Analyze the SocialFi track TOMO and New Bitcoin City from a security perspective

Source: Beosin

The continued boom of Friend.tech has once again drawn the market's attention to the SocialFi track. Friend.tech competitors are now emerging on chain after chain; TOMO on the Linea chain and New Bitcoin City on the NOS chain, each with its own innovations, have seen their TVL exceed $1 million in a short time, making them the new arrivals of the SocialFi track.

While such SocialFi projects are in full swing, their security risks have drawn a lot of attention from the community. At the end of August, Friend.tech suffered a privacy leak caused by the design of its API access; on October 7, Stars Arena on the Avalanche chain was hit by a reentrancy vulnerability: the attacker re-entered the function with selector 0x5632b2e4 in its contract, which made the final calculation in the sellShares function abnormally large, and the protocol lost about $2.9 million.

Previously, Beosin conducted a detailed analysis of the design mechanisms and potential security risks of Friend.tech. Today, the Beosin security team analyzes the emerging projects TOMO and New Bitcoin City to help you understand the potential risks.

TOMO Introduction

TOMO is a Friend.tech competitor on Linea's Layer 2 network, and has added a "Vote" mechanism on top of the Friend.tech model. A Vote is the credential of a Twitter user who has not yet registered with TOMO, and other users can trade the Votes of unregistered users directly. Once the user registers, the corresponding Votes are converted into Keys.

The introduction of Votes curbs the proliferation of sniping bots to some extent, since there is no longer any need to watch for Twitter users joining and fire off transactions indiscriminately. At the same time, 5% of the proceeds from trading a Vote is distributed to the Twitter user the Vote corresponds to, who can collect that income by registering with TOMO. This gives Twitter users an economic incentive to move to TOMO.

TOMO Risk Analysis

Beosin previously completed an audit of Tifo.trade, the largest derivatives exchange on the Linea public chain. This time, we scanned TOMO's business contracts with the Beosin VaaS tool and, combined with analysis by Beosin's security audit experts, found that TOMO carries the following risks:

1 Business Risk

TOMO's business contract is open source, and a look at its code shows that the underlying pricing model is similar to Friend.tech's. If S is the current key supply, TOMO's Key price model is S^2/43370, while Friend.tech's is S^2/16000. This makes TOMO's Key price rise more slowly, which to some extent attracts more users to trade.

The essence has not changed, however: the larger the total supply of Keys, the higher both the buying and the selling price. Early users may buy a large number of Keys, and the Keys bought by later users may only be sold at a loss, so participants need to pay attention to this risk when investing.

TOMO's pricing model

Friend.tech's pricing model
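To make the comparison concrete, here is an added Python model (not TOMO's or Friend.tech's contract code) of the two curves quoted above. It assumes that the cost of buying several keys is the sum of the per-key prices along the curve and ignores trading fees; it shows an early buyer exiting at a late buyer's expense.

```python
from fractions import Fraction

# Denominators quoted in the article: TOMO prices a key at S^2/43370 ether,
# Friend.tech at S^2/16000 ether, where S is the current key supply.
TOMO_DENOM = 43370
FRIEND_TECH_DENOM = 16000

def key_price(supply: int, denom: int) -> Fraction:
    """Ether price of the next key when `supply` keys are already held."""
    return Fraction(supply * supply, denom)

def buy_cost(supply: int, amount: int, denom: int) -> Fraction:
    """Ether paid to buy `amount` keys one after another, starting at `supply`.
    Assumption: the cost is the sum of the per-key prices along the curve."""
    return sum((key_price(supply + i, denom) for i in range(amount)), Fraction(0))

def sell_proceeds(supply: int, amount: int, denom: int) -> Fraction:
    """Ether received for selling `amount` keys: the same curve walked back down."""
    return sum((key_price(supply - 1 - i, denom) for i in range(amount)), Fraction(0))

def early_vs_late(denom: int, early_amount: int, late_amount: int, start: int = 1):
    """Profit/loss of an early buyer who exits right after a late buyer enters,
    and of that late buyer if they then sell into the depleted curve (fees ignored)."""
    supply = start
    early_cost = buy_cost(supply, early_amount, denom)
    supply += early_amount
    late_cost = buy_cost(supply, late_amount, denom)
    supply += late_amount
    early_out = sell_proceeds(supply, early_amount, denom)   # early holder dumps first
    supply -= early_amount
    late_out = sell_proceeds(supply, late_amount, denom)     # late holder exits afterwards
    return early_out - early_cost, late_out - late_cost

if __name__ == "__main__":
    for name, denom in (("TOMO", TOMO_DENOM), ("Friend.tech", FRIEND_TECH_DENOM)):
        print(name, "price of key #100:", float(key_price(100, denom)), "ether")
        early, late = early_vs_late(denom, 10, 10)
        print(name, "early buyer PnL:", float(early), "late buyer PnL:", float(late))
```

Without fees the trade is zero-sum: whatever the early buyer gains, the late buyer loses, and a fee only makes the late buyer's position worse.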

2 Centralization Risk

As with Friend.tech, the centralization risk of TOMO cannot be ignored. The contract owner can adjust the commission rate without limit and can therefore charge high fees: a 100% fee leaves users with nothing from their sales, and a fee rate above 100% suspends buying and selling altogether.
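An added Python sketch (constructed here, not TOMO's contract code) of the unbounded fee setter described above beside a capped one. The 10% cap and the 5%/100%/150% rates are assumed values chosen for the demonstration; a bounded setter is the check an auditor looks for in the owner's privileged functions.

```python
BPS = 10_000  # fee rates in basis points; 10_000 bps = 100 %

class KeyMarket:
    """Toy key market with an owner-adjustable trading fee.
    max_fee_bps=None reproduces the unbounded setter; a cap is the mitigation."""
    def __init__(self, owner: str, fee_bps: int = 500, max_fee_bps=None):
        self.owner = owner
        self.fee_bps = fee_bps
        self.max_fee_bps = max_fee_bps

    def set_fee(self, caller: str, new_fee_bps: int) -> None:
        if caller != self.owner:
            raise PermissionError("only the owner may change the fee")
        if self.max_fee_bps is not None and new_fee_bps > self.max_fee_bps:
            raise ValueError(f"fee {new_fee_bps} bps exceeds cap {self.max_fee_bps}")
        self.fee_bps = new_fee_bps

    def sell(self, price_wei: int) -> int:
        """Wei paid to the seller; mirrors `price - fee` in unsigned arithmetic."""
        fee = price_wei * self.fee_bps // BPS
        if fee > price_wei:
            # Solidity 0.8 arithmetic reverts on underflow, so every sell fails:
            # a fee above 100 % silently suspends trading.
            raise ArithmeticError("payout underflow: sell reverts")
        return price_wei - fee

def probe(max_fee_bps=None) -> dict:
    """Payout for a 1 ether sale after the owner sets 5 %, 100 % and 150 % fees."""
    market = KeyMarket(owner="owner", max_fee_bps=max_fee_bps)
    outcome = {}
    for bps in (500, 10_000, 15_000):
        try:
            market.set_fee("owner", bps)
            outcome[bps] = market.sell(10**18)
        except (ValueError, ArithmeticError) as exc:
            outcome[bps] = type(exc).__name__   # which check stopped the trade
    return outcome
```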


3 Private Key Risk (ERC-4337 Wallet)

According to the information published by TOMO, the wallet generated for a user at registration is an ERC-4337 wallet (account abstraction wallet). The community has raised questions about the safety of assets held in such wallets.

First of all, Friend.tech and most of its competitors, such as Stars Arena, use EOA wallets, i.e. ordinary externally owned accounts. An EOA wallet requires every transaction it initiates to be signed with the private key, which makes interaction relatively cumbersome. At the same time, it is difficult for users to keep their private keys secure; after Deribit's hot wallet was drained of $28 million, Beosin shared in detail how to keep a wallet safe.

To solve these problems, ERC-4337 proposes account abstraction by introducing a transaction-like object called a "UserOperation", so that a user can use a single wallet account with both smart-contract and EOA functionality (an account abstraction wallet). Users send UserOperation objects to a dedicated UserOperation mempool. Bundlers package them into transactions and submit those to the Ethereum mempool. The packaged transaction is verified by the Entry Point contract, which then calls the specific Wallet contract to perform the requested operation, and the result is recorded on chain. The process is shown in the following figure:


From the ERC-4337 workflow, we can see that account abstraction wallets have the following potential risk points:

(1) Contract risk

The Entry Point contract and the Wallet contract have to be implemented by the project team, and TOMO has not open-sourced these contracts so far. The Entry Point contract verifies the legitimacy of the transactions submitted by the bundler and calls the specific Wallet contract according to each transaction. If there are business logic vulnerabilities in the Entry Point contract or the Wallet contract, attackers can exploit them by constructing specific transactions.
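An added Python model of the validate-then-execute flow described in the two passages above (a toy written for this article, not TOMO's contracts or the ERC-4337 reference implementation; HMAC stands in for the owner's ECDSA signature and the wallet tracks its own nonce). It shows the three checks a Wallet contract must make so that a replayed or unsigned UserOperation is rejected by the Entry Point; dropping any one of them is the kind of logic flaw a closed-source, unaudited wallet could hide.

```python
import hashlib
import hmac
from dataclasses import dataclass
@dataclass
class UserOperation:          # what the user signs and the bundler relays
    sender: str
    nonce: int
    call_data: str
    signature: bytes = b""
    def op_hash(self) -> bytes:
        return hashlib.sha256(f"{self.sender}|{self.nonce}|{self.call_data}".encode()).digest()
def sign(op: UserOperation, owner_key: bytes) -> UserOperation:
    op.signature = hmac.new(owner_key, op.op_hash(), "sha256").digest()  # HMAC stands in for ECDSA
    return op

class Wallet:                 # account contract: validate, then execute
    def __init__(self, address: str, owner_key: bytes):
        self.address, self.owner_key = address, owner_key
        self.nonce, self.entry_point, self.executed = 0, None, []
    def validate_user_op(self, op: UserOperation, caller) -> bool:
        expected = hmac.new(self.owner_key, op.op_hash(), "sha256").digest()
        if caller is not self.entry_point:                    # only the EntryPoint may call this
            return False
        if not hmac.compare_digest(expected, op.signature):   # not signed by the owner
            return False
        if op.nonce != self.nonce:                            # reused nonce: a replayed op
            return False
        self.nonce += 1
        return True

class EntryPoint:             # receives the bundle, runs validate-then-execute per op
    def __init__(self, wallets):
        self.wallets = {w.address: w for w in wallets}
        for w in wallets: w.entry_point = self
    def handle_ops(self, ops) -> list:
        results = []
        for op in ops:
            wallet = self.wallets.get(op.sender)
            ok = wallet is not None and wallet.validate_user_op(op, self)
            if ok: wallet.executed.append(op.call_data)       # the "specific operation"
            results.append(ok)
        return results

def demo() -> list:
    # Constructed bundle: a valid op, a replay of it, and an op with a bogus signature.
    alice = Wallet("0xA11CE", b"alice-owner-key")             # constructed address and key
    op = sign(UserOperation("0xA11CE", 0, "buyKeys(bob,1)"), alice.owner_key)
    replay = UserOperation("0xA11CE", 0, "buyKeys(bob,1)", op.signature)
    forged = UserOperation("0xA11CE", 1, "sellKeys(bob,1)", b"\x00" * 32)
    return EntryPoint([alice]).handle_ops([op, replay, forged])
```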

(2) Risks associated with private keys

Under the ERC-4337 scheme, if the user loses the private key there may be other ways to recover the wallet (depending on the project's design). However, theft or leakage of the private key to others can still cause the user to lose assets. On October 18, TOMO enabled the export of wallet private keys; users who export their private key must take care to prevent it from being stolen.

Introduction to New Bitcoin City

New Bitcoin City (also known as Alpha) is a Friend.tech-like social application on the Bitcoin Layer 2 network NOS, available on both web and mobile. Within New Bitcoin City, users can trade the keys of both New Bitcoin City and Friend.tech. Earlier, the New Bitcoin City team also launched the GameFi project Mega Whales and the DeFi project New Bitcoin DEX.


New Bitcoin City Risk Analysis

1 Business Risk

New Bitcoin City also uses a pricing model similar to Friend.tech's, with PRICE_KEYS_DENOMINATOR set to 264000 in the code and NUMBER_UNIT_PER_ONE_ETHER set to 10. Compared with TOMO, its prices rise more slowly.


2 Network Risk

Besides the same centralization risks discussed for TOMO, according to the New Bitcoin City team, NOS runs its contracts on Trustless Computer Layer 2 technology. Trustless Computer was also developed by the New Bitcoin City team: its execution layer is built on the OP Stack for Ethereum compatibility, and data verification is completed on the Bitcoin network.


At present, only New Bitcoin City's social application is active on this network, and the network's stability and security have not yet been tested.

3 Private Key Management

Like Friend.tech, New Bitcoin City generates an EOA wallet for the user when they first authorize the app with Twitter. However, wallet generation takes place in New Bitcoin City's backend, and the process by which private keys are generated and held in custody remains unknown.

Summary

Friend.tech's competitors have improved and innovated on top of Friend.tech. The core pricing model remains largely unchanged, and user interaction has improved, but the problem of storing private keys for user wallets is still not well solved. The centralization risk of the contracts is obvious, and users need to research a project before interacting with it.
