Analysis of SocialFi’s new projects TOMO and New Bitcoin City from a security perspective
星球君的朋友们
Odaily senior author
2023-10-20 03:00
What are the potential risks?

Original source: Beosin

The continued popularity of Friend.tech has once again drawn the market's attention to the SocialFi track. Friend.tech competitors are now emerging on various chains. TOMO on the Linea chain and New Bitcoin City on the NOS chain relied on their own innovations to reach a TVL of more than 1 million US dollars in a short period of time, becoming newcomers on the SocialFi track.

While such SocialFi projects are developing in full swing, the related security risks have received widespread attention from the community. At the end of August, Friend.tech suffered a privacy leak due to its API access design. On October 7, a reentrancy vulnerability was exploited in Stars Arena on the Avalanche chain: the hacker re-entered and called the 0x5632b2e4 function in its contract, causing the final calculated result of the sellShares function to be abnormally large, and the protocol lost approximately US$2.9 million.

Previously, Beosin analyzed Friend.tech's design mechanism and potential security risks in detail. Today, the Beosin security team will analyze the emerging projects TOMO and New Bitcoin City to help you understand the potential risks involved.

Introduction to TOMO

TOMO is a Friend.tech competitor on Linea's layer-2 network. It adds a Vote mechanism on top of the Friend.tech design. A Vote is a voucher for a Twitter user who has not yet registered in TOMO. Other users can directly trade the Votes of unregistered users. After the user registers, the corresponding Votes are converted into Keys.

The introduction of Vote has avoided the proliferation of front-running bots to a certain extent, eliminating the need to monitor Twitter users and spam transactions. At the same time, 5% of the income from trading Vote will be distributed to the Twitter user corresponding to the Vote. The user can receive the income as long as he registers for TOMO. This provides financial incentives for Twitter users to enter TOMO.

TOMO risk analysis

Beosin has previously completed the audit of Tifo.trade, the largest derivatives exchange on the Linea public chain. This time we scanned the TOMO business contract with the Beosin VaaS tool and, combined with the analysis of Beosin security audit experts, found that TOMO has the following risks:

1. Business risks

TOMO's business contract has been open sourced. Looking at its contract code, you can see that its basic pricing model is similar to that of Friend.tech. If S is the current holding, TOMO's Key price model is S^2/43370, while Friend.tech's price model is S^2/16000. This makes TOMO's Key price rise more slowly, attracting more users to participate in transactions to a certain extent.

But the essence has not changed. Since the larger the total number of Keys, the higher the buying and selling prices, early users may purchase a large number of Keys, and later users may suffer losses on their equity purchases. Please be aware of risks when participating in investments.

TOMO’s pricing model

Friend.tech’s pricing model
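An added worked example, not code from TOMO or Friend.tech: it evaluates the two curves with exact integer arithmetic and shows the loss a late buyer takes when earlier holders exit first. It assumes both projects sum per-key prices the way Friend.tech's `getPrice` does, and it ignores fees; `late_buyer_loss` is a hypothetical helper.

```python
# Added illustration: quadratic bonding curves with the denominators quoted above.
# Assumption: cost of a batch is the sum of per-key prices S^2/denominator (in ether),
# as in Friend.tech's getPrice. Fees are ignored.
WEI = 10**18
DENOMINATORS = {"Friend.tech": 16000, "TOMO": 43370}


def sum_squares(n: int) -> int:
    """0^2 + 1^2 + ... + n^2 in closed form (exact integers; 0 for n = -1)."""
    return n * (n + 1) * (2 * n + 1) // 6


def price_wei(supply: int, amount: int, denominator: int) -> int:
    """Cost in wei of `amount` keys when `supply` keys already exist."""
    if supply < 0 or amount < 1:
        raise ValueError("supply must be >= 0 and amount >= 1")
    total = sum_squares(supply - 1 + amount) - sum_squares(supply - 1)
    return total * WEI // denominator


def late_buyer_loss(supply: int, exits: int, denominator: int) -> int:
    """Loss in wei for someone who buys 1 key at `supply`, then sells it
    after `exits` keys held by earlier users have been sold (hypothetical helper)."""
    if not 0 <= exits <= supply:
        raise ValueError("exits must be between 0 and supply")
    cost = price_wei(supply, 1, denominator)
    remaining = supply + 1 - exits          # supply after the buy and the exits
    proceeds = price_wei(remaining - 1, 1, denominator)  # selling 1 key
    return cost - proceeds


if __name__ == "__main__":
    for name, den in DENOMINATORS.items():
        buy = price_wei(100, 1, den) / WEI
        loss = late_buyer_loss(100, 50, den) / WEI
        print(f"{name}: key #101 costs {buy:.4f} ETH, "
              f"loss after 50 earlier keys are sold: {loss:.4f} ETH")
```

The larger denominator lowers every price by the same factor, so the late buyer's relative loss is identical on both curves.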

2. Centralization risk

As with Friend.tech, the centralization risk of TOMO cannot be ignored. The owner of the contract can adjust the fee rate without limit and thereby charge high fees. The owner can even set a fee of 100% so that users receive nothing for what they sell, or set a fee rate exceeding 100% to suspend the buy and sell functions.

source: https://lineascan.build/address/0x9e813d7661d7b56cbcd3f73e958039b208925ef8
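An added model of the sell path, not TOMO's contract code: it shows an unbounded owner-set fee next to the same setter with a hard cap. It assumes a Friend.tech-style payout of price minus fee, a fee fraction scaled by 1 ether, and checked arithmetic as in Solidity 0.8 and later; `FeeModel`, `MAX_FEE` and the 10% cap are hypothetical.

```python
# Added illustration (not TOMO's code): sell payout under an owner-controlled fee.
# Assumptions: fee_percent is a fraction scaled by 1 ether, payout = price - fee,
# and a negative result reverts as checked arithmetic does in Solidity >= 0.8.
WEI = 10**18
MAX_FEE = WEI // 10  # hypothetical hard cap of 10%, chosen for this sketch


class Revert(Exception):
    """Stands in for an EVM revert."""


class FeeModel:
    def __init__(self, owner: str, capped: bool):
        self.owner = owner
        self.capped = capped        # False = unbounded setter described above
        self.fee_percent = 0

    def set_fee_percent(self, caller: str, fee_percent: int) -> None:
        if caller != self.owner:
            raise Revert("caller is not the owner")
        # The mitigation: an upper bound enforced in the setter itself.
        if self.capped and fee_percent > MAX_FEE:
            raise Revert("fee above cap")
        self.fee_percent = fee_percent

    def sell_payout(self, price: int) -> int:
        """Wei the seller receives for keys worth `price` wei."""
        fee = price * self.fee_percent // WEI
        if fee > price:
            raise Revert("arithmetic underflow")  # price - fee would go negative
        return price - fee


def outcome(model: FeeModel, fee_percent: int, price: int = WEI):
    """Apply a fee change as owner, then try to sell; return payout or the revert."""
    try:
        model.set_fee_percent(model.owner, fee_percent)
        return model.sell_payout(price)
    except Revert as exc:
        return f"revert: {exc}"


if __name__ == "__main__":
    for pct in (WEI // 20, WEI, 3 * WEI // 2):   # 5%, 100%, 150%
        print(pct * 100 // WEI, "% uncapped ->", outcome(FeeModel("owner", False), pct))
        print(pct * 100 // WEI, "% capped   ->", outcome(FeeModel("owner", True), pct))
```

When reviewing a contract of this kind, the check is whether the fee setter has a bound that the owner cannot change.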

3. Private key risk (ERC-4337 wallet)

According to the information displayed by TOMO, the wallet generated by TOMO after user registration is an ERC-4337 wallet (account abstraction wallet). The community has raised questions about the asset security of such wallets.

First of all, Friend.tech and most competing products such as Stars Arena use EOA wallets, which are ordinary externally owned accounts. An EOA wallet must sign each transaction it initiates with a private key, which is relatively cumbersome in interactive use. At the same time, it is difficult for users to store private keys securely. Previously, $28 million was stolen from the Deribit hot wallet, and Beosin shared in detail how to ensure the security of the wallet.

To solve the above problems, the ERC-4337 proposal implements account abstraction by introducing a transaction object called UserOperation. Users can use a single wallet account (account abstraction wallet) with both smart contract and EOA functions. Different users send UserOperation objects to the UserOperation mempool. The transactions are packaged by a Bundler and submitted to the Ethereum mempool. The packaged transaction is verified by the Entry Point contract, which then calls the specific Wallet contract to perform the operation, and the result is recorded on chain. The process is shown in the figure below:

source: https://eips.ethereum.org/EIPS/eip-4337

From the ERC-4337 workflow, we can see that the account abstraction wallet has the following potential risk points:

(1) Contract risk

The Entry Point contract and Wallet contract need to be implemented by the project party. Currently, TOMO has not open-sourced the relevant contracts. The Entry Point contract is responsible for verifying the legality of transactions submitted by the Bundler and calling specific Wallet contracts based on those transactions. If there are business logic vulnerabilities in the Entry Point contract or Wallet contract, hackers can attack by constructing specific transactions.

(2) Risks related to private keys

Under the ERC-4337 scheme, if the user forgets the private key, there may be other ways to restore the wallet (depending on the project's scheme design). However, theft or leakage of the private key may still cause the loss of the user's assets. On October 18, TOMO opened the function of exporting wallet private keys. Users need to export their private keys and prevent them from being stolen.

Introduction to New Bitcoin City

New Bitcoin City (or Alpha) is a social application similar to Friend.tech based on the Bitcoin second-layer network NOS. It supports web and mobile terminals. Users can trade New Bitcoin City and Friend.tech Keys in New Bitcoin City. Previously, the New Bitcoin City team also launched the GameFi project Mega Whales and the DeFi project New Bitcoin DEX.

link: https://pro.newbitcoincity.com/

New Bitcoin City Risk Analysis

1. Business risks

New Bitcoin City also uses a pricing model similar to Friend.tech. The PRICE_KEYS_DENOMINATOR in the code is 264000 and the NUMBER_UNIT_PER_ONE_ETHER is 10. Compared to TOMO, the price increases more slowly.

source: https://explorer.l2.trustless.computer/address/0x9b5A4a3cF82F6860fB26c2626b0278071e7997a9/contracts#address-tabs

2. Cyber risks

New Bitcoin City has the same centralization risk as TOMO. In addition, according to the New Bitcoin City team, NOS uses Trustless Computer Layer 2 technology to run its contracts. Trustless Computer is also developed by the New Bitcoin City team. Its execution layer is built on OP Stack and is compatible with Ethereum, and data verification is completed on the Bitcoin network.

source: https://docs.trustless.computer/blockchain-architecture/rollups-on-bitcoin

Currently, only the social application of New Bitcoin City is active on the network, and the stability and security of the network have not been tested.

3. Private key management

New Bitcoin City is similar to Friend.tech in that users generate an EOA wallet after authorizing the application with Twitter for the first time. However, the wallet generation is completed in the New Bitcoin City backend, and its private key generation and storage process is still unknown.

Summary

Friend.tech's competing products have improved and innovated on the basis of Friend.tech. The core pricing model remains basically unchanged, and improvements have been made in user interaction, but they fail to solve the problem of storing user wallet private keys well. The centralization risk of the contracts is obvious, and users need to research a project before interacting with it.
