Enhancing The Open Network: Definition and Automated Detection of Smart Contract Defects

Hao Song, Teng Li, Jiachi Chen, Ting Chen, Beibei Li, Zhangyan Lin, Yi Lu, Pan Li, Xihan Zhou

TL;DR

This work addresses the lack of defect definitions and tooling for TON smart contracts written in FunC by deriving eight defects from official blogs and audit reports. It introduces TONScanner, a modular static-analysis framework that converts FunC source into a DAG-form IR, builds a CFG from it, transforms the CFG into SSA form, constructs call-graph and data-dependency models, and applies eight dedicated detectors to identify the defects. Evaluation on 1,640 contracts (922 FunC and 718 Tact) reveals 14,995 defects, with an overall precision of 97.49% across manually labeled samples, indicating that defects are prevalent and that the approach is effective. The framework is designed to be extensible, scalable, and capable of accommodating new TON-specific defects, ultimately aiding developers in producing secure TON smart contracts and enabling broader adoption of TON-based DApps.

Abstract

The Open Network (TON), designed to support Telegram's extensive user base of hundreds of millions, has garnered considerable attention since its launch in 2022. FunC is the most popular programming language for writing smart contracts on TON. It is distinguished by a unique syntax compared to other smart contract languages. Despite growing interest, research on the practical defects of TON smart contracts is still in its early stages. In this paper, we summarize eight smart contract defects identified from TON's official blogs and audit reports, each with detailed definitions and code examples. Furthermore, we propose a static analysis framework called TONScanner to facilitate the detection of these defects. Specifically, TONScanner reuses the FunC compiler's frontend code to transform the FunC source code into a FunC intermediate representation (IR) in the form of a directed acyclic graph (DAG). Based on this IR, TONScanner constructs a control flow graph (CFG), then transforms it into static single assignment (SSA) form to simplify further analysis. TONScanner also integrates Data Dependency, Call Graph, Taint Analysis, and Cell Construct, which are specifically tailored for the TON blockchain's unique data structures. These components finally facilitate the identification of the eight defects. We evaluate the effectiveness of TONScanner by applying it to 1,640 smart contracts and find a total of 14,995 defects. Through random sampling and manual labeling, we find that TONScanner achieves an overall precision of 97.49%. The results reveal that current TON contracts contain numerous defects, indicating that developers are prone to making errors. TONScanner has proven its ability to accurately identify these defects, thereby aiding in their correction.

Paper Structure (45 sections, 5 figures, 3 tables)

This paper contains 45 sections, 5 figures, 3 tables.

Figures (5)

  • Figure 1: Example of a card of audit reports
  • Figure 2: Example of a card of official blogs
  • Figure 3: Architecture of TONScanner
  • Figure 4: Conversion of DAG to CFG
  • Figure 5: An example of a Call Graph in TON contract