Security and Upgradability
Top Attack Vectors on TON
Missing Bounce
No Sender Verify
Integer Overflow
Replay Attack
Gas Exhaustion
Storage Drain
Security Checklist
Access Control
Pattern: Admin + Owner verification
() recv_internal(int my_balance, int msg_value, cell in_msg_full, slice in_msg_body) impure {
    slice cs = in_msg_full.begin_parse();
    int flags = cs~load_uint(4);
    if (flags & 1) { ;; bounced message: never treat it as a command
        return ();
    }
    slice sender = cs~load_msg_addr();
    int op = in_msg_body~load_uint(32);
    (slice admin, slice owner) = load_data(); ;; admin and owner addresses from storage (assumed helper)

    if (op == op::admin_action) {
        throw_unless(401, equal_slices(sender, admin));
        ;; ... admin-only logic
    }
    if (op == op::owner_action) {
        throw_unless(401, equal_slices(sender, owner));
        ;; ... owner-only logic
    }
    if (op == op::internal_transfer) {
        ;; Verify the sender is the legitimate child contract for the claimed owner:
        ;; recompute the child's address from its code + init data instead of trusting the message
        slice claimed_owner = in_msg_body~load_msg_addr();
        slice expected = calc_child_address(claimed_owner); ;; assumed helper: hash of the child's StateInit
        throw_unless(401, equal_slices(sender, expected));
        ;; ... verified child logic
    }
}
Overflow Protection
;; Always check before arithmetic. TVM itself throws exit code 4 on 257-bit overflow and
;; exit code 5 when a value does not fit its storage field, but explicit checks give the
;; contract a defined, auditable error code.
throw_if(ERR_OVERFLOW, balance + amount < balance); ;; overflow check before a credit
balance += amount;                                   ;; safe after the check
throw_if(ERR_UNDERFLOW, balance < amount);           ;; underflow check before a debit
balance -= amount;                                   ;; safe after the check
Upgradability Patterns
Pattern 1: Proxy (not recommended on TON)
Proxy pattern (Ethereum-style):
Proxy contract → delegates to Implementation
Upgrade: change implementation address
[NO] On TON: not native, complex, gas overhead
Pattern 2: Code Migration (recommended)
Code Migration pattern:
Admin sends the new code → the contract calls set_code()
() recv_internal(int my_balance, int msg_value, cell in_msg_full, slice in_msg_body) impure {
    slice cs = in_msg_full.begin_parse();
    cs~skip_bits(4); ;; message flags
    slice sender = cs~load_msg_addr();
    int op = in_msg_body~load_uint(32);
    slice ds = get_data().begin_parse();
    slice admin = ds~load_msg_addr(); ;; admin address is the first storage field (assumed layout)
    if (op == op::upgrade_code) {
        throw_unless(401, equal_slices(sender, admin));
        set_code(in_msg_body~load_ref()); ;; new code takes effect from the next transaction
        ;; Optional: migrate persistent data to the layout the new code expects
        set_data(migrate_data(get_data(), in_msg_body~load_ref())); ;; migrate_data: assumed helper
    }
}
[OK] Native to TON (TVM supports set_code)
[OK] Simple
[WARN] Admin has full control → trust assumption
Pattern 3: Timelock + Governance
Upgrade with timelock:
1. Admin proposes upgrade (new code + effective_date)
2. Timelock period (48 hours) → users can exit if they disagree
3. After timelock → admin executes upgrade
4. Emergency: shorter timelock for critical fixes
On-chain governance:
1. Token holders vote on upgrade proposal
2. Quorum + majority → approve
3. Timelock → execute
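The two flows above (admin + timelock, and token-holder vote + timelock) as one runnable model. This is an added example, not code from the page or from any TON project: it is an off-chain Python model of the contract's state machine rather than FunC, so the propose / vote / execute transitions and their rejection cases can be exercised directly. The 48-hour timelock is the page's figure; the 6-hour emergency window, the 20% quorum, the error codes other than 401, and the use of a code hash string in place of a code cell are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Timelock lengths: 48 hours is the page's figure; the emergency window is an assumed value.
STANDARD_TIMELOCK = 48 * 3600
EMERGENCY_TIMELOCK = 6 * 3600

# Error codes: 401 follows the page's snippets, the rest are assumed.
ERR_UNAUTHORIZED = 401
ERR_NO_PROPOSAL = 402
ERR_TIMELOCK_ACTIVE = 403
ERR_CODE_MISMATCH = 404
ERR_ALREADY_VOTED = 405
ERR_NOT_APPROVED = 406


class ContractError(Exception):
    """Stands in for a throw_unless / throw_if exit code."""
    def __init__(self, code: int):
        super().__init__(code)
        self.code = code


@dataclass
class Proposal:
    code_hash: str            # hash of the proposed code cell (a constructed string here)
    effective_at: int         # unix time after which execution is allowed
    votes_for: int = 0
    votes_against: int = 0
    voted: Set[str] = field(default_factory=set)


@dataclass
class UpgradeableContract:
    admin: str
    code_hash: str
    governed: bool = False    # False: admin + timelock; True: token vote + timelock
    total_supply: int = 0     # governance token supply, used for the quorum
    quorum_bps: int = 2000    # 20% of supply must vote (assumed parameter)
    proposal: Optional[Proposal] = None

    def propose(self, sender: str, new_code_hash: str, now: int, emergency: bool = False) -> int:
        """Step 1: admin proposes new code; returns the earliest execution time."""
        if sender != self.admin:
            raise ContractError(ERR_UNAUTHORIZED)
        delay = EMERGENCY_TIMELOCK if emergency else STANDARD_TIMELOCK
        self.proposal = Proposal(new_code_hash, now + delay)
        return self.proposal.effective_at

    def vote(self, holder: str, balance: int, approve: bool) -> None:
        """Governance: one vote per holder, weighted by token balance.
        A real contract would verify the balance via the holder's jetton wallet;
        here it is trusted input."""
        if self.proposal is None:
            raise ContractError(ERR_NO_PROPOSAL)
        if holder in self.proposal.voted:
            raise ContractError(ERR_ALREADY_VOTED)
        self.proposal.voted.add(holder)
        if approve:
            self.proposal.votes_for += balance
        else:
            self.proposal.votes_against += balance

    def approved(self) -> bool:
        """Quorum (share of supply that voted) and simple majority of votes cast."""
        p = self.proposal
        if p is None:
            return False
        cast = p.votes_for + p.votes_against
        quorum_met = cast * 10_000 >= self.total_supply * self.quorum_bps
        return quorum_met and p.votes_for > p.votes_against

    def cancel(self, sender: str) -> None:
        """Admin withdraws a pending proposal, e.g. after objections during the timelock."""
        if sender != self.admin:
            raise ContractError(ERR_UNAUTHORIZED)
        self.proposal = None

    def execute(self, sender: str, new_code_hash: str, now: int) -> str:
        """Step 3: after the timelock the admin installs exactly the proposed code."""
        if sender != self.admin:
            raise ContractError(ERR_UNAUTHORIZED)
        if self.proposal is None:
            raise ContractError(ERR_NO_PROPOSAL)
        if now < self.proposal.effective_at:
            raise ContractError(ERR_TIMELOCK_ACTIVE)
        # Binding execution to the proposed hash is what makes the timelock meaningful:
        # users reviewed (or exited over) that code, so nothing else may be installed.
        if new_code_hash != self.proposal.code_hash:
            raise ContractError(ERR_CODE_MISMATCH)
        if self.governed and not self.approved():
            raise ContractError(ERR_NOT_APPROVED)
        self.code_hash = new_code_hash   # the on-chain contract would call set_code() here
        self.proposal = None
        return self.code_hash


def demo_flow() -> dict:
    """Run both variants on constructed data; report what was rejected and what was applied."""
    results = {}
    t0 = 1_700_000_000
    c = UpgradeableContract(admin="admin", code_hash="code_v1")
    c.propose("admin", "code_v2", t0)
    try:
        c.execute("admin", "code_v2", t0 + 3600)                   # too early
    except ContractError as e:
        results["early_execute"] = e.code
    try:
        c.execute("admin", "code_evil", t0 + STANDARD_TIMELOCK)    # not what was proposed
    except ContractError as e:
        results["wrong_code"] = e.code
    results["upgraded_to"] = c.execute("admin", "code_v2", t0 + STANDARD_TIMELOCK)

    g = UpgradeableContract(admin="admin", code_hash="code_v1", governed=True, total_supply=1_000_000)
    g.propose("admin", "code_v2", t0)
    g.vote("alice", 150_000, True)
    g.vote("bob", 100_000, False)      # 25% turnout, 60% in favour
    results["approved"] = g.approved()
    results["governed_upgrade"] = g.execute("admin", "code_v2", t0 + STANDARD_TIMELOCK)
    return results
```

The check worth copying into a real contract is the hash comparison in `execute`: without it, a timelock only delays an upgrade but does not guarantee that the code users inspected during the delay is the code that gets installed.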
Audit Preparation
What to audit
| Priority | Check | Impact |
|---|---|---|
| Critical | Sender verification | Fund theft |
| Critical | Bounce handlers complete | Lost funds |
| Critical | Overflow/underflow | Balance manipulation |
| High | Gas forwarding sufficient | Failed operations |
| High | Storage bounded | Contract freeze |
| High | Admin access scoped | Unauthorized actions |
| Medium | Replay protection | Double processing |
| Medium | Edge cases (0 amounts, self-transfer) | Unexpected behavior |
These system-level security principles are best checked against a concrete catalogue of TON vulnerabilities: bounced messages, gas management, integer pitfalls, async race conditions, and the audit checklist. A detailed breakdown of each class is covered in the TON course.
TON security: bounced messages