The Telegram ICO’s TON blockchain has questionable security, and will probably centralise

Messaging system Telegram is the favoured chat app for ICOs — every ICO seems to have a Telegram chat room. As founder Pavel Durov told Bloomberg in early December 2017, “the entire blockchain and cryptocurrency community just switched to Telegram.”

Telegram doesn’t have a business model — it’s funded out of Durov’s pocket, using the $300 million he got for his previous huge success, VKontakte, the Russian answer to Facebook.

So, Telegram needed money from somewhere. So in early 2018, it did its own sort-of-ICO.

 

 

The not-an-ICO nets $1.7 billion

Telegram started touting an ICO to private investors some time in late 2017. Former employee Anton Rozenberg posted to Facebook (archive) on 21 December 2017, publicly confirming the ICO’s existence — and linking the teaser video.

The video posits a fabulously scaleable blockchain, solving most present blockchain scaling problems — and every Telegram user will get a TON wallet, to store the network’s token, the Gram, “making it the world’s most adopted cryptocurrency.”

 

 

The ICO was a SAFT — a Simple Agreement for Future Tokens — for Gram tokens. The Grams would be delivered when TON was up and running.

The offering was exempt from registration as a security under Regulation D 506(c) — for “accredited,” i.e., rich, investors only. If an accredited investor wants to buy nonexistent future magic beans and lose all their money — that’s entirely their own lookout, as long as the prospectus is truthful and details the risks.

Telegram’s a famous name, so Silicon Valley venture capital wanted in on this one — exposure to cryptocurrency at the peak of the hype, a famous name with lots of users, and founders who had a track record of success!

The SAFTs were sold in two rounds, of $850 million each — and that’s in actual US dollars, not cryptos. The first round was oversubscribed, and buyers were reportedly reselling their SAFTs for twice what they’d paid, before the round even finished.

(It’s not clear how the investors did this, or precisely what they were reselling — under SEC Rule 144, you mostly can’t trade 506(c) securities for at least six months after first sale. And the text of the SAFT hasn’t leaked, so it’s not clear if Telegram has any obligation other than to the original purchasers.)

What did these investors get for their $1.7 billion? Not a stake in the company — just the right to Gram tokens, when the TON blockchain eventually launched.

Raising $1.7 billion without giving up any stake in your company is an idea with obvious attractions. For comparison, that’s one-tenth of what Facebook’s initial public offering raised — in one of the longest-awaited, most closely-watched Silicon Valley IPOs ever. And Facebook’s user base is a significant percentage of all the people in the world … unlike Telegram’s niche messaging app.

The TON “primer” white paper (archive) says the ICO funds will be used for “the development of Telegram and TON and for the ongoing expenses required to support the growth of the ecosystem.” That is, they can use the money to pay Telegram’s regular bills — and also, develop some blockchainy thing.

Though if TON doesn’t launch by October 2019 — Telegram will return the investors’ money! … if there’s any left by then.

No public ICO, but …

The ICO never went to its planned public round — the SEC was sniffing around ICOs, and Telegram had already made much more money than they’d expected, all of it from people who were definitely rich enough to know better.

But creative cryptocurrency entrepreneurs had been on the case since January — setting up fake Telegram ICO sites, such as tgram.cc, ton-ico.com, ton-gram.io, grampreico.com, tgram.cc and gramtoken.tech. One site, gramtoken.io, collected $5 million in Ether before disappearing.

Some of these, I can’t even work out precisely what the scam is. ico-telegram.org (archive) claims to be running a refund. “We point out that we are DO NOT sell/provide any type of security/currency/worldly goods or investment promises. we are DO NOT sell Gram token or Telegram token.” If you click the “Refund” button, you go to another page (archive) which says “We are ready to work together with the authorities and law enforcement agencies to resolve the situation and issue any and all refunds corectly.” [sic] If you have MetaMask installed, it blocks the site with a scam warning.

A sham company was incorporated in the UK, Telegram Open Network Limited, falsely claiming to be owned by Pavel Durov, with £800 million in capital. Telegram disclaimed it.

Telegram also defended the name “Gram” (archive) against another company, Lantah LLC, that planned its own “GRAM” token. Lantah LLC appears to have actually been first — but Telegram convinced the judge that they “did more than prepare to use the mark.”

Telegram Open Network: the gritty details

Venture capital firms who were already into cryptocurrency chose to sit out the Telegram ICO — “it’s a pitch that sounds good to VCs that haven’t participated but makes no sense to people that have been in the space,” said Nick Tomaino of virtual currency investment fund 1confirmation.

The crypto VCs probably read the December 2017 Telegram Open Network technical white paper (archive). This was written by VKontakte and Telegram technical co-founder Nikolai Durov, brother of Pavel — a mathematician, with two doctorates.

The white paper is 132 pages of unsupported promises, and blatant cribs from early Ethereum ideas that didn’t work out.

The  paper offers:

a fast, secure and scalable blockchain and network project, capable of handling millions of transactions per second if necessary … We aim for it to be able to host all reasonable applications currently proposed and conceived.

TON is supposed to be a public blockchain network, dealing in money. So the two overwhelmingly important questions — overshadowing every other detail — become:

  1. how secure is this against a well-funded attacker?
  2. how does the network stay decentralised?

The word “security” appears once in the entire paper; the word “threat,” not at all.

And if it won’t stay decentralised — there’s not really any point in using a blockchain.

But first — how will Telegram achieve all three of “fast, secure and scalable”?

Quite a lot of the technical white paper is ideas that Ethereum already rejected — it’s like Durov read Vitalik Buterin’s “Prehistory of the Ethereum Protocol” and went “ha, that’ll be easy.”

Ethereum is currently working on how to separate transaction processing into multiple sub-blockchains, called “shards” — a term adopted from databases — and reconcile transactions while maintaining cryptographic guarantees. This is how they hope to scale up Ethereum’s transaction rate.

TON is conceived as a pile of shards, from the ground up — think in terms of one blockchain per account, then work out how to reconcile all of these. This is what Durov calls the “infinite sharding paradigm.”

There’s a master blockchain, and up to 232 “workchains” hanging off it, as sidechains. Each workchain can have 260 “shardchain” sidechains hanging off it.

Each shardchain is responsible for a small number of addresses; shards can branch or merge depending on the processing load its addresses cause. Each block in a shardchain can be replaced if found to be invalid. The masterchain contains hashes of all blocks of all shardchains.

This all just assumes the validity of shardchain block generation — there’s no mention of financially-interested outside attackers.

One obvious attack comes from section 2.4.19 — to avoid a flood of messages, “each shard is ‘connected’ only to shards differing in exactly one hexadecimal digit of their (w, s) shard identifiers.” So, to attack a high-value shard, just compromise enough of its surrounding shards. Thus, high-value shards will need to buy a “moat” of their adjacent shards.

Sidechains and shards and so on could work just fine in a world with no hostile attackers — but that’s not the world we live in.

Anyone can stack up chains of chains of chains like Lego bricks — but we’re interested in what happens when someone comes at it with a hammer.

Remember that none of this exists. The white paper is not a detailed explanation of a live working system — this was all hypothetical, even if the white paper consistently uses the present tense, as if this was and is a thing.

At best, this is how Durov thinks his unimplemented system will work — there are bursts of ridiculously low-level detail, and other bits are handwaved, or conspicuously absent.

Section 2.6 is how the Proof-of-Stake system will work. This is how TON claims to solve the Blockchain Trilemma of being fast, decentralised and secure:

The TON Blockchain ultimately consists of shardchain and masterchain blocks. These blocks must be created, validated and propagated through the network to all parties concerned, in order for the system to function smoothly and correctly.

There are 100 validators in any given month, elected according to stake. Nominators can lend capital to validators to achieve stake.

this nominating or lending system enables one to become a validator without investing a large amount of money into Grams (TON coins) first. In other words, it prevents those keeping large amounts of Grams from monopolizing the supply of validators.

Presumably this is their answer to the Proof-of-Stake centralisation failure mode “thems what has, gets” — where having money means you’re better-placed to get more money. But Durov just states the claim that it prevents a monopoly — he doesn’t show how this follows, at all.

Section 2.6.25 is TON’s promise of decentralisation. It explicitly contrasts TON with Bitcoin and Ethereum, which run Proof-of-Work, which — apart from being a horrifying and reprehensible waste of power and CO2 generator — has centralised due to economies of scale: the bigger you are, the more efficiently you can mine Bitcoin or Ethereum. TON uses a nominator system:

In fact, the parameter L of 2.6.7 will force nominators not to join the largest “mining pool” (i.e., the validator that has amassed the largest stake), but rather to look for smaller validators currently accepting funds from nominators, or even to create new validators, because this would allow a higher proportion s’i/si of the validator’s — and by extension also the nominator’s — stake to be used, hence yielding larger rewards from mining. In this way, the TON Proof-of-Stake system actually encourages decentralization (creating and using more validators) and punishes centralization.

… and that’s it. Durov presents no evidence that the system will work in practice how he hopes. No threat models, no possible failure modes, nor any failure modes discovered in Ethereum’s years of work on a Proof-of-Stake system.

What stops individual large nominators backing a huge percentage of validators? As we see with crypto mining company Bitmain running multiple “separate” Bitcoin mining pools, often adding up to over 50%.

 

https://twitter.com/ncweaver/status/1078682328866598912

 

There’s massive quantities of intricate detail here on how all of this is going to work. But none of this existed when it was written. It’s non-empirical reasoning from first principles about a hypothetical system.

Why is this a good system? Why these particular choices? What are the alternatives? Why is it more than just you making up a PoS system off the top of your head?

Section 2.8 discusses types of blockchains. This sort of answers a bit of “why,” but only on the broadest level — not why Durov made these particular decisions.

Durov is ridiculously smart. He has two Ph.Ds in mathematics. He’s recruiting seriously talented mathematicians to work on TON.

I’m pretty sure Durov is confident nobody could outsmart him here — he’s thought about it really hard, after all.

But it’s an empirical problem, not just a maths problem. Pure reason from first principles is not enough — you need twisty weasels kicking your system and thinking of ways around your security. I can’t see any evidence of this in the paper.

Durov was technical architect for VKontakte and Telegram, so he should know this is missing.

Section 2.9 outlines a hierarchy of blockchain projects, and calls TON “the first fifth-generation blockchain project.” I would say TON is zeroth generation, because it doesn’t exist.

Section 2.9.13: “Is it possible to ‘upload Facebook into a blockchain’?” — this is the worst section heading I’ve ever seen in a white paper, and I’ve seen some doozies. I’m glad their answer is mostly “no.”

The rest of the paper details other parts of the network — TON Storage (like IPFS), TON Proxy (like TOR), TON Services (user and app interface), TON DNS, and TON Payments (a Lightning-style channel network). These are a similar blend of low-level querulous detail and high-level handwaving.

Investors spent one point seven billion actual US dollars on this thing — so the white paper was certainly up to that task.

 

 

Telegram Passport

Part of the TON plan — at least per the Primer — is an identity system offering “External Secure IDs.” Telegram Passport was released in July 2018.

Telegram Passport will let you fulfill KYC (Know Your Customer) requirements for crypto offerings. You upload your passport, driver’s license, bank statements, rental agreements, and so on — and you can provide these to services that want to see them.

You trust that Telegram know what they’re doing with securing your most sensitive personal and financial data.

Unfortunately, it had a number of problems. Specifically, the trouble with roll-your-own cryptography is that you’ll discover why everyone says never to roll your own cryptography:

  • Your data is protected only with a password, hashed with salted SHA-512. In 2018, this costs a maximum of $135 per password to brute-force the entire space of eight-character passwords.
  • Telegram generates its own key for data encryption — but it turns out their roll-your-own cryptography generates keys where the sum of all bytes is always divisible by 239. This cuts 7 to 8 bits off the brute-force search space.

But all the millions of Telegram users will use passwords longer than eight characters — right?

September 2018 TON progress report

In September 2018, TON issued a progress report for investors, claiming the project was “70%” toward the test network — TON Virtual Machine 95% complete, TVM documentation 95%, TON network protocols 80-100%, TON blockchain validation 10-50%.

Completion percentages of this sort are deceptive. Telegram don’t make it clear at all how they’re measuring this. For instance, in the scrum process, it might mean percentage of “stories” completed in a given “epic.” But 90% of your stories being done doesn’t at all mean there’s only 10% more work to go before release.

The 5 September 2018 technical papers are “Telegram Open Network Blockchain” (archive) and “Telegram Open Network Virtual Machine” (archive).

The TON paper goes into hyperspecific detail about message passing algorithms, the layout of data within the blocks, and so on. I think they wrote this by taking what software they’d written so far, and describing it mathematically. The TVM paper is much the same.

That’s fine — but both papers conspicuously fail to address our two crucial questions: (a) are we secure, and (b) how do we stay decentralised?

The new papers have nothing on validation, resolving disagreements, security, threat models, or how this thing stays decentralised.

We know precisely how creative attackers get when there’s anything even slightly resembling money at stake. You can’t treat security as a thing you bolt onto a system later — but it looks a lot like that’s what they’re doing.

What will Telegram end up with?

Telegram is on a deadline here — they have until October 2019 to get a suitable network running, or they have to give the ICO money back.

So — how can they most easily fulfill the conditions of delivery?

A copy of the SAFT document hasn’t leaked, so we don’t know the precise conditions they need to meet to avoid a refund. But at the very least, Telegram need to provide a network that you can move Gram tokens over. I expect they’ll need to add a Gram wallet to the Telegram Messenger app. They may have promised smart contract functionality as well.

But I doubt they promised their investors complete “decentralisation,” to the standards of cryptocurrency advocates.

The simplest minimum viable product would be a distributed system with centralised administration of critical parts. Once you don’t bother with being 100% decentralised — and have a trusted human institution in there keeping an eye on the hardest parts — it all gets a lot easier.

So, I’d guess that’s what Telegram will release — they’ll say “decentralised” a lot, to try to abrogate responsibility, but they’ll control key parameters, to keep the thing from catching fire.

This is how practical smart contracts work on Ethereum right now — because Decentralised Autonomous Organisations (DAOs) turned out to be a dumb and bad idea. Even the Ethereum white paper recommends that you include update functionality in your smart contracts. That doesn’t stop ICO promoters from saying “decentralised!” for a second, of course.

Ripple’s XRP token is hugely popular with crypto traders, and it’s centrally controlled by Ripple Labs — it turns out the market doesn’t care about your ideology, only its own. EOS is functionally centralised too. Even Bitcoin had recentralised by 2014.

As I’ve said previously — I’m pretty sure that if Ethereum ever gets its Casper Proof-of-Stake mechanism into production, Ethereum will also rapidly centralise — thus leading to a more stable platform for the businesses running on it.

If TON goes this way, it won’t matter — businesses are quite used to working on an open-but-owned platform. It’ll be rather less than the promises — but nobody using or developing for TON will be worried, as long as it more or less works.

And even if TON dies soon after launch — Telegram keeps the money.


Update: hello, new readers! If you were on my Patreon — you’d have seen this post yesterday. Please sign up to support this work!



Become a Patron!

Your subscriptions keep this site going. Sign up today!

3 Comments on “The Telegram ICO’s TON blockchain has questionable security, and will probably centralise”

  1. thanks to Fins on SA for spotting the problem with section 2.4.19, John-Paul Thorbjornsen for the September 2018 technical white papers, and puppy treats to Amy Castor for edits.

    1. If it doesn’t achieve all its far-flung technical goals, they can cry themselves to sleep on really quite a large bed made of actualmoney.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.