September 18, 2022

Updates on the "Open Source" Bug Finding Contest

This blog post will be updated, so please come back to see updates in the coming days and/or weeks as the "Open Source" bug finding contest proceeds.

Why I'm not participating in the "TON Bug Contest"

Note: I've thus far only looked at the reported bugs for Tonhub. As the project I advise and test for is TonSafe and this was falsely accused of being a "carbon copy of Tonhub" by some young fools*, I thought it would be more interesting first to test for bugs reported on Tonhub and see if they're also present in TonSafe. I'll look at Tonkeeper later on, after TonSafe is accused of being a "carbon copy of Tonkeeper" which with TonSafe's next version 1.4 is actually a high likelihood!

*) One of the luxuries of "old age" is getting to call young fools, young fools. It doesn't mean, of course, that I was once a young fool myself, but it's nice to be able to say it.

Tonhub Bugs vs TonSafe Bugs

Firstly, an important note: even though I have tested for these bugs, it doesn't mean that you won't find them on a different device, system etc, so please test away too!

Secondly, it may be instructive to link to the post where TonSafe was accused of being a carbon copy of Tonhub and my reply which shot down the foolish young editor of "The Daily TON" news service — which is just a conspiracy non-independent news service as agreed with TON Foundation's unaccountable, opaque, censorship and favoritism-ridden incestual "TON Community" channel: my comparison is here.

(That young fool* is winner of another badly organized "Ton Community Contest", for a "Ton Community Manager" but afterwards they decided instead to set up a news site that would look independent, and basically be a false-flag operation.)

Thirdly, although this is my personal blog with my own free thoughts and character, I have no objection to TonSafe making use of it if they wish to do so.

1. Bug: sending long message in TX

  • Tonhub: bug reports impossibility to make payment if comment too long
  • TonSafe: no issue, super long messages over 23kb are cut short, but you can still use it to send a book chapter at a time***

Result: Another point number 18 of major differences between TonSafe and Tonhub.

***HOWEVER: This live test cost me TON 0.42 in blockchain FEES, that is how long a message TonSafe could handle, and it crashed the tonscan.org and ton.page explorers!

2. Security: no user ID check when starting app, nor on logging out

Obviously this is a big one! You'd expect a wallet which may contain access to huge amounts of money to be at least optionally protected each time you start it, right? And, to prevent any unauthorized person logging you out, with potential consequences if you don't have your 24 secret words to hand, right? Right...

  • Tonhub: no such security
  • TonSafe: default authentication at each start (can be optionally disabled in settings if you are comfortable you're the only one with access to your device), and 4 steps to log out.

But: I'll open a ticket with TonSafe to add additional biometric confirmation on top!

Result: Another point number 19 of major differences between TonSafe and Tonhub.

3. Users can take screen shots of 24 secret words

  • Tonhub: no prevention
  • TonSafe: no prevention

This is actually on the roadmap for TonSafe since some time already. It will no doubt be met with a lot of hostility from developers and the more "technically able", since so many of them take screen shots of their 24 secret words. But TonSafe is planning to do it anyway, reason being that it is a policy of TonSafe not to worry about user numbers (as this will lose many users at sign up) but more to worry about user safety. "But let the user decide!" I hear you scream. No. If you want to commit suicide, do it over at some other wallet. As it will eventually get a bad name "I lost my TON using TonSafe!"

  • Screen shots can be sent by mistake (I know, I got someone's 24 secret words sent to me, I told him his wallet account is now useless).
  • Screen shots are easily misplaced, forgotten where, which device, deleted, and phones are lost etc.
  • Text copying is just as bad - something the joker wallet "PenisTon" which renamed themselves to "Juston" have done.

So it is a good and valid report, let us see if this person gets awarded any prize money from the organizers. He or she should.

4. QR Scanner doesn't open in Android

As it is not clear whether this non-security issue affects only some devices, I'm not able to make this comparison properly. I'll note it here for possible future further testing.

5. Tonhub: transferring Old Coins Doesn't Work Correctly

The bug submitter did not test properly and concluded this is not a bug. Actually he or she did not test all the old addresses. One of the old addresses (from memory I think it is the very oldest) won't transfer coins at all. This could be fixed by removing it (since no one would be using such a very old address going back years, surely?) or fixing it (if it can be fixed; perhaps it was a programming error and skipped in the code).

As this is a feature of TonSafe also and which may have used some part of Tonhub open source code, I've raised a ticket for that to be checked and investigated.

My Comments on the Contest overall thus far

Admittedly I've not got enough time and/or it is not a big enough priority for me to investigate and follow ALL of the contest developments and bug reports for various projects. For now I'm just following the Tonhub reports and will try to look at Tonkeeper later. So I make some general comments:

  • Competition is good for the end-user
  • Open source does not equate with security
  • Closed source does not equate with lack of security
  • There are pluses and minuses from security stand point of open/closed source
  • Competition was thrown together in a rush, within a week of internal "planning"
  • Community as usual had no input or feedback on ideas and structure
  • Nevertheless, in this case, probably the contest is better than nothing
  • The contest benefits primarily Tonkeeper above all others
  • Tonkeeper went open source only 20 minutes ahead of the deadline
  • Others did not have any time to evaluate the pros and cons of participation
  • TonSafe can benefit from a checking of all bugs reported on other wallets
  • TonSafe always takes any UI reports of issues from users seriously
  • At least one security bug I know of in Tonkeeper: I doubt the contest will find it**

** As promised earlier, I'll certainly check the next Tonkeeper update and report whether they fixed the issue or not. But, more importantly, why don't I report it???

Why I'm not reporting specific security bugs in other applications

  1. I volunteered my time for free without any expectations other than to improve woefully inadequate Tonhub and Tonkeeper wallets (back then in March, they were woefully inadequate, since then most major issues have been improved).
  2. My offers were rudely rejected, and yet, everything I reported back then was eventually fixed. No acknowledgment or thanks, just arrogance and rudeness. Attitude that "if there really was such a bug, you'd have gone for the bug bounty."
  3. As if everyone would have known there was a bug bounty hidden away. I applied for it, it goes to the personal email of the head developer and not some corporate oversight, is not acknowledged, and you don't receive any part of the bounty.
  4. Another attitude I received from the same wallet dictator-in-chief-K (DICK): "it's open source, no customer service needed". Hence they provide customer service contacts ONLY so that they can get into the app stores, but provide none at all.
  5. I therefore resolved to find a powerful team that has super qualifications and could produce the most safe and secure TON wallet. Result is TonSafe.
  6. If I report such things publicly about other wallets' vulnerabilities (e.g. Hueton aka Juston has terrible issues and is certainly using the public as testers with their live funds; BASED wrote on the benefits of Tonkeeper doing so), then this would allow bad actors to take advantage in creating chances for dangerous UI/UX flow.
  7. The TON "Open Network" is anything but an open network in practice, as far as publicity, promotion, participation, level playing field, favoritism, policy contradictions, accountability and so on, unwelcoming and discouraging for new projects.

Selfishness and "what benefit is there to me" are the standard defaults for most people these days with sociopathy on the exponential rise. When AI robots are able to laugh and mimic human behavior, we have nothing new: we've just re-created sociopaths in a non-biological form.

It is this reality of the human condition that the unscrupulous can take advantage of, effectively stealing millions of TON from what they call "hamsters" and without any recourse: since each cares only about their own loss, not the collective. And without that collective response the thousands of individuals will be ignored.

If you want to get involved in discussions around those issues, I recommend joining the open public "TON Revolution" group at https://t.me/TONrevo

Updates: September 20

Comments: the contest is really a disappointment. In what sense? Let me tell you.

Tonhub is THE Open Source wallet on TON. This is to its great credit, no doubt. So, you'd expect more participation from all the "million followers" of TON Community, TON Foundation, which promoted this contest. Hardly anyone has participated, or, maybe many have but hardly anyone has found any issues.

The first and only report in the contest (for Tonhub) since the weekend: SPAM Filter Does Not Work. Indeed, and it is much, much worse. I've tested sending 200 or was it 2000 TON, and it was marked as spam, for a setting of less than 0.1 TON. And so on and so forth. Simply, the Tonhub team don't use their own wallet; if they did, presumably it would not always have so many new features introduced that obviously don't work.

It's also another reason I'm not participating, in addition to all those reasons mentioned earlier, and maybe it is an opportune time to explain that additional reasoning:

  • Yes I could definitely do with a slice of $50,000
  • I think I'd have provided more bugs than most others
  • I have no confidence in the TON "Ecosystem" in this respect
  • I provided an extensive report for a bug bounty (Whales) before and got no response
  • I would rather never know if I'd got any funds than be angry at getting none
  • Example: I was offered 1 BTC back then at $7; I did not take it, no regrets
  • Had I taken it: I'd have lost my passwords, or sold it at $70, not $60,000
  • Had I taken it: I'd have regretted, not taking it was my decision: no regrets

I wish I could find time to look at submitted reports for other participating projects.

There are so many issues with Tonkeeper, as I mentioned before, but I'll just bet on one of the most obvious ones, and one of the most obscure ones, and see if anyone reported on those two issues at opposite ends of the scale. Let's see later.

I do not know of ANY Wallet with the exception of the Toncoin Wallet (perhaps wrapped for app stores by Tonkeeper, but produced by some top guys at TON Foundation, core developers) that is not full of bugs, and should not reach production and mass distribution without adequate testing and QA.

It's all good: without Tonkeeper and Tonhub there'd be no TonSafe, so long as users are happy to fill the role of lab rats and unpaid testers. What really gets me riled is that those teams have really considerable financial resources to pay their developers.

TonSafe does such a better job with far less resources. I'd like to think Ton Foundation would realize the importance of having AT LEAST ONE OTHER stable, strong, safe wallet, and do something to support the project.

6. Unable to Paste 24 Secret Words into Tonhub

Kudos to public tester Julia for trying hard and finding issues, however, this is not a bug in my view, from a security standpoint. Users should ideally be prevented from copy/pasting of passwords for a number of security reasons, not limited to, but including that a copy/paste can often go into the wrong app etc. Therefore, having an unexpected result when trying to do so, isn't a real bug as such, it's a "feature".

7. Tonhub Staking Bug Reports

I make no comment on these, other than I'd expect there to be lots of bugs in there. No comment because it isn't a feature TonSafe, which I'm lead tester for, would want to include, and there are too many past issues around Whales' lack of customer service and bad treatment of "miners" for me personally to trust Whales with my money.

8. Tonhub: Confirmed Address Differs From Sent Address

Crazy as this sounds, there are multiple reports of the sending address being displayed with extra characters on the Tonhub confirmation screen. Who would trust to send TON to an address that comes out different on the confirmation screen? TonSafe does not suffer this bug. Such bugs should surely have shown up in pre-release testing, meaning Tonhub is cavalier with its releases and/or doesn't do real testing.

End of Contest

Looking at Tonhub and comparing to TonSafe

5 bugs about Tonhub won prizes in the contest. Not ONE of these bugs was present in TonSafe.

Tonkeeper Bugs

As promised, at the next Tonkeeper update I will report whether two bugs, one simple and obvious, one not so simple or obvious, were noticed or fixed. I doubt it!

These 2 examples were not in the listed contest winner bug reports.

TonScan Bugs

Contest only found one issue, not a bug. I found 2: one is that tonscan hides a transaction before or after (I forget which) a transaction with over 20k long comment, and another that the history is jumbled when scrolling far back, e.g. take a look at the TON Foundation's account, where they either have a gambling addiction, or are trying to hide tracks, not good either way. You'll see 3 months back, then 5 months, then it is back to 3 months, when there are interesting non-gambling payments being made.

(Written this day, 2nd October, 2022)

Annoyance

TonSafe could have participated? When this contest started I thought this was only for open source projects, but Wallet, TON Rocket and Cryptobot were included?!