As the TON blockchain is open-source and permissionless, projects and individual users need to be careful to guarantee their safety.
The Open Network (TON), a blockchain platform that is based on Telegram, has recorded massive growth in 2024. The number of onchain-activated wallets increased from about one million in January to more than nine million in June.
Nevertheless, TON’s huge inflow of new users was not ignored by the scammers. In June 2024, blockchain security company SlowMist warned about increased phishing attacks on the TON ecosystem.
With the TON Foundation aiming to attract over 500 million users by 2028, the question arises of how to properly protect users from attacks without slowing that accelerated adoption.
Telegram Is Not Responsible For The Safety Of Mini-Apps
While identifying the risks within the TON network, one needs to realize that Telegram is not responsible for the safety of TON mini-apps.
The number of mini-apps on Telegram, including Notcoin and Hamster Kombat, has been surging in recent months. Nonetheless, not all of those apps follow the security best practices needed to keep their users' funds safe, according to Stepan Chekhovskoi, lead smart contract auditor at Hacken.
He insisted that this is not Telegram's fault and added that user safety on mini-apps lies with founders and project teams. He also commented:
“However, Telegram has to take care of the security of the platform itself and to ensure its functionality enables users to seamlessly secure their accounts; it has little to nothing to do with the security of a mini-app developed by a third party.”
A spokesperson from the TON Foundation confirmed that users and projects are mainly responsible for their safety, mentioning:
“As TON blockchain is open-source and permissionless, individual users and projects must be careful to ensure their safety and security when undertaking network activity.”
TON Foundation ‘Impressed’ With Security Measures By Many Mini-Apps
The TON Foundation encourages the security measures adopted by mini-apps on TON. A TON representative told reporters:
“We have been impressed with the actions of many projects as they look to protect their users.”
For instance, Tonkeeper, one of the most popular TON wallets, enabled users to mark whether a non-fungible token (NFT) they have been sent is legitimate.
The spokesperson also mentioned the importance of an active and engaged community as one of the best safeguards against criminals. The representative added:
“Users should always be careful when transacting onchain. Please remember that any onchain transaction is irreversible. We strongly advise our users not to click on suspicious links, and double-check every detail before signing any onchain transaction.”
Self-Custodial And Custodial Mini-Apps On Telegram
According to Hacken's Chekhovskoi, Telegram mini-apps are no different from apps hosted on other platforms from a security perspective. Consequently, the same web and crypto security measures must be applied to them.
According to Chekhovskoi, Telegram mini-apps manage user private keys in one of two ways, which can be compared to custodial and non-custodial wallets in cryptocurrency. The expert highlighted:
“Most Telegram mini apps are custodial, so like any other provider of a custodial wallet, they must properly identify their users using additional passwords, 2FA mechanisms, and others.”
For self-custodial apps, users must make sure the private key is stored with strong encryption. Chekhovskoi noted:
“If the application doesn't require an eight-character password, including numbers and special symbols, or at least a fingerprint, it means the private key is not securely encrypted.”
Users must also weigh the risks of automatic login on all devices. If automatic login is enabled, anyone who gains access to the user's device has access to their mini-apps by default.
Non-Technical Threats On TON Ecosystem
The TON ecosystem's decentralized nature and ease of use attract scammers, and there is no silver bullet to protect users, according to Hacken.
To avoid non-technical scams on TON, people must be cautious when interacting with unofficial apps and those launched by lesser-known developers. According to Steve Milton, co-founder and CEO of the crypto wallet Fintopio, one way to avoid possible phishing attacks is to check whether a mini-app carries a verification mark.
Telegram offers verification for public figures and organizations so that users can readily identify official sources. The Telegram team verifies bots as well as official channels and public groups.
Milton commented:
“Projects that have undergone this rigorous process, such as Fintopio, have demonstrated a commitment to transparency and reliability.”
Hacken's Chekhovskoi also cautioned against get-rich-quick schemes advertised on Telegram, noting that free cheese is only found in a mousetrap. He said:
“Always remain skeptical of free money offerings. If you embrace a suspicious opportunity, it is better not to risk your main crypto wallet and create a new account for this purpose.”
For more information on how to stay safe on TON and Telegram, follow relevant guidance from the TON Foundation.