telemint's Issues

Enable security policy

Enable suggestions on how users should report security vulnerabilities for this repository

Smart contracts cracking competition

Smart contract cracking competition.
- By merit, smart contracts have been the most technologically advanced in the Web3 crypto space, making it almost impossible for vulnerabilities to exist. Using a secured maths library may still lack precision in integer arithmetic. When data is stored in resizable arrays and then accessed by looping through these arrays, the transactions can quickly exhaust and roll back; this happens when the number of items increases with production not tested. The test dataset is usually smarter than the product dataset, which makes this vulnerability very dangerous.
- Lack of access control creates room for vulnerability where only a certain type of user should be allowed to call certain functions, but it's not done.
- Mostly simple logical bugs and arithmetic errors: these errors may be the result of a simple typo, a misunderstanding of the specification or a larger programming mistake; they tend to have complications on the smart contracts.
- Manipulation in Solidity contracts, which could result in our type inference heuristic failing; furthermore, most of the contracts use a manipulator to manipulate variables as bit arrays.
- Smart contracts can be written in any language that can compile to WebAssembly; C++ is the most popular. However, the combination of C++ and WASM can cause a lot of security issues in the network, including the recently discovered EOSNodeREC vulnerability. EOS allows developers to update code on the blockchain; however, so many issues can be fixed as soon as they are discovered, also by implementing an efficient.
- Denial of service is very dangerous to smart contracts. This kind of attack can break the normal operation of smart contracts and even lead to the collapse of smart contracts. Denial of service will consume the service capacity of smart contracts; finally the attacked smart contracts cannot provide service to other users. The attack can set too large a value of variables to each function to end the loop; in this case the smart contracts cannot accept other users' requests and serve them.

At this juncture I come to an end with some few vulnerabilities of smart contracts. I hope I made an impact.
Impapichuksxx

Add TLb description for generated messages?

Maybe also add a TLb description of all messages, which contracts could generate and send to external contracts?

For example, at the end of the auction, nft-item sends an ownership_assigned message to a new owner, but it is not clear what is the format of the message. E.g. what does .store_int(0, 1) mean in that query? And why bidder_address is stored in that message (they probably already know their address)? Should it be prev_owner instead (similar to nft_answer_ownership_assigned)?

A problem in nftltem: giving permission to its owner

I think there is a problem with giving permissions to the owner nftltem. This is in order to open an automatic bid. I believe that the bidding should be created under the supervision of one of the supervisors, who then decide whether to accept or not, because it is important to work continuously to ensure the quality of service and growth remains dominant.

just_thot: tokens might collide

Would not the tokens declared in the messages, such as TeleitemAuctionConfig, TelemintText, TeleitemAuctionConfig, NftRoyaltyParams, TelemintTokenInfo, collide with each other, such as [nft-item.fc], [nft-collection.fc], [common.fc], present in internal/external messages?
Or is it neglected as they're messages in the interface?

(If this is just irrelevant we'll just delete this issue.)

Username

My account has been banned and I can't access my channel.
I logged in with the same sessions in that account.
Please help me :) Any way to recover?

overall

code quality
issues : No issues 💯
code security
vulnerabilities : No vulnerabilities 💯

Colour

- Colour effect
Bright colour needed, e.g. (green/white-orange)
- Servicer slow (message, app delays message when sent and received)
- rebot slow when open

;; ignore errors in function send_money

Case when an error occurred while sending amount_to_send

  1. L6
    send_msg(address, amount_to_send, op::fill_up, cur_lt(), null(), 2); ;; ignore errors (suppose an error occurred at this step)
  2. L7
    current balance decreased by amount_to_send
    my_balance -= amount_to_send;

Toncoins were not sent, but the user's balance decreased. It may be necessary to use throw_if.

Bugs on video call

After finishing sharing the screen during a video call, the voice is gone. Please fix this bug. Thank you.

Load_dict vs load_maybe_ref

In a bunch of places load_dict is used for things which are not dictionaries. Example.

It is a matter of style (tvm op codes are the same), but I think using load_maybe_ref could make the code less confusing.

Smart Contract Security Vulnerabilities

All smart contract security vulnerabilities eventually lead to exploits, which negatively affect the reputation of the protocol, its owners, and the project team. Moreover, it lowers the overall level of trust in the industry, creating more concern and doubt.
As a developer, sometimes we focus too much on the functionality and performance offered by our applications and we tend to forget about security. Security is always important but it is paramount when it comes to smart contracts deployed on public blockchains (like Ethereum).

Saving unencrypted confidential data on the blockchain is very risky because the blockchain is accessible to anyone, meaning that absolutely nothing about it is confidential. If, by mistake, you save passwords (or similar information) on it, you are in big trouble. So I say NEVER store confidential information on a blockchain unless you encrypt it or hash it.

The state of a smart contract is determined by the values of its variables, which are changed by calling its functions. Calling a smart contract function is the same transaction as a transaction of ETH or ERC-20 token transfer. These transactions are finalized by the network only after the next block creation is complete.
Thus, when the user sends a transaction to call a contract function, they cannot be sure that the transaction will be executed in the same state of the contract in which it was at the time of sending. This can happen because other transactions in the same block have changed the state of the contract.
Moreover, miners have some freedom in ordering transactions when forming a block, as well as in choosing to include a particular transaction in a block. In some cases, the impossibility of determining the state of the contract, in which the transaction will be executed, can cause another smart contract weakness.
It also becomes especially dangerous to interact with contracts written in such a way that their behavior can be changed over time.

Also, if you are used to other programming languages you might be tempted to use arrays more than you actually should.
Keep in mind that executing functions in Ethereum costs gas (money), and transactions have a gas limit by definition (the gas limit of a single block). If for some reason your smart contract uses a very long array, and at some point you need to iterate through it, you might reach the gas limit, making the function unexecutable.
So I say always try to use mappings when you expect a long list of values.

Writing a completely secure smart contract is a complex and painstaking task. Yet, however perfect the contract may seem, it still requires a thorough security audit before being published on the network.
The reason for that is the many smart contract vulnerabilities that can be easily overlooked even by experienced developers. Yet, even minor bugs may lead to massive protocol exploits and money loss. That is why we highly recommend you conduct at least two smart contract audits to boost your protocol security and prevent potential hacks.

A broader security problem

What if a security method for Telegram is activated, which is like the feature of the Google Authenticator application? Perhaps this will make the security feature better, making the matter completely at the disposal of Telegram, and this may protect more and more widely from hackers. I suggest a security application, a deflectors, and an authentication similar to that of Google.

Telegram issues

Nowadays I face a lot of problems, like being scammed by others, so I have a suggestion: what if you make an option like PayPal that can keep your rights? When I send $ to someone and he doesn't give me the purchase or something, I contact PayPal customer service, then I get my $ back. Think about it.

calling ethers.utils.serializeTransaction() on a eip1559 results in "mismatch EIP-1559 gasPrice != maxFeePerGas" error, using version 5.5.1

calling ethers.utils.serializeTransaction() on a eip1559 results in "mismatch EIP-1559 gasPrice != maxFeePerGas" error, using version 5.5.1
0xd59f194c92e411b6773d8304b5ee6dcfa3d4021d2bb8402d6f28d370511f2839

Status:success

Block:
33370255 859795 Block Confirmations

Timestamp:
20 days 19 hrs ago (Sep-21-2022 04:39:03 AM +UTC)

From:
0xd17a78499e0cf2aca57c8d0ecf899fa081d415cd

To:
0xef25e8a0f60c3650fbf35e94dc069a23533a1850 Dammywise12

Value:
11 MATIC ($8.71)

Transaction Fee:
0.000630000000294 MATIC ($0.00)

Txn Type:
2 (EIP-1559)

MATIC Price:
$0.70 / MATIC

Originally posted by @dammywise12 in https://github.com/dammywise12/0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045/issues/1

Fraudulent activity

Some bugs might create room for individuals to defraud others; all accounts should be monitored and regulated.

review of commit after audits

Some of the commits can be considered non-trivial.
Have those authors been able to review the commits since?

Ideally, the audit reports would be updated mentioning the last commit that has been audited.

Please add a test suite and a build script

As official smart contracts by Telegram, future dapp developers are going to look up to your project and learn from it.

Please make the effort to educate them on what a proper dapp should look like.

These contracts manage money; it is reasonable to expect them to come with a test suite to show users who deposit money in them that the contracts do what they're supposed to do. The test suite should be able to run on users' computers. This means that you will need to provide a build script to help users compile these contracts too.

I'm sure you know how to do all this, but if you need a good example - this is my template for the above: https://github.com/ton-defi-org/tonstarter-contracts

I also know that there are different methods of testing. I hope that you will choose ton-contract-executor method and write your tests in JavaScript - explanation why this is the superior method is available here: https://society.ton.org/ton-hello-world-guide-for-writing-first-smart-contract-in-func-part-2

TL-B schema op codes look incorrectly calculated

Hey @arseny30, I checked some of op codes and got totally different values.

For example, for teleitem_msg_cancel_auction query_id:int64 = TeleitemMsg I've got 3002b06b, but you have 371638ae. Which method did you use for the calculation? I think it should be crc32 with the IEEE table. Or you can use the tlbc tool from ton for it.

I've tried the same method of calculation on jetton transfer just for test to be sure, and got the same result as in schema.
(ton-blockchain/TIPs#74)

To check I calculated crc on:
transfer query_id:uint64 amount:VarUInteger 16 destination:MsgAddress response_destination:MsgAddress custom_payload:Maybe ^Cell forward_ton_amount:VarUInteger 16 forward_payload:Either Cell ^Cell = InternalMsgBody
and got 8f8a7ea5, then 0x8f8a7ea5 & 0x7FFFFFFF = 0x0f8a7ea5

Also, as far as I know all messages that are intended to be used as message body should be = InternalMsgBody (by TON standards)
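
The calculation described in the issue above, as an added example that is not part of the original post or of the telemint sources: it recomputes each op code as CRC-32 (IEEE) of the scheme text with the top bit cleared and lists the declared values that do not match. The function names, the `DECLARED` table and the whitespace normalization are assumptions of this sketch; the schemes and hex values are the ones quoted in the issue.

```python
import zlib

MASK_REQUEST = 0x7FFFFFFF  # clears the top bit, as in the issue's calculation


def normalize(scheme):
    """Collapse runs of whitespace so line wrapping cannot change the hash
    (assumption: the scheme is hashed as one single-spaced ASCII line)."""
    return " ".join(scheme.split())


def scheme_crc32(scheme):
    """CRC-32 (IEEE polynomial, as implemented by zlib) of the scheme text."""
    return zlib.crc32(normalize(scheme).encode("ascii")) & 0xFFFFFFFF


def request_op(scheme):
    """Op code derived from a scheme: CRC-32 with the high bit cleared."""
    return scheme_crc32(scheme) & MASK_REQUEST


def audit(declared):
    """Return (constructor, declared_op, computed_op) for each mismatch.
    `declared` maps scheme text to the op code written next to it."""
    mismatches = []
    for scheme, op in declared.items():
        computed = request_op(scheme)
        if computed != op:
            mismatches.append((scheme.split()[0], op, computed))
    return mismatches


# Schemes and op codes as quoted in the issue above; nothing here is taken
# from the telemint sources themselves.
DECLARED = {
    "transfer query_id:uint64 amount:VarUInteger 16 destination:MsgAddress "
    "response_destination:MsgAddress custom_payload:Maybe ^Cell "
    "forward_ton_amount:VarUInteger 16 forward_payload:Either Cell ^Cell "
    "= InternalMsgBody": 0x0F8A7EA5,
    "teleitem_msg_cancel_auction query_id:int64 = TeleitemMsg": 0x371638AE,
}

if __name__ == "__main__":
    for name, declared_op, computed_op in audit(DECLARED):
        print(f"{name}: declared {declared_op:08x}, computed {computed_op:08x}")
```

Running a check like this over every constructor in a schema file catches op codes that external contracts and wallets, which decode messages from the published scheme, would fail to recognise.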

Separation of parameters

I have seen that you are passing a large number of parameters to a system variable:
var(_, subwallet_id, public_key, _, item_code, full_domain, default_royalty_params)
This can cause parameters to be loaded in the wrong order, resulting in a consensus violation. I would suggest coming up with a unique identifier, on the basis of which the distribution into groups of nicknames will take place. At the same time, the auction is based on the NFT concept, and nicknames do not require distribution among collections.

Exception Handling

Add exception handling for runtime errors. Did not take additional processing. If you do not capture the moment of funds transfer and function call inside the smart contract by introducing additional exception handling functions, then this can lead to the transaction becoming dangerous for secondary contracts.

Exponential price decay

Premium currently decays linearly. We need to write a function so it decays exponentially with the formula:

P = SP ^ 0.5 ^ T, where P = Price, SP = Starting Price, T = Time since expiry.
