.

Write comprehensive test cases covering all possible business scenarios.

Through the above security practices, we can significantly enhance the security of smart contracts, reduce risks, and ensure stable operation and safety of users' funds.

4.2 Review of Security Incidents in the TON Ecosystem

In 2024, several security incidents occurred within the TON ecosystem, revealing challenges in its security. Below are detailed descriptions of some significant incidents, analyses of their causes, impacts, and solutions, along with a summary of some typical security vulnerabilities.

1. A staking contract of a certain protocol was attacked, resulting in significant token losses

Date: May 22, 2024

Loss Amount: not stated

Root Cause: Misconfigured protocol parameter

Description:

Shortly after the TON ecosystem's staking activity had peaked, a protocol's staking contract was attacked because one of its protocol parameters was misconfigured, and a large number of tokens were drained from the contract. The project team immediately suspended the reward-claim function and spent a large amount of $USDT to buy back the 307,264 tokens that had been lost.

After the attack the team engaged TonBit for an audit. TonBit assembled a team of auditors, reviewed the project's core code in full and identified 6 low-risk issues, which it reported to the team together with concrete fixes and then helped the team apply, restoring the contract to a secure and stable state.

[Figure: configuration-related issues discovered by TonBit during the audit]

Solution: Modify parameter configuration

2. Hackers misled users by manipulating controllable comment information displayed in wallets

Date: May 10, 2024

Loss Amount: 22,000 TON

Root Cause: Sender-controlled comment text rendered by wallets in a way that misleads users

Description:

A TON transfer message can carry a free-text comment in its body, and wallets display that comment alongside the transaction. In some wallets the UI presented this attacker-controlled text in a way that made it look like a trusted part of the interface. Attackers exploited this by sending transfers whose comments displayed false information to the user at transaction time, leading users to take actions they did not intend and to lose funds.

Solution:

Wallet applications should visually separate comment text from wallet-generated information and add a prominent notice that the comment was written by the sender and may not be trustworthy. Wallet teams should also improve the transaction-confirmation UI so that the information the user relies on (recipient, amount, contract call) is clearly distinguished from free-text payload. Users, for their part, should treat any instruction that arrives inside a transaction comment with suspicion.

Further Measures:

TonBit recommends that wallet teams add verification layers before presenting comment text, such as flagging the sender as unknown and marking comments that imitate system messages, so that their origin is clear to the user. Regular user education and published security tips further help users recognise this kind of fraud. Combining technical measures with user education is what reduces the rate of such incidents.

3. BookPad used a backdoored contract to defraud funds and then absconded with the money

Date: April 15, 2024

Loss Amount: 74,424 TON

Root Cause: BookPad used a backdoored contract to siphon user funds and then fled

Description:

BookPad deployed a closed-source smart contract containing a backdoor and ran a presale on it. Once enough funds had been collected, the team used the backdoor to withdraw them and disappeared with the money.

Solution:

To avoid similar losses, users should gather as much information as possible about a project team before committing funds, and prefer projects whose contracts are open-source and have undergone a rigorous security audit.

TonBit advises users to pay special attention to the following points:

1. Project Open Source: Confirm that the contract source is published and that the deployed code matches it (TON Verifier, mentioned in section 2.2.2, checks this), so that independent reviewers can look for hidden vulnerabilities or malicious code.

2. Security Audit: Choose projects audited by reputable security firms. An audit can identify and fix vulnerabilities in the contract before users are exposed to them, and its report should name the exact code that was reviewed.

3. Background Investigation of the Project: Investigate the background of the project team, the credibility of team members, and their track records. Projects with high transparency and good reputations are more trustworthy.

4. Community Feedback: Pay attention to community feedback on the project, participate in discussions, and understand the project's reputation and potential risks.

Further Measures:

TonBit suggests introducing stricter review and auditing mechanisms within the TON ecosystem, so that new projects are vetted against security standards before launch. A public registry of contract code, in which only audited contracts are listed, would also help: it would significantly reduce the risk of user funds being stolen and raise the overall security and credibility of the TON ecosystem.

5. How Users Can Stay Safe on TON and Telegram

With the rapid development of the TON and Telegram ecosystems, there are now over 38 million active accounts, and the increased attention has brought greater risks.

Scammers and malicious actors target the influx of novice users, making it crucial to remain vigilant and aware of potential risks, even in the safest ecosystems. Here are the most common scams you should be aware of.

5.1 Common Scams

1. Friends in Urgent Need: Scammers impersonate friends or family members, urgently requesting funds. Always verify their identity.

2. Phishing Websites: Fake websites mimic real ones to steal login information. Check URLs and avoid clicking on unknown links.

3. Investment Scams: These scams are very common in the cryptocurrency space, promising high returns without proof. Do thorough research; if it sounds too good to be true, it probably is.

4. Fake Surveys: Offering rewards for participating in surveys to steal personal information. Avoid providing detailed information to unknown surveyors.

5. Fake Job Opportunities: Attractive job ads requesting personal information, app downloads, or fees. Verify through official channels.

6. Classified Ad Scams: Fake ads lead you to fraudulent Telegram bots to steal information.

7. Pump and Dump: Groups manipulate cryptocurrency prices for profit, causing losses for others. Always research and verify investment advice.

8. Romance Scams: In online relationships, scammers request money or personal information. Be cautious of requests for money from people you meet online.

5.2 Beware of Toncoin Pyramid Schemes

Telegram's support for the TON blockchain has unfortunately attracted some scammers trying to exploit unsuspecting users. Here’s a detailed analysis of this scam:

1. Setup: Scammers send links to "exclusive money-making plans," seemingly from friends or contacts. They guide users to join an unofficial Telegram bot, falsely claiming it is for storing cryptocurrency.

2. Investment: Users are instructed to purchase Toncoin through legitimate channels (like wallets, P2P markets, or cryptocurrency exchanges). This adds false credibility. Once purchased, users must transfer their Toncoin to the scam bot.

3. Accelerator: Victims are then pushed to buy "accelerators" through a separate bot, costing between 5 and 500 Toncoin. This is the point at which the cryptocurrency is actually lost.

4. Recruitment: Scammers promote referral programs, asking users to create private Telegram groups and invite friends. They promise a fixed payment of 25 TON for each referral and commissions based on the accelerators purchased by referrals.

In reality, this is a typical pyramid scheme. Scammers profit while others lose their investment.

5.3 How to Avoid Online Scams

To protect yourself from online scams and ensure the security of your Telegram account, follow these basic steps:

1. Enable Two-Step Verification on Telegram: Go to "Settings > Privacy and Security > Two-Step Verification" to add an extra layer of security to your account.

2. Verify Contacts: Be cautious of unsolicited messages, especially those requesting personal information or funds. Confirm the sender's identity through other means.

3. Regularly Check Telegram Account Activity: Go to "Settings > Devices > Active Sessions" to check for unknown devices or sessions.

4. Report Suspicious Activity: If you encounter scams, report them to Telegram.

5. Avoid Get-Rich-Quick Schemes: Be wary of these schemes, even if recommended by friends or family, as they may also be victims.

6. Do Not Transfer Cryptocurrency to Unknown Wallets: Always verify the recipient's identity before transferring cryptocurrency to avoid being scammed.

Staying safe on TON and Telegram requires vigilance and awareness. By recognising the common scams above and following these tips, you can protect your assets and personal information: verify sources, stay sceptical of offers that seem too good to be true, and transact only through official channels.

6. Conclusion

The reason for choosing TON lies in recognising the Telegram ecosystem itself. Deploying a Web3 project on TON gives it access to Telegram's user base of over 900 million monthly active users (see section 3.3.1), a fertile environment for decentralized applications. TonBit is committed to providing comprehensive security assurance for the TON ecosystem, helping projects reach higher security standards and earn user trust, and will continue to contribute to the development of blockchain technology in that role.

Complete report: https://tonbit.xyz/reports-page

ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.