BitsLab 2024 Panoramic Insights on Emerging Public Chain Security: From MOVE Ecology to Bitcoin Expansion Track

The report focuses on the four major directions of Move, TON, Bitcoin expansion and Cosmos application chain, and provides detailed interpretations from three directions: technological innovation, security challenges, and historical security incidents, providing some experience for investors, developers, and white hat hackers. And thinking direction:

Move ecosystem (Aptos, Sui, etc.)

The report introduces how the Move language innovates smart contract programming in terms of resource management, modular design, and built-in security mechanisms, and provides an in-depth analysis of the respective innovation points and security architectures of Aptos and Sui.

The Move language was originally developed by Facebook (now Meta) for the Diem (Libra) project, aiming to solve the performance and security bottlenecks of traditional smart contract languages. The design of Move emphasizes the clarity and security of resources, ensuring the controllability of every state change on the blockchain. This innovative programming language offers the following significant advantages:

Resource Management Model: Move treats assets as resources, making them non-copyable or destroyable. This unique resource management model avoids double-spending or accidental asset destruction issues that are common in smart contracts.

Modular design: Move allows smart contracts to be built in a modular manner, improving code reusability and reducing development complexity.

High security: Move has built-in a large number of security checking mechanisms at the language level to prevent common security vulnerabilities, such as reentrancy attacks.

In addition, the report also reviews typical security incidents that occurred in Move virtual machines and Aptos networks from 2023 to the end of 2024, in order to remind the community to be wary of potential infinite recursive DoS vulnerabilities, memory pool eviction mechanism defects and other issues in the network.

For a detailed review of the Move ecological security incident, please download the report to view and read.

TON Ecology

TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, aiming to build a fast, secure and scalable blockchain platform to provide users with decentralized applications and services. By combining blockchain technology and Telegram's communication functions, TON achieves high performance, high security and high scalability. It supports developers to build various decentralized applications and provides distributed storage solutions. Compared with traditional blockchain platforms, TON has faster processing speed and throughput, and adopts a Proof-of-Stake consensus mechanism.

TON uses a proof-of-stake consensus mechanism and achieves high performance and versatility through its Turing-complete smart contracts and asynchronous blockchain. TON’s lightning-fast and low-cost transactions are powered by the chain’s flexible and shardable architecture. This architecture allows it to scale easily without losing performance. Dynamic sharding involves the initial development of separate shards with their own purposes that can run concurrently and prevent massive backlogs. TON has a block time of 5 seconds and a finalization time of less than 6 seconds.

The existing infrastructure is divided into two main parts:

●Masterchain: Responsible for processing all important and critical data of the protocol, including the address of the verifier and the amount of coins verified.

●Workchain: A secondary chain connected to the main chain, containing all transaction information and various smart contracts. Each workchain can have different rules.

The TON Foundation is a DAO operated by the TON core community and provides various support to projects in the TON ecosystem, including developer support and liquidity incentive programs. The report details the significant progress that the TON community has made in many aspects in 2024. The report also reveals recent vulnerabilities in malicious contracts that can lead to virtual machine resource exhaustion through nested structures, warning all parties to continue to strengthen contract security audits.

For more details about the TON ecosystem, please download the report to view.

Bitcoin expands ecology

Layer 2 and side chain solutions including Lightning Network, Liquid Network, Rootstock (RSK), B² Network, Stacks, etc. are driving Bitcoin’s breakthroughs in transaction expansion and programmability. Lightning Network improves transaction efficiency, Liquid Network accelerates inter-institutional transactions, and Rootstock combines security and smart contracts to expand the dApp ecosystem. In addition, B² Network and Stacks further deepen the functions and application scenarios of Bitcoin.

The Lightning Network is one of the most mature and widely used solutions for Bitcoin Layer 2. By establishing payment channels, it moves a large number of small transactions from the main chain to off-chain, thereby significantly increasing the transaction speed of Bitcoin and reducing handling fees.

 Image source: https://lightning.network/lightning-network-presentation-time-2015-07-06.pdf

Liquid Network is a sidechain running on the open source Elements blockchain platform, designed for faster transactions between exchanges and institutions. It is governed by a distributed consortium of Bitcoin companies, exchanges, and other stakeholders. Liquid uses a two-way peg mechanism to convert BTC to L-BTC and vice versa.

 Image source: https://docs.liquid.net/docs/technical-overview

Since its birth in 2015, Rootstock is the longest-running Bitcoin sidechain and launched its mainnet in 2018. It is unique in that it combines Bitcoin’s Proof-of-Work (PoW) security with Ethereum’s smart contracts. As an open source, EVM-compatible Bitcoin Layer 2 solution, Rootstock provides an entry point to the growing dApp ecosystem and is committed to achieving complete trustlessness.

The technical architecture of B² Network consists of two layers: Rollup layer and data availability (DA) layer. B² Network aims to redefine how users think about Bitcoin’s second layer solutions.

Since launching on mainnet under the name Blockstack in 2018, Stacks has become the leading Bitcoin Layer 2 solution. Stacks connects directly to Bitcoin, allowing smart contracts, dApps, and NFTs to be built on Bitcoin, significantly extending Bitcoin’s functionality beyond just a store of value. It uses a unique Proof-of-Transfer (PoX) consensus mechanism that ties its security directly to Bitcoin without modifying Bitcoin itself.

 Image source: https://docs.stacks.co/stacks-101/proof-of-transfer

Babylon’s vision is to extend the security of Bitcoin to protect the decentralized world. By leveraging three aspects of Bitcoin—its timestamping service, block space, and asset value—Babylon is able to deliver Bitcoin’s security to numerous Proof-of-Stake (PoS) chains, creating a more robust, unified ecosystem .

Although these technologies bring more possibilities to the Bitcoin ecosystem, they also face challenges such as the "replacement cycle attack" of the Lightning Network, UTXO calculation errors, and PoW rollback mechanism risks.

Read the full report to get more details about the Bitcoin ecosystem

Cosmos application chain ecosystem

With Tendermint consensus, Cosmos SDK and IBC cross-chain communication as the core, it has many technological innovations in the design ideas of the blockchain Internet.

The architecture of Cosmos adopts the Hub and Zone model. The Hub (center) serves as the core node of the cross-chain, connecting and coordinating multiple Zones (independent blockchains). The innovation of this architecture is:

Decentralized management: Each Zone is an independent, autonomous blockchain and does not need to rely on a single centralized management node.

Efficient cross-chain connection: Through Hub, cross-chain communication and asset flow can be seamlessly carried out between zones, achieving true interconnection.

The report provides an in-depth analysis of the potential security risks of the Cosmos application chain from the multi-module calling sequence to cross-chain messaging. It also combines the security disputes and governance process issues of the Liquidity Staking Module (LSM) to provide warnings and inspirations for more application chain projects. .

Read the full text of the report to get more details about the Cosmos application chain ecosystem

Years of vulnerability research results

The report details nine common types of security vulnerabilities in the blockchain industry. These vulnerabilities not only run through different technical levels, but also involve multiple core components of the blockchain ecosystem, covering everything from cross-chain communication to the economy. Learn all aspects of model design.

1. L2/L1 cross-chain communication vulnerabilities: Cross-chain communication is an important means to improve the interoperability of the blockchain ecosystem, but there are also many security risks in its implementation process. For example, L2 did not consider L1's block rollback, on-chain event forgery, and L2 did not detect whether the transaction sent to L1 was successful, etc.

2. Cosmos application chain vulnerability: Cosmos, as an ecosystem centered on blockchain interoperability, allows different blockchains to be connected through IBC (inter-chain communication protocol). However, there may also be some vulnerabilities and security risks in the implementation process of the Cosmos application chain, such as BeginBlocker and EndBlocker crash vulnerabilities, incorrect use of local time, incorrect use of random numbers, and 11 other vulnerabilities and security risks.

3. Bitcoin expansion ecological loopholes: including Bitcoin script construction loopholes, loopholes caused by not considering derivative assets, UTXO amount calculation error loopholes, etc.

4. Common loopholes in programming languages ​​(such as infinite loops, infinite recursion, integer overflow, race conditions, etc.)

5. P2P network vulnerability: P2P (point-to-point) network is used for direct connection and communication between distributed nodes in the blockchain system. Although the P2P network provides a network foundation for decentralized systems, it also faces a series of common vulnerability types such as alien attack vulnerabilities, lack of trust model mechanism, and lack of node number limit mechanism.

6. DoS attacks : including memory exhaustion attacks, hard disk exhaustion attacks, kernel handle exhaustion attacks, persistent memory leaks, etc.

7. Cryptography vulnerabilities: Cryptography vulnerabilities will destroy the confidentiality and integrity of data and bring potential security threats to the system. The main types of cryptography vulnerabilities include the use of hash algorithms that have been proven to be unsafe, the use of unsafe custom hash algorithms, hash collisions caused by unsafe use, etc.

8. Ledger security vulnerabilities: (such as transaction memory pool vulnerability, block hash collision vulnerability, orphan block processing logic vulnerability, Merkle tree hash collision vulnerability, etc.)

9. Economic model loopholes: Economic models play a vital role in blockchain and distributed systems, affecting the incentive mechanism, governance structure and overall sustainability of the network. The economic models listed in the report Vulnerabilities require special attention.

Read the full report to learn more about the types of security vulnerabilities

List of common attack surfaces

The report also lists 13 common attack surfaces. Each link may become a breakthrough point for hacker attacks and deserves double attention from developers and project parties:

1. Virtual machine

2. P2P node discovery and data synchronization module

3. Block analysis module

4. Transaction analysis module

5. Consensus protocol module

6. “Please check other attack surfaces in the report”

…

Security Development Best Practices

Through rich case reviews and offensive and defensive practices, the report extracts systematic security response ideas.

In terms of security protection, this report specifically provides detailed suggestions on best practices for chain development, covering block and transaction processing, smart contract virtual machines, log systems and RPC interfaces, P2P protocol design to prevent DoS attacks, and transport layer encryption. With certification, fuzzing and static code analysis, third-party security audit process and other aspects, we strive to provide clear and feasible security guidelines for the entire life cycle of blockchain projects.

For detailed security development best practices, please download the report to view.