This report focuses on four major directions: Move, TON, Bitcoin expansion, and Cosmos application chains, providing a detailed interpretation from three aspects: technological innovation, security challenges, and historical security incidents.
The report focuses on four major directions: Move, TON, Bitcoin expansion, and Cosmos application chains, providing a detailed interpretation from three aspects: technological innovation, security challenges, and historical security incidents, offering some experiences and thoughts for investors, developers, and white-hat hackers:
Move Ecosystem (Aptos, Sui, etc.)
The report introduces how the Move language innovates smart contract programming in resource management, modular design, and built-in security mechanisms, and provides an in-depth analysis of the innovations and security architecture of Aptos and Sui.
The Move language was originally developed by Facebook (now Meta) for the Diem (Libra) project, aiming to address the performance and security bottlenecks of traditional smart contract languages. The design of Move emphasizes the clarity and security of resources, ensuring the controllability of every state change on the blockchain. This innovative programming language has the following significant advantages:
Resource Management Model: Move treats assets as resources, making them non-replicable or destructible. This unique resource management model avoids common issues in smart contracts, such as double spending or accidental asset destruction.
Modular Design: Move allows smart contracts to be constructed in a modular way, improving code reusability and reducing development complexity.
High Security: Move has a large number of built-in security checks at the language level to prevent common security vulnerabilities, such as reentrancy attacks.
Additionally, the report reviews typical security incidents that occurred with the Move virtual machine and Aptos network from 2023 to the end of 2024, reminding the community to be vigilant about potential infinite recursion DoS vulnerabilities, memory pool eviction mechanism flaws, and other issues.
For a detailed review of Move ecosystem security incidents, please download the report for reading
TON Ecosystem
TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, aimed at building a fast, secure, and scalable blockchain platform to provide users with decentralized applications and services. By combining blockchain technology with Telegram's communication features, TON achieves high performance, high security, and high scalability. It supports developers in building various decentralized applications and provides distributed storage solutions. Compared to traditional blockchain platforms, TON has faster processing speeds and throughput, and employs a Proof-of-Stake consensus mechanism.
TON uses a Proof-of-Stake consensus mechanism and achieves high performance and multifunctionality through its Turing-complete smart contracts and asynchronous blockchain. The lightning-fast and low-cost transactions of TON are supported by the chain's flexible and sharded architecture. This architecture allows for easy scaling without sacrificing performance. Dynamic sharding involves initially developed separate shards with their own purposes, which can run simultaneously and prevent large-scale congestion. The block time for TON is 5 seconds, with finalization time of less than 6 seconds.
The existing infrastructure is divided into two main parts:
● Masterchain: Responsible for processing all important and critical data of the protocol, including the addresses of validators and the amount of coins validated.
● Workchain: Secondary chains connected to the masterchain, containing all transaction information and various smart contracts, with each workchain potentially having different rules.
The TON Foundation is a DAO operated by the core TON community, providing various support for projects within the TON ecosystem, including developer support and liquidity incentive programs. The report details the significant progress made by the TON community in multiple areas in 2024, while also revealing a recent vulnerability where malicious contracts can lead to resource exhaustion in the virtual machine through nested structures, warning all parties to continuously strengthen contract security audits.
For more detailed content on the TON ecosystem, please download the report for viewing
Bitcoin Expansion Ecosystem
Layer 2 and sidechain solutions, including the Lightning Network, Liquid Network, Rootstock (RSK), B² Network, and Stacks, are driving breakthroughs in Bitcoin's transaction scalability and programmability. The Lightning Network enhances transaction efficiency, Liquid Network accelerates inter-institutional transactions, while Rootstock combines security with smart contracts to expand the dApp ecosystem. Additionally, B² Network and Stacks further deepen Bitcoin's functionality and application scenarios.
The Lightning Network is one of the most mature and widely used Layer 2 solutions for Bitcoin. It significantly increases Bitcoin's transaction speed and reduces fees by establishing payment channels that move a large number of small transactions off the main chain.
Image source: https://lightning.network/lightning-network-presentation-time-2015-07-06.pdf
Liquid Network is a sidechain running on the open-source Elements blockchain platform, designed for faster transactions between exchanges and institutions. It is governed by a distributed alliance composed of Bitcoin companies, exchanges, and other stakeholders. Liquid uses a two-way peg mechanism to convert BTC to L-BTC and vice versa.
Image source: https://docs.liquid.net/docs/technical-overview
Rootstock has been the longest-running Bitcoin sidechain since its inception in 2015, launching its mainnet in 2018. Its uniqueness lies in combining Bitcoin's Proof-of-Work (PoW) security with Ethereum's smart contracts. As an open-source, EVM-compatible Bitcoin Layer 2 solution, Rootstock provides an entry point for the growing dApp ecosystem and aims for complete trustlessness.
The technical architecture of B² Network includes a two-layer structure: Rollup layer and Data Availability (DA) layer. B² Network aims to redefine user perceptions of Bitcoin's second-layer solutions.
Since its launch on the mainnet in 2018 under the name Blockstack, Stacks has become a leading Bitcoin Layer 2 solution. Stacks connects directly to Bitcoin, allowing for the construction of smart contracts, dApps, and NFTs on Bitcoin, significantly expanding Bitcoin's functionality beyond just a value storage tool. It employs a unique Proof of Transfer (PoX) consensus mechanism that ties its security directly to Bitcoin without modifying Bitcoin itself.
Image source: https://docs.stacks.co/stacks-101/proof-of-transfer
Babylon's vision is to extend Bitcoin's security to protect the decentralized world. By leveraging three aspects of Bitcoin — its timestamp service, block space, and asset value — Babylon can transfer Bitcoin's security to numerous Proof-of-Stake (PoS) chains, creating a more robust and unified ecosystem.
While these technologies bring more possibilities to the Bitcoin ecosystem, they also face challenges such as the Lightning Network's "substitute loop attack," UTXO calculation errors, and PoW rollback mechanism risks.
Read the full report for more detailed content on the Bitcoin ecosystem
Cosmos Application Chain Ecosystem
With Tendermint consensus, Cosmos SDK, and IBC cross-chain communication at its core, it features multiple technological innovations in the design concept of the blockchain internet.
The architecture of Cosmos adopts a Hub and Zone model, where the Hub serves as the core node for cross-chain connectivity, connecting and coordinating multiple Zones (independent blockchains). The innovation of this architecture lies in:
Decentralized Management: Each Zone is an independent, autonomous blockchain that does not rely on a single centralized management node.
Efficient Cross-Chain Connectivity: Through the Hub, seamless cross-chain communication and asset flow can occur between Zones, achieving true interoperability.
The report deeply analyzes potential security risks in the Cosmos application chain, from multi-module call sequences to cross-chain message passing, and combines the security controversies and governance process issues of the Liquid Staking Module (LSM) to provide warnings and insights for more application chain projects.
Read the full report for more detailed content on the Cosmos application chain ecosystem
Years of Vulnerability Research Results
The report details the nine major types of security vulnerabilities commonly found in the blockchain industry. These vulnerabilities span different technical layers and involve core components of multiple blockchain ecosystems, covering all aspects from cross-chain communication to economic model design.
L2/L1 Cross-Chain Communication Vulnerabilities: Cross-chain communication is an important means to enhance the interoperability of blockchain ecosystems, but there are many security risks in its implementation. For example, L2 may not consider L1 block rollbacks, on-chain event forgery, and whether transactions sent to L1 are successful.
Cosmos Application Chain Vulnerabilities: As an ecosystem centered on blockchain interoperability, Cosmos allows different blockchains to connect through IBC (Inter-Blockchain Communication protocol). However, there may be some vulnerabilities and security risks in the implementation of Cosmos application chains, such as BeginBlocker and EndBlocker crash vulnerabilities, incorrect use of local time, incorrect use of random numbers, and other vulnerabilities and security risks.
Bitcoin Expansion Ecosystem Vulnerabilities: Including Bitcoin script construction vulnerabilities, vulnerabilities caused by unconsidered derivative assets, UTXO amount calculation errors, etc.
Common Programming Language Vulnerabilities (such as infinite loops, infinite recursion, integer overflow, race conditions, etc.)
P2P Network Vulnerabilities: P2P (peer-to-peer) networks are used for direct connections and communication between distributed nodes in blockchain systems. Although P2P networks provide the network foundation for decentralized systems, they also face a series of common vulnerability types such as polymorphic attack vulnerabilities, lack of trust model mechanisms, and lack of node quantity limitation mechanisms.
DoS Attacks: Including memory exhaustion attacks, disk exhaustion attacks, kernel handle exhaustion attacks, persistent memory leaks, etc.
Cryptographic Vulnerabilities: Cryptographic vulnerabilities can compromise the confidentiality and integrity of data, posing potential security threats to the system. Major types of cryptographic vulnerabilities include using hash algorithms that have been proven to be insecure, using unsafe custom hash algorithms, and hash collisions caused by unsafe usage.
Ledger Security Vulnerabilities: (such as transaction memory pool vulnerabilities, block hash collision vulnerabilities, orphan block processing logic vulnerabilities, Merkle tree hash collision vulnerabilities, etc.)
Economic Model Vulnerabilities: Economic models play a crucial role in blockchain and distributed systems, affecting the network's incentive mechanisms, governance structures, and overall sustainability. The economic model vulnerabilities listed in the report require special attention.
Read the full report to understand the detailed content about security vulnerability types
Common Attack Surface List
The report also lists 13 common attack surfaces, each of which could become a breakthrough point for hackers, warranting extra attention from developers and project teams:
Virtual Machine
P2P Node Discovery and Data Synchronization Module
Block Parsing Module
Transaction Parsing Module
Consensus Protocol Module
…
Best Practices for Secure Development
Through rich case reviews and offensive and defensive practices, the report distills a systematic approach to security response.
In terms of security protection, this report provides detailed recommendations on best practices for chain development, covering aspects such as block and transaction processing, smart contract virtual machines, logging systems and RPC interfaces, P2P protocol design to prevent DoS attacks, encryption and authentication at the transport layer, fuzzing and static code analysis, and third-party security audit processes, aiming to provide clear and feasible security guidance for the entire lifecycle of blockchain projects.
Background of the Report:
At the beginning of 2025, reflecting on the past year, blockchain technology has continued to iterate rapidly on a global scale: from transaction processing performance to cross-chain interaction, and to smart contract languages and node expansion solutions, the entire industry is entering a more diverse and complex new stage. Meanwhile, various emerging public chains have rapidly risen, leading the technological trends and ecological prosperity of the Web3 world with flexible network architectures, innovative programming models, and a rich variety of application scenarios.
However, security risks continue to emerge, and once an attack or vulnerability exploitation occurs, it can lead not only to asset losses on the chain but also potentially cause network paralysis, jeopardizing the stability of the entire blockchain ecosystem. Therefore, the globally leading security organization focused on safeguarding and building the emerging Web3 ecosystem, BitsLab, has released the “2024 Emerging Ecological Public Chain Panorama Observation and Security Research Report” to help industry stakeholders accurately predict risks and formulate effective protection strategies.
Company Introduction
BitsLab has long focused on security in the blockchain and Web3 industry, accumulating rich auditing experience and technical expertise. From the Move ecosystem, TON network, to the Bitcoin expansion field and Cosmos application chain ecosystem, BitsLab has provided security auditing and infrastructure support for numerous blockchain projects. The report released this time is both a result of BitsLab's continuous research and practical accumulation and a professional guide for the entire industry: it is hoped that more project teams, investment institutions, researchers, and community members will read this report and steadily move forward in the rapidly iterating technological wave, allowing the decentralized world to achieve healthy and sustainable development based on security.
The “2024 Emerging Ecological Public Chain Panorama Observation and Security Research Report” is now officially online. Interested friends are welcome to obtain the complete version of the report through the official BitsLab website and partner platforms, gaining deep insights into the forefront of blockchain security dynamics, and joining BitsLab in building a solid defense for emerging public chains. Let us together welcome a broader development prospect for the Web3 world and support the decentralized ecosystem towards a more prosperous and robust future!
Click to read and download the bilingual report
About BitsLab
BitsLab is a security organization dedicated to safeguarding and building the emerging Web3 ecosystem, with a vision to become a respected Web3 security institution in the industry and among users. It has three sub-brands: MoveBit, ScaleBit, and TonBit.
BitsLab focuses on infrastructure development and security auditing for emerging ecosystems, covering but not limited to Sui, Aptos, TON, Linea, BNB Chain, Soneium, Starknet, Movement, Monad, Internet Computer, and Solana ecosystems. At the same time, BitsLab has demonstrated profound professional capabilities in auditing various programming languages, including Circom, Halo2, Move, Cairo, Tact, FunC, Vyper, Rust, and Solidity.
The BitsLab team brings together several top vulnerability research experts who have won international CTF awards multiple times and have discovered critical vulnerabilities in well-known projects such as TON, Aptos, Sui, Nervos, OKX, and Cosmos.
Visit the official BitsLab website: https://bitslab.xyz/
Visit the official X accounts of BitsLab and its sub-brands:
BitsLab: https://x.com/0xbitslab
MoveBit: https://x.com/MoveBit_
ScaleBit: https://x.com/scalebit_
TonBit: https://x.com/tonbit_
Join the official BitsLab Telegram community: https://t.me/BitsLabHQ
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
