BitsLab releases groundbreaking security research findings: 2024 Emerging Public Chain Security Panorama Insights
This report focuses on four major directions: Move, TON, Bitcoin expansion, and Cosmos application chains. It provides a detailed interpretation from three aspects: technological innovation, security challenges, and historical security events, offering insights and reflections for investors, developers, and white-hat hackers. Some references in this report are sourced from RootData (https://www.rootdata.com).
Move Ecosystem (Aptos, Sui, etc.)
The report introduces how the Move language innovates smart contract programming in resource management, modular design, and built-in security mechanisms, and conducts an in-depth analysis of the innovations and security architecture of Aptos and Sui.
The Move language was originally developed by Facebook (now Meta) for the Diem (Libra) project, aiming to address the performance and security bottlenecks of traditional smart contract languages. Move's design emphasizes the clarity and security of resources, ensuring the controllability of every state change on the blockchain. This innovative programming language has the following significant advantages:
- Resource Management Model: Move treats assets as resources that can be neither copied nor implicitly destroyed. This resource management model avoids common smart contract issues such as double spending or accidental asset destruction.
- Modular Design: Move allows smart contracts to be constructed in a modular way, enhancing code reusability and reducing development complexity.
- High Security: Move has numerous security checks built in at the language level to prevent common security vulnerabilities, such as reentrancy attacks.
Additionally, the report reviews typical security incidents that occurred in the Move virtual machine and Aptos network from 2023 to the end of 2024, reminding the community to be vigilant about potential issues such as infinite recursion DoS vulnerabilities and memory pool eviction mechanism flaws.
For a detailed review of Move ecosystem security incidents, please download the report to read
TON Ecosystem
TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, aimed at building a fast, secure, and scalable blockchain platform to provide users with decentralized applications and services. By combining blockchain technology with Telegram's communication features, TON achieves high performance, high security, and high scalability. It supports developers in building various decentralized applications and provides distributed storage solutions. Compared to traditional blockchain platforms, TON offers faster processing speeds and throughput.
TON employs a Proof-of-Stake consensus mechanism and achieves high performance and multifunctionality through its Turing-complete smart contracts and asynchronous blockchain. Its fast, low-cost transactions are supported by the chain's flexible, sharded architecture, which allows for easy scalability without sacrificing performance. Under dynamic sharding, separate shards, each with its own purpose, run simultaneously and prevent large-scale backlogs. The block time for TON is 5 seconds, with a finalization time of less than 6 seconds.
The existing infrastructure is divided into two main parts:
- Masterchain: Responsible for processing all important and critical data of the protocol, including validator addresses and the amount of coins validated.
- Workchain: Secondary chains connected to the masterchain, containing all transaction information and various smart contracts, with each workchain potentially having different rules.
The TON Foundation operates as a DAO run by the core TON community, providing various support for projects within the TON ecosystem, including developer support and liquidity incentive programs. The report details significant progress made by the TON community in multiple areas in 2024 and also reveals recent vulnerabilities where malicious contracts can lead to resource exhaustion in the virtual machine through nested structures, warning all parties to continuously strengthen contract security audits.
For more detailed content about the TON ecosystem, please download the report to view
Bitcoin Expansion Ecosystem
Layer 2 and sidechain solutions, including Lightning Network, Liquid Network, Rootstock (RSK), B² Network, and Stacks, are driving breakthroughs in Bitcoin's transaction scalability and programmability. The Lightning Network enhances transaction efficiency, Liquid Network accelerates inter-institutional transactions, while Rootstock combines security with smart contracts to expand the dApp ecosystem. Additionally, B² Network and Stacks further deepen Bitcoin's functionality and application scenarios.
The Lightning Network is one of the most mature and widely used Layer 2 solutions for Bitcoin. It significantly increases Bitcoin's transaction speed and reduces fees by establishing payment channels that move a large number of small transactions off the main chain.
Image source: https://lightning.network/lightning-network-presentation-time-2015-07-06.pdf
Liquid Network is a sidechain running on the open-source Elements blockchain platform, designed for faster transactions between exchanges and institutions. It is governed by a distributed alliance composed of Bitcoin companies, exchanges, and other stakeholders. Liquid uses a two-way peg mechanism to convert BTC to L-BTC and vice versa.
Image source: https://docs.liquid.net/docs/technical-overview
Rootstock is the longest-running Bitcoin sidechain: it dates from 2015 and launched its mainnet in 2018. Its uniqueness lies in combining Bitcoin's Proof-of-Work (PoW) security with Ethereum's smart contracts. As an open-source, EVM-compatible Bitcoin Layer 2 solution, Rootstock provides an entry point for the growing dApp ecosystem and aims for complete trustlessness.
B² Network's technical architecture includes a two-layer structure: Rollup layer and Data Availability (DA) layer. B² Network aims to redefine user perceptions of Bitcoin's second-layer solutions.
Since its mainnet launch in 2018 under the name Blockstack, Stacks has become a leading Bitcoin Layer 2 solution. Stacks connects directly to Bitcoin, allowing for the creation of smart contracts, dApps, and NFTs on Bitcoin, significantly expanding Bitcoin's functionality beyond that of a store of value. It employs a unique Proof-of-Transfer (PoX) consensus mechanism that ties its security directly to Bitcoin without modifying Bitcoin itself.
Image source: https://docs.stacks.co/stacks-101/proof-of-transfer
Babylon's vision is to extend Bitcoin's security to protect the decentralized world. By leveraging three aspects of Bitcoin—its timestamp service, block space, and asset value—Babylon can transfer Bitcoin's security to numerous Proof-of-Stake (PoS) chains, creating a more robust and unified ecosystem.
While these technologies bring more possibilities to the Bitcoin ecosystem, they also face challenges such as "substitute loop attacks" in the Lightning Network, UTXO calculation errors, and risks associated with PoW rollback mechanisms.
Read the full report for more detailed content about the Bitcoin ecosystem
Cosmos Application Chain Ecosystem
With Tendermint consensus, the Cosmos SDK, and IBC cross-chain communication at its core, Cosmos features multiple technological innovations in its design concept of an internet of blockchains.
Cosmos's architecture adopts a Hub and Zone model, where the Hub serves as the core node for cross-chain connections and coordination among multiple Zones (independent blockchains). The innovation of this architecture lies in:
- Decentralized Management: Each Zone is an independent, autonomous blockchain that does not rely on a single centralized management node.
- Efficient Cross-Chain Connectivity: Through the Hub, Zones can seamlessly communicate and transfer assets across chains, achieving true interoperability.
The report deeply analyzes potential security risks in the Cosmos application chain, from multi-module calling sequences to cross-chain message passing, and combines the security controversies and governance process issues of the Liquidity Staking Module (LSM) to provide warnings and insights for more application chain projects.
Read the full report for more detailed content about the Cosmos application chain ecosystem
Years of Vulnerability Research Findings
The report details nine major types of security vulnerabilities commonly found in the blockchain industry. These vulnerabilities span different technical layers and involve core components of multiple blockchain ecosystems, covering various aspects from cross-chain communication to economic model design.
1. L2/L1 Cross-Chain Communication Vulnerabilities: Cross-chain communication is an important means to enhance the interoperability of blockchain ecosystems, but there are many security risks in its implementation. For example, the L2 may fail to account for L1 block rollbacks, on-chain event forgery, or whether transactions sent to L1 actually succeeded.
2. Cosmos Application Chain Vulnerabilities: As an ecosystem centered on blockchain interoperability, Cosmos allows different blockchains to connect through IBC (Inter-Blockchain Communication protocol). However, implementations of Cosmos application chains may contain vulnerabilities and security risks such as BeginBlocker and EndBlocker crash vulnerabilities, incorrect use of local time, and incorrect use of random numbers.
3. Bitcoin Expansion Ecosystem Vulnerabilities: Including Bitcoin script construction vulnerabilities, vulnerabilities caused by unconsidered derivative assets, UTXO amount calculation errors, etc.
4. Common Programming Language Vulnerabilities (such as infinite loops, infinite recursion, integer overflow, race conditions, etc.)
5. P2P Network Vulnerabilities: P2P (peer-to-peer) networks are used for direct connections and communication between distributed nodes in blockchain systems. Although P2P networks provide the network foundation for decentralized systems, they also face a series of common vulnerability types such as shape-shifting attack vulnerabilities, lack of trust model mechanisms, and lack of node quantity limitation mechanisms.
6. DoS Attacks: Including memory exhaustion attacks, disk exhaustion attacks, kernel handle exhaustion attacks, and persistent memory leaks.
7. Cryptographic Vulnerabilities: Cryptographic vulnerabilities can compromise data confidentiality and integrity, posing potential security threats to systems. Major types of cryptographic vulnerabilities include using hash algorithms that have been proven to be insecure, using unsafe custom hash algorithms, and hash collisions caused by unsafe usage.
8. Ledger Security Vulnerabilities (such as transaction memory pool vulnerabilities, block hash collision vulnerabilities, orphan block processing logic vulnerabilities, Merkle tree hash collision vulnerabilities, etc.)
9. Economic Model Vulnerabilities: Economic models play a crucial role in blockchain and distributed systems, affecting the network's incentive mechanisms, governance structures, and overall sustainability. The economic model vulnerabilities listed in the report require special attention.
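To make item 1 concrete, the following added example (not taken from the report or from any BitsLab code) sketches an L2 deposit watcher that tolerates L1 rollbacks: it credits a deposit only once the containing L1 block is buried under a confirmation depth, discards blocks that a reorg removes, and halts if a reorg reaches below that depth. The names `L1Block`, `DepositWatcher` and `CONFIRMATIONS`, and the sample block hashes, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

CONFIRMATIONS = 3  # assumed finality depth; a real bridge chooses this per L1


@dataclass
class L1Block:
    height: int
    hash: str
    parent: str
    deposits: tuple = ()  # entries of (deposit_id, account, amount)


@dataclass
class DepositWatcher:
    chain: list = field(default_factory=list)     # L1 branch currently followed
    credited: dict = field(default_factory=dict)  # deposit_id -> (account, amount)

    def on_block(self, blk):
        """Consume the next L1 block; return deposit ids newly credited on L2."""
        # Rollback handling: unwind our view until blk extends the tip.
        while self.chain and self.chain[-1].hash != blk.parent:
            stale = self.chain.pop()
            # A credited deposit vanished from L1: stop instead of continuing
            # with an L2 balance that has no L1 backing.
            if any(d[0] in self.credited for d in stale.deposits):
                raise RuntimeError(f"reorg below finality depth at L1 height {stale.height}")
        self.chain.append(blk)
        newly = []
        if len(self.chain) > CONFIRMATIONS:
            final = self.chain[-1 - CONFIRMATIONS]  # has CONFIRMATIONS blocks on top
            for dep_id, account, amount in final.deposits:
                if dep_id not in self.credited:     # idempotent: credit once
                    self.credited[dep_id] = (account, amount)
                    newly.append(dep_id)
        return newly


def demo():
    # Constructed L1 history: branch "a" carries deposit d1 and is replaced by
    # branch "b" (forking after a1), which carries deposit d2 instead.
    a = [L1Block(1, "a1", "g"), L1Block(2, "a2", "a1", (("d1", "alice", 50),)),
         L1Block(3, "a3", "a2")]
    b = [L1Block(2, "b2", "a1"), L1Block(3, "b3", "b2", (("d2", "bob", 7),)),
         L1Block(4, "b4", "b3"), L1Block(5, "b5", "b4"), L1Block(6, "b6", "b5")]
    w = DepositWatcher()
    return w, [w.on_block(x) for x in a + b]
```
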
Read the full report to understand detailed content about security vulnerability types
Common Attack Surface List
The report also lists 13 common attack surfaces, each of which could become a breakthrough point for hacker attacks, warranting extra attention from developers and project parties:
1. Virtual Machine
2. P2P Node Discovery and Data Synchronization Module
3. Block Parsing Module
4. Transaction Parsing Module
5. Consensus Protocol Module

For other attack surfaces, please refer to the report.
…
Best Practices for Secure Development
Through rich case reviews and offensive and defensive practices, the report distills a systematic approach to security response.
In terms of security protection, this report provides detailed recommendations on best practices for chain development, covering various aspects such as block and transaction processing, smart contract virtual machines, logging systems and RPC interfaces, P2P protocol design to prevent DoS attacks, encryption and authentication at the transport layer, fuzz testing, static code analysis, and third-party security audit processes, aiming to provide clear and feasible security guidance for the entire lifecycle of blockchain projects.
Background of the Report:
At the beginning of 2025, reflecting on the past year, blockchain technology has continued to iterate rapidly on a global scale: from transaction processing performance to cross-chain interactions, and to smart contract languages and node expansion solutions, the entire industry is entering a new stage that is more diverse and complex. Meanwhile, various emerging public chain ecosystems have rapidly risen, continuously leading the technological trends and ecological prosperity of the Web3 world with flexible network architectures, innovative programming models, and rich and diverse application scenarios.
However, security risks continue to emerge. Once an attack or vulnerability exploitation occurs, it can lead not only to asset losses on the chain but also potentially cause network paralysis, jeopardizing the stability of the entire blockchain ecosystem. Therefore, BitsLab, a globally leading organization focused on safeguarding and building emerging Web3 ecosystems, has released the “2024 Emerging Public Chain Panorama Observation and Security Research Report” to help industry stakeholders accurately anticipate risks and formulate effective protective strategies.
Company Introduction
BitsLab has long focused on security in the blockchain and Web3 industry, accumulating rich auditing experience and technical expertise. From the Move ecosystem, TON network, to Bitcoin expansion fields and Cosmos application chain ecosystems, BitsLab has provided security auditing and infrastructure support for numerous blockchain projects. The report released this time is both a result of BitsLab's continuous research and practical accumulation and a professional guide for the entire industry: it is hoped that more project parties, investment institutions, researchers, and community members will read this report and steadily advance in the rapidly iterating technological wave, allowing the decentralized world to achieve healthy and sustainable development based on security.
The “2024 Emerging Public Chain Panorama Observation and Security Research Report” is now officially online. Interested readers are welcome to obtain the complete version of the report through BitsLab's official website and partner platforms, gaining deep insights into the forefront of blockchain security dynamics, and working together with BitsLab to build a solid defense for emerging public chains. Let us jointly welcome a broader development prospect for the Web3 world and contribute to a more prosperous and robust future for decentralized ecosystems!
About BitsLab
BitsLab is a security organization dedicated to safeguarding and building emerging Web3 ecosystems, with the vision of becoming a respected Web3 security institution in the industry and among users. It has three sub-brands: MoveBit, ScaleBit, and TonBit.
BitsLab focuses on infrastructure development and security auditing for emerging ecosystems, covering but not limited to Sui, Aptos, TON, Linea, BNB Chain, Soneium, Starknet, Movement, Monad, Internet Computer, and Solana ecosystems. At the same time, BitsLab has demonstrated profound professional capabilities in auditing various programming languages, including Circom, Halo2, Move, Cairo, Tact, FunC, Vyper, Rust, and Solidity.
The BitsLab team brings together several top vulnerability research experts who have won international CTF awards multiple times and discovered critical vulnerabilities in well-known projects such as TON, Aptos, Sui, Nervos, OKX, and Cosmos.