Study from a technical perspective how TON, a public chain backed by Telegram, rose

In 2018, the Telegram team launched a revolutionary public chain project - TON, which attracted a lot of attention as soon as it was released because of the huge potential Web2 user group behind it.

TON has experienced several twists and turns in its development. In 2023, TON launched the DeFi liquidity incentive plan and held the Hack-a-TON hackathon, aiming to attract top developers from around the world to inject fresh blood into the TON ecosystem and jointly explore cutting-edge technology fields such as DeFi and NFT. Today, it is becoming a rapidly developing and vibrant ecosystem.

TON Development History

In 2018, Telegram founded the Telegram Open Network project and raised about $1.7 billion through ICO, but Telegram was later accused by the SEC of illegal fundraising. In 2020, the Telegram team agreed to pay a fine of $18.5 million to reach a settlement with the SEC, abandon the Telegram Open Network project and return the funds.

The Telegram team then locked all the tokens in the Telegram Open Network into a smart contract, and anyone can participate in mining to obtain TON tokens (TON mining ended in June 2022, and the TON network has been completely transformed into PoS). Telegram handed over the Telegram Open Network to the community, and developers named NewTON community continued to develop it. Later, the NewTON community was renamed TON Foundation, and Telegram Open Network was also renamed The Open Network, which is now the TON public chain.

While Telegram was waiting for the SEC's ruling in 2020, TON Labs forked Telegram Open Network and released the "Free TON" version. Currently, Free TON has been renamed Everscale, and its development path and code are very different from the original TON.

TON on-chain data

Currently, there are 357 validators on the chain, and the total amount of $TON staked under the PoS mechanism is more than 500 million, distributed in 24 countries.

https://www.tonstat.com/#toncoin

source: https://www.tonstake.com/#/

TON Token Data

$TON has token contracts on both the ETH and BSC chains. According to data from the EagleEye platform, on September 17, $TON's on-chain transactions saw a short-term peak, with the Buy/Sell Ratio approaching 1.17. The $TON price reached a recent high of $2.6 on September 20.

source: https://eagleeye.space/detail/toncoin

In addition, EagleEye platform monitored that the recent trading of $TON on the centralized exchange MEXC was very active. On October 5, TON announced that it had received a $10 million investment from MEXC Ventures, and the two parties established a strategic partnership. MEXC will provide marketing services and promotion for the TON ecosystem, and provide $TON mortgage loan services.

source: https://eagleeye.space/detail/toncoin

TON Design Features

1. Smart contract calls are asynchronous

Unlike public chains such as Ethereum, calls between smart contracts on TON are asynchronous. This design improves scalability because when a smart contract calls a function of another smart contract, the call will not be executed immediately and all transactions do not need to be processed in one block. But at the same time, asynchrony also increases the threshold for developers to develop and maintain applications on the TON chain.

source: Beosin

3. Distributed Hash Table

The way blockchain network data is stored and accessed affects the data consistency, accessibility, and security of its network. TON uses hash tables for data storage.

First, a hash table is a data structure that enables fast data access by mapping keys to buckets using a hash function. In TON, the hash table is distributed, meaning that data is stored on multiple nodes in the network.

When a data item needs to be stored, TON uses a hash function to determine which node the data item should be stored on.

When data needs to be retrieved, the same hash function is used to quickly find the node where the data is stored, allowing efficient data insertion, deletion, and lookup operations.

Data is encrypted and redundantly stored on multiple nodes. Even if some nodes fail or are attacked, data can still be recovered from other nodes, ensuring data security and persistence. Compared with traditional hash tables, distributed hash tables provide higher performance and reliability in distributed and large-scale environments.

The following is a comparison between TON and Ethereum and Bitcoin networks:

The "Secret Chats" feature launched in Telegram uses end-to-end encryption technology to improve the security of message transmission between users. At the end of 2022, Telegram further updated and launched a blockchain-based anonymous number login function, allowing users to log in without registering with a mobile phone number and only by saving the mnemonic of the TON wallet, thus providing an additional privacy option.

In January 2023, TON further expanded its functionality and released TON Storage. This is a peer-to-peer file sharing system that has some similarities to Dropbox and torrents. The system is characterized by simplifying the file exchange process and providing encryption protection for files stored on the blockchain. At the same time, in order to ensure the persistent storage of files, node operators who host these files can also receive corresponding incentives.

TON Development Language

When developing smart contracts on TON, developers have three programming language options: Fift, FunC, and Tact. Fift is a low-level language that includes TVM and Fift assembly instructions. It is difficult to develop with Fift, and very few developers choose to use the Fift language to develop smart contracts. Tact is a new high-level language launched by TON, with a syntax similar to Typescript, designed to reduce the difficulty of development. The most commonly used development language is FunC, which is a programming language similar to C.

source: Beosin

When developing TON smart contracts, the Beosin security team recommends that developers pay attention to the following 7 points :

1. Both FunC and Tact are statically typed languages. Developers need to be very clear about the data types stored in the variables in their code. Reading unexpected types and values ​​will cause errors.

2. The TON blockchain does not contain revert messages. Therefore, developers need to consider the end path of the code execution.

3. The TON blockchain has multiple transaction phases: computational phase, actions phase, and bounce phase. Contract code is executed in the computational phase, and messages are sent in the actions phase. Therefore, developers need to pay attention to the current phase of transaction execution when testing the code.

4. Functions with the method_id identifier in FunC can be used to receive internal and external messages of the blockchain.

5. The TON blockchain is asynchronous, and developers need to pay attention to handling failed call information.

6. Pay attention to the code for processing bounced messages in smart contracts. If a smart contract sends a bounced message with TON assets to other accounts, it is recommended to deduct gas fees in the smart contract.

7. For external messages, developers need to be aware of the risk of replay attacks. Replay attacks can be avoided by setting counters or identifiers.

The Beosin security team has officially launched a security audit service for TON smart contracts, aiming to discover and assist project owners in fixing security risks in the project in advance and to protect the asset security of users and project owners . The main security audit items include:

1. Replay Attack

The simplest way to protect smart contracts from replay attacks on external messages is to store a 32-bit counter cur-seqno in the smart contract's persistent data and expect a req-seqno value in any inbound external message (signature part). The external message will only be accepted if the signature is valid and req-seqno is equal to c007r-seqno. After successful processing, the cur-seqno value in the persistent data is increased by one, so the same external message will not be accepted again.

Without seqno (or other mechanisms to prevent replay attacks), anyone (usually the recipient of funds) can read the transaction data (e.g. from a blockchain explorer) and create another fake transaction and resend it to the original wallet smart contract and force it to resend the TON again, eventually draining it of all its funds.

2. Access Control

In the contract, only certain users should have the authority to perform certain operations. For example, NFT transfers should only be performed by the NFT owner (or an account authorized by the owner). The contract should strictly check the authority, and if it passes, the transfer operation will be performed. If it fails, the transaction should be rolled back.

3. Variable coverage

In FunC contracts, variables are written through the set_data function. If the variable order or variable name is written incorrectly, it is easy to accidentally write the wrong variable and overwrite the original variable.

4. Business Design

Some project contracts are designed to be vulnerable to attacks, and it is necessary to strictly consider whether there is a possibility of attack in the design from the attacker's perspective.

5. Business Implementation

In some projects, there is no attack risk in the design, but when it comes to implementation, there are problems that are not in accordance with the original design or implementation method, which leads to vulnerabilities.

6. Error Handling

Due to the design of TON, the end path of the code needs to be considered by developers. The contract may receive bounced messages, and the contract needs to handle these messages correctly. In addition, when handling bounced messages, it is also necessary to consider the situation of gas exhaustion, which can also cause unexpected errors.

7. Check missing

Each stage of the message flow needs to be checked. An attacker can start another message flow while the first stage of the message flow is executing, causing the previous check to fail.

8. Message flow error

The message flow should be ensured to comply with the design, otherwise unexpected errors and losses may occur.

9. Data structure check

There will be functions in FunC for message passing and stages, which may have problems (for example: the end_parse() function checks whether the slice is empty, otherwise it throws an exception. It ensures that the slice has the expected effect. The logic of throwing exceptions may be written incorrectly when the code is written, such as throwing an exception but not returning a value. Other functions may also have the same problem).

10. Serialized message passing problem

There may be errors in serializing messages in receiving or getting functions, such as send_raw_message function.

a. Function naming, configuration naming, private variable naming, whether the get function returns a reasonable value, revert judgment, and 0 address check.

b. Some privilege risks. There will also be such functions in func, which can increase centralization or excessive permissions.

The msg call in FunC is different from the usual one. The signature and call length are sent according to the position, which may cause problems.

TON Ecosystem

There are currently 551 apps in the TON ecosystem, distributed in more than 19 sub-sectors.

wallet

Ton Space is a non-custodial wallet in @wallet and a native wallet embedded in Telegram. It can be used to import existing TON blockchain wallets or create new TON blockchain wallets. Users can also choose to use TG accounts and emails to save corresponding private keys and view, send and trade NFTs. Ton Space will soon support more features, including DeFi applications such as DEX, staking and lending protocols, and users can use TON Connect to access third-party dApps on TON.

https://wallet.tg/

Currently, the TON blockchain wallet that supports the largest number of platforms is Tonkeeper, which supports web and mobile terminals. Users can also view NFTs on the TON chain on the mobile terminal. It is worth noting that TON's wallet is a smart contract wallet, which not only enables more sharding of the TON network, but also provides the wallet with the possibility of realizing more complex applications.

https://tonkeeper.com/

DEX

Currently, there are 6 major decentralized exchanges in the TON ecosystem, including Megaton Finance, ION Finance, DeDust, STON.fi, Flex and Tegro Finance. These DEXs have different focuses in terms of user audiences. Ston.fi and DeDust have the largest user base (users who swap), while DeDust and Megaton have more active users.

https://megaton.fi/pool

In addition, Storm Trade, an exchange with a decentralized order book model, is currently under testing. It supports both the web version and the Telegram bot mode. In the future, users can directly interact with the bot developed by Storm Trade.

Borrowing

The first lending project of TON chain, Evaa Protocol, is expected to launch the Beta version on October 10. On July 19, Evaa Protocol announced that TONcoin.fund became its strategic investor, and on October 2, it completed a private placement of $130,000 on the Tonstarter platform. The addition of the lending protocol Evaa Protocol will benefit the asset liquidity of the TON ecosystem.

https://evaa.finance/

Cross-chain bridge

Currently, TON's official cross-chain bridge supports cross-chain assets between TON and ETH, and BSC, and the official cross-chain bridges of other chains are still under development.

In addition, third-party cross-chain bridges include Orbit Bridge, Wallet Bridge and Tontake Bridge. Orbit Bridge and Megaton Finance are both developed by the KlaySwap team, a DEX platform on the Korean public chain Klaytn, and support cross-chain of 11 public chains. Wallet Bridge and Tontake Bridge are in the form of Telegram bots, but they are used by fewer people, so users need to pay attention to the risks of interaction.

Data Platform

https://beta.redoubt.online/

Its development team Devnull won the second prize in the Hack-a-Ton hackathon supported by Beosin in July this year, and will support more TON-related data analysis in the future.

TON’s Present and Future

Currently, TON is vigorously developing the DeFi ecosystem. This year, TON has held two large hackathons, both of which were related to DeFi. As the exclusive security partner of Hack-a-ton x DWF Labs x AWS, Beosin provides developers with workshop guidance and weekly Q&A to solve the challenges faced by developers in building TON ecosystem projects .

Beosin becomes TON hackathon partner

In addition, TON has been vigorously organizing community gatherings and developer training camps in various regions to attract more developers to participate in the construction of the TON ecosystem. Beosin hosted TON offline meetups in Singapore and Bali as a local partner in July and August this year, and provided contract development training and security audit discounts for the participating teams of the Seoul Tact BootCamp.

Beosin collaborates with TON community

While the second hackathon was underway, TON opened applications for the ecosystem project liquidity incentive program on June 6 to support DeFi projects in the TON ecosystem and attract more users.

It will not be difficult for Telegram trading bots such as Unibot and Banana Gun to support the trading of TON ecosystem tokens in the future.

Beosin's EagleEye on-chain monitoring platform also plans to launch a Telegram bot in the future to provide users with quick project information and data query . Currently, EagleEye already supports analyzing on-chain whale addresses, detecting contract risks, monitoring project social media platforms, and providing users with comprehensive project information.

https://eagleeye.space/detail/toncoin

In summary, with the gradual construction of the ecosystem and TON's advantages in mobile terminals, TON still has great potential and has a great chance of attracting a large number of users to participate in its ecosystem in the future.