{"id":11452,"date":"2018-12-29T22:34:10","date_gmt":"2018-12-29T22:34:10","guid":{"rendered":"https:\/\/davidgerard.co.uk\/blockchain\/?p=11452"},"modified":"2019-04-18T18:12:09","modified_gmt":"2019-04-18T18:12:09","slug":"the-telegram-icos-ton-blockchain-has-questionable-security-and-will-probably-centralise","status":"publish","type":"post","link":"https:\/\/davidgerard.co.uk\/blockchain\/2018\/12\/29\/the-telegram-icos-ton-blockchain-has-questionable-security-and-will-probably-centralise\/","title":{"rendered":"The Telegram ICO&#8217;s TON blockchain has questionable security, and will probably centralise"},"content":{"rendered":"<p>Messaging system Telegram is the favoured chat app for ICOs\u00a0\u2014 every ICO seems to have a Telegram chat room. As founder Pavel Durov <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2017-12-12\/cryptic-russian-crusader-says-his-5-billion-app-can-t-be-bought\">told Bloomberg<\/a> in early December 2017, &#8220;the entire blockchain and cryptocurrency community just switched to Telegram.&#8221;<\/p>\n<p>Telegram doesn&#8217;t have a business model \u2014 it&#8217;s funded out of Durov&#8217;s pocket, using the $300 million he got for his previous huge success, VKontakte, the Russian answer to Facebook.<\/p>\n<p>So, Telegram needed money from somewhere. 
So in early 2018, it did its own sort-of-ICO.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2018\/12\/29\/the-telegram-icos-ton-blockchain-has-questionable-security-and-will-probably-centralise\/ton-graphic\/\" rel=\"attachment wp-att-11546\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-11546\" src=\"https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2018\/12\/ton-graphic.jpg\" alt=\"\" width=\"500\" height=\"200\" srcset=\"https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2018\/12\/ton-graphic.jpg 1000w, https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2018\/12\/ton-graphic-300x120.jpg 300w, https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2018\/12\/ton-graphic-768x307.jpg 768w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h3>The not-an-ICO nets $1.7 billion<\/h3>\n<p>Telegram started touting an ICO to private investors some time in late 2017. <a href=\"https:\/\/www.theregister.co.uk\/2017\/10\/25\/telegram_settles_lawsuit_against_exstaffer_who_claimed_fsb_links\/\">Former employee<\/a> Anton Rozenberg <a href=\"https:\/\/www.facebook.com\/id77777\/posts\/10154846872521076?__tn__=-R\">posted to Facebook<\/a> (<a href=\"https:\/\/archive.is\/eVD5M\">archive<\/a>) on 21 December 2017, publicly confirming the ICO&#8217;s existence \u2014 and linking the <a href=\"https:\/\/www.youtube.com\/watch?v=OHQnyfS-a3U\">teaser video.<\/a><\/p>\n<p>The video posits a fabulously scaleable blockchain, solving most present blockchain scaling problems \u2014 and <em>every Telegram user<\/em> will get a TON wallet, to store the network&#8217;s token, the Gram, &#8220;making it the world&#8217;s most adopted cryptocurrency.&#8221;<\/p>\n<p>&nbsp;<\/p>\n<div class=\"jetpack-video-wrapper\"><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"735\" height=\"414\" 
src=\"https:\/\/www.youtube.com\/embed\/OHQnyfS-a3U?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-GB&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\"><\/iframe><\/span><\/div>\n<p>&nbsp;<\/p>\n<p>The ICO was a SAFT \u2014 a Simple Agreement for Future Tokens\u00a0\u2014 for Gram tokens. The Grams would be delivered when TON was up and running.<\/p>\n<p>The offering was exempt from registration as a security under <a href=\"https:\/\/www.ecfr.gov\/cgi-bin\/text-idx?SID=0a94ea1a8a9ecce212ec25025efed3af&amp;node=17:3.0.1.1.12.0.46.181&amp;rgn=div8\">Regulation D 506(c)<\/a>\u00a0\u2014 for &#8220;accredited,&#8221; <em>i.e.,<\/em> rich, investors only. If an accredited investor wants to buy nonexistent future magic beans and lose all their money\u00a0\u2014 that&#8217;s entirely their own lookout, as long as the prospectus is truthful and details the risks.<\/p>\n<p>Telegram&#8217;s a famous name, so Silicon Valley venture capital <a href=\"https:\/\/www.ft.com\/content\/790d9506-0175-11e8-9650-9c0ad2d7c5b5\">wanted in on this one<\/a> \u2014 exposure to cryptocurrency at the peak of the hype, a famous name with lots of users, and founders who had a track record of success!<\/p>\n<p>The SAFTs were sold in two rounds, of $850 million each \u2014 and that&#8217;s in actual US dollars, not cryptos. 
The first round was <a href=\"https:\/\/www.cnbc.com\/2018\/02\/15\/telegram-the-2-billion-crypto-offering-thats-dividing-tech.html\">oversubscribed,<\/a> and buyers were reportedly <a href=\"https:\/\/qz.com\/1194612\/telegram-ico-allocations-are-being-flipped-for-millions-before-going-on-public-sale\/\">reselling<\/a> their SAFTs for twice what they&#8217;d paid, before the round even finished.<\/p>\n<p>(It&#8217;s not clear how the investors did this, or precisely what they were reselling \u2014 under <a href=\"https:\/\/www.sec.gov\/reportspubs\/investor-publications\/investorpubsrule144htm.html\">SEC Rule 144,<\/a> you mostly can&#8217;t trade 506(c) securities for at least six months after first sale. And the text of the SAFT hasn&#8217;t leaked, so it&#8217;s not clear if Telegram has any obligation other than to the original purchasers.)<\/p>\n<p>What did these investors get for their $1.7 billion? Not a stake in the company \u2014 just the right to Gram tokens, when the TON blockchain eventually launched.<\/p>\n<p>Raising $1.7 billion without giving up <em>any<\/em> stake in your company is an idea with obvious attractions. For comparison, that\u2019s one-tenth of what Facebook\u2019s initial public offering raised \u2014 in one of the longest-awaited, most closely-watched Silicon Valley IPOs ever. 
And Facebook&#8217;s user base is a significant percentage of <em>all the people in the world<\/em> &#8230; unlike Telegram&#8217;s niche messaging app.<\/p>\n<p>The TON <a href=\"https:\/\/drive.google.com\/file\/d\/1oaKoJDWvhtlvtQEuqxgfkUHcI5np1t5Q\/view\">&#8220;primer&#8221;<\/a> white paper (<a href=\"https:\/\/www.docdroid.net\/NFTQHzI\/ton.pdf\">archive<\/a>) says the ICO funds will be used for \u201cthe development of Telegram and TON and for the ongoing expenses required to support the growth of the ecosystem.\u201d That is, they can use the money to pay Telegram\u2019s regular bills \u2014 and also, develop some blockchainy thing.<\/p>\n<p>Though if TON doesn&#8217;t launch by October 2019 \u2014 Telegram will <a href=\"https:\/\/www.wsj.com\/articles\/stock-and-bond-markets-dethroned-private-fundraising-is-now-dominant-1522683249\">return the investors\u2019 money!<\/a> &#8230; if there&#8217;s any left by then.<\/p>\n<h3>No public ICO, but &#8230;<\/h3>\n<p>The ICO never went to its planned public round \u2014 the SEC <a href=\"https:\/\/www.wsj.com\/articles\/telegram-messaging-app-scraps-plans-for-public-coin-offering-1525281933\">was sniffing around ICOs,<\/a> and Telegram had already made much more money than they&#8217;d expected, all of it from people who were definitely rich enough to know better.<\/p>\n<p class=\"western\">But creative cryptocurrency entrepreneurs had been on the case since January \u2014 setting up <a href=\"https:\/\/techcrunch.com\/2018\/01\/20\/telegram-ico-scammers\/\">fake Telegram ICO sites,<\/a> such as tgram.cc, ton-ico.com, ton-gram.io, grampreico.com, tgram.cc and gramtoken.tech. One site, gramtoken.io, collected $5 million in Ether before disappearing.<\/p>\n<p>Some of these, I can&#8217;t even work out precisely what the scam is. <a href=\"https:\/\/ico-telegram.org\/\">ico-telegram.org<\/a> (<a href=\"https:\/\/archive.li\/WrWGJ\">archive<\/a>) claims to be running a refund. 
&#8220;We point out that we are DO NOT sell\/provide any type of security\/currency\/worldly goods or investment promises. we are DO NOT sell Gram token or Telegram token.&#8221; If you click the &#8220;Refund&#8221; button, you go to <a href=\"https:\/\/ico-telegram.org\/tokensale\/index.html\">another page<\/a> (<a href=\"https:\/\/archive.li\/g0rQf\">archive<\/a>) which says &#8220;We are ready to work together with the authorities and law enforcement agencies to resolve the situation and issue any and all refunds corectly.&#8221; [<em>sic<\/em>] If you have MetaMask installed, it blocks the site with a scam warning.<\/p>\n<p class=\"western\">A <a href=\"https:\/\/qz.com\/1246667\/someone-created-a-sham-british-company-to-exploit-telegrams-mega-ico\/\">sham company<\/a> was incorporated in the UK, <a href=\"https:\/\/beta.companieshouse.gov.uk\/company\/11229448\/filing-history\">Telegram Open Network Limited,<\/a> falsely claiming to be owned by Pavel Durov, with \u00a3800 million in capital. Telegram <a href=\"https:\/\/twitter.com\/telegram\/status\/982269272876498944\">disclaimed it.<\/a><\/p>\n<p class=\"western\">Telegram also <a href=\"https:\/\/www.law.com\/therecorder\/2018\/08\/09\/telegram-wins-injunction-barring-crypto-start-up-from-naming-its-currency-gram\/\">defended the name &#8220;Gram&#8221;<\/a> (<a href=\"https:\/\/web.archive.org\/web\/20181229184325\/https:\/\/www.law.com\/therecorder\/2018\/08\/09\/telegram-wins-injunction-barring-crypto-start-up-from-naming-its-currency-gram\/?slreturn=20181129134323\">archive<\/a>) against another company, Lantah LLC, that planned its own \u201cGRAM\u201d token. 
Lantah LLC appears to have actually been first \u2014 but Telegram convinced the judge that they &#8220;did more than prepare to use the mark.&#8221;<\/p>\n<h3>Telegram Open Network: the gritty details<\/h3>\n<p>Venture capital firms who were already into cryptocurrency chose to sit out the Telegram ICO \u2014 \u201cit\u2019s a pitch that sounds good to VCs that haven\u2019t participated but makes no sense to people that have been in the space,\u201d <a href=\"https:\/\/www.nytimes.com\/2018\/03\/04\/technology\/telegram-initial-coin-offering.html\">said<\/a> Nick Tomaino of virtual currency investment fund 1confirmation.<\/p>\n<p>The crypto VCs probably read the December 2017 Telegram Open Network <a href=\"https:\/\/drive.google.com\/file\/d\/1lqVlrgiztnA5dkOHP7-ENDKT1FgZuCUV\/view\">technical white paper<\/a> (<a href=\"https:\/\/www.docdroid.net\/zGNtmKk\/ton-technology.pdf\">archive<\/a>). This was written by VKontakte and Telegram technical co-founder Nikolai Durov, brother of Pavel \u2014 a mathematician, with two doctorates.<\/p>\n<p>The white paper is 132 pages of unsupported promises, and blatant cribs from early Ethereum ideas that didn\u2019t work out.<\/p>\n<p>The paper offers:<\/p>\n<blockquote><p>a fast, secure and scalable blockchain and network project, capable of handling millions of transactions per second if necessary &#8230; We aim for it to be able to host all reasonable applications currently proposed and conceived.<\/p><\/blockquote>\n<p>TON is supposed to be a public blockchain network, dealing in money. 
So the two <em>overwhelmingly<\/em> important questions\u00a0\u2014 overshadowing every other detail\u00a0\u2014 become:<\/p>\n<ol>\n<li>how secure is this against a well-funded attacker?<\/li>\n<li>how does the network stay decentralised?<\/li>\n<\/ol>\n<p>The word &#8220;security&#8221; appears <em>once<\/em> in the entire paper; the word &#8220;threat,&#8221; not at all.<\/p>\n<p>And if it won&#8217;t stay decentralised \u2014 there&#8217;s not really any point in using a blockchain.<\/p>\n<p>But first \u2014 how will Telegram achieve all three of &#8220;fast, secure and scalable&#8221;?<\/p>\n<p>Quite a lot of the technical white paper is ideas that Ethereum already rejected\u00a0\u2014 it&#8217;s like Durov read Vitalik Buterin&#8217;s <a href=\"https:\/\/vitalik.ca\/general\/2017\/09\/14\/prehistory.html\">&#8220;Prehistory of the Ethereum Protocol&#8221;<\/a> and went &#8220;ha, that&#8217;ll be easy.&#8221;<\/p>\n<p>Ethereum is currently working on how to separate transaction processing into multiple sub-blockchains, called <a href=\"https:\/\/github.com\/ethereum\/wiki\/wiki\/Sharding-FAQ\">&#8220;shards&#8221;<\/a>\u00a0\u2014 a term <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shard_(database_architecture)\">adopted from databases<\/a>\u00a0\u2014 and reconcile transactions while maintaining cryptographic guarantees. This is how they hope to scale up Ethereum&#8217;s transaction rate.<\/p>\n<p>TON is conceived as a pile of shards, from the ground up \u2014 think in terms of one blockchain per account, then work out how to reconcile all of these. 
This is what Durov calls the &#8220;infinite sharding paradigm.&#8221;<\/p>\n<p>There&#8217;s a master blockchain, and up to 2<sup>32<\/sup> &#8220;workchains&#8221; hanging off it, as <a href=\"https:\/\/bitcoinmagazine.com\/articles\/sidechains-why-these-researchers-think-they-solved-key-piece-puzzle\/\">sidechains.<\/a> Each workchain can have 2<sup>60<\/sup> &#8220;shardchain&#8221; sidechains hanging off it.<\/p>\n<p>Each shardchain is responsible for a small number of addresses; shards can branch or merge depending on the processing load its addresses cause. Each block in a shardchain can be replaced if found to be invalid. The masterchain contains hashes of all blocks of all shardchains.<\/p>\n<p>This all just assumes the validity of shardchain block generation\u00a0\u2014 there&#8217;s no mention of financially-interested outside attackers.<\/p>\n<p>One obvious attack comes from section 2.4.19 \u2014 to avoid a flood of messages, &#8220;each shard is &#8216;connected&#8217; only to shards differing in exactly one hexadecimal digit of their (w, s) shard identifiers.&#8221; So, to attack a high-value shard, just compromise enough of its surrounding shards. 
Thus, high-value shards will need to buy a &#8220;moat&#8221; of their adjacent shards.<\/p>\n<p>Sidechains and shards and so on could work just fine in a world with no hostile attackers\u00a0\u2014 but that&#8217;s not the world we live in.<\/p>\n<p>Anyone can stack up chains of chains of chains like Lego bricks \u2014 but we&#8217;re interested in what happens when someone comes at it with a hammer.<\/p>\n<p>Remember that <em>none of this exists.<\/em> The white paper is not a detailed explanation of a live working system\u00a0\u2014 this was <em>all hypothetical,<\/em> even if the white paper consistently uses the present tense, as if this was and is a thing.<\/p>\n<p>At best, this is how Durov thinks his unimplemented system will work\u00a0\u2014 there are bursts of ridiculously low-level detail, and other bits are handwaved, or conspicuously absent.<\/p>\n<p>Section 2.6 is how the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Proof-of-stake\">Proof-of-Stake<\/a> system will work. This is how TON claims to solve the Blockchain Trilemma of being fast, decentralised and secure:<\/p>\n<blockquote><p>The TON Blockchain ultimately consists of shardchain and masterchain blocks. These blocks must be created, validated and propagated through the network to all parties concerned, in order for the system to function smoothly and correctly.<\/p><\/blockquote>\n<p>There are 100 validators in any given month, elected according to stake. Nominators can lend capital to validators to achieve stake.<\/p>\n<blockquote><p>this nominating or lending system enables one to become a validator without investing a large amount of money into Grams (TON coins) first. 
In other words, it prevents those keeping large amounts of Grams from monopolizing the supply of validators.<\/p><\/blockquote>\n<p>Presumably this is their answer to the Proof-of-Stake centralisation failure mode &#8220;thems what has, gets&#8221;\u00a0\u2014 where having money means you&#8217;re better-placed to get more money. But Durov just states the claim that it prevents a monopoly\u00a0\u2014 he doesn&#8217;t show how this follows, at all.<\/p>\n<p>Section 2.6.25 is TON&#8217;s promise of decentralisation. It explicitly contrasts TON with Bitcoin and Ethereum, which run <a href=\"https:\/\/en.wikipedia.org\/wiki\/Proof-of-work_system\">Proof-of-Work,<\/a> which \u2014 apart from being a <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2018\/05\/22\/bitcoins-stupendous-power-waste-is-green-apparently-bad-excuses-for-proof-of-work\/\">horrifying and reprehensible waste of power and CO<sub>2<\/sub> generator<\/a> \u2014 has centralised due to economies of scale: the bigger you are, the more efficiently you can mine Bitcoin or Ethereum. TON uses a nominator system:<\/p>\n<blockquote><p>In fact, the parameter L of 2.6.7 will force nominators not to join the largest \u201cmining pool\u201d (i.e., the validator that has amassed the largest stake), but rather to look for smaller validators currently accepting funds from nominators, or even to create new validators, because this would allow a higher proportion s&#8217;<sub>i<\/sub>\/s<sub>i<\/sub> of the validator\u2019s \u2014 and by extension also the nominator\u2019s \u2014 stake to be used, hence yielding larger rewards from mining. In this way, the TON Proof-of-Stake system actually encourages decentralization (creating and using more validators) and punishes centralization.<\/p><\/blockquote>\n<p>&#8230; and that&#8217;s it. Durov presents no evidence that the system will work in practice how he hopes. 
No threat models, no possible failure modes, nor any failure modes discovered in <a href=\"https:\/\/github.com\/ethereum\/wiki\/wiki\/Proof-of-Stake-FAQs\">Ethereum&#8217;s years of work<\/a> on a Proof-of-Stake system.<\/p>\n<p>What stops individual large nominators backing a huge percentage of validators? As we see with crypto mining company Bitmain running multiple &#8220;separate&#8221; Bitcoin mining pools, often adding up to over 50%.<\/p>\n<p>&nbsp;<\/p>\n<p>https:\/\/twitter.com\/ncweaver\/status\/1078682328866598912<\/p>\n<p>&nbsp;<\/p>\n<p>There&#8217;s massive quantities of intricate detail here on how all of this is going to work. But none of this existed when it was written. It&#8217;s non-empirical reasoning from first principles about a hypothetical system.<\/p>\n<p><em>Why<\/em> is this a good system? Why these <em>particular<\/em> choices? What are the alternatives? Why is it more than just you making up a PoS system off the top of your head?<\/p>\n<p>Section 2.8 discusses types of blockchains. This sort of answers a bit of &#8220;why,&#8221; but only on the broadest level\u00a0\u2014 not why Durov made these particular decisions.<\/p>\n<p>Durov is ridiculously smart. He has two Ph.Ds in mathematics. He&#8217;s recruiting seriously talented mathematicians to work on TON.<\/p>\n<p>I&#8217;m pretty sure Durov is confident nobody could outsmart him here \u2014 he&#8217;s thought about it really hard, after all.<\/p>\n<p>But it&#8217;s an empirical problem, not just a maths problem. Pure reason from first principles is not enough \u2014 you need twisty weasels kicking your system and thinking of ways around your security. 
I can&#8217;t see any evidence of this in the paper.<\/p>\n<p>Durov was technical architect for VKontakte and Telegram, so he should know this is missing.<\/p>\n<p>Section 2.9 outlines a hierarchy of blockchain projects, and calls TON &#8220;the first fifth-generation blockchain project.&#8221; I would say TON is zeroth generation, because it <em>doesn&#8217;t exist.<\/em><\/p>\n<p>Section 2.9.13: &#8220;Is it possible to &#8216;upload Facebook into a blockchain&#8217;?&#8221; \u2014 this is the worst section heading I&#8217;ve ever seen in a white paper, and I&#8217;ve seen some doozies. I&#8217;m glad their answer is <em>mostly<\/em> &#8220;no.&#8221;<\/p>\n<p>The rest of the paper details other parts of the network \u2014 TON Storage (like IPFS), TON Proxy (like TOR), TON Services (user and app interface), TON DNS, and TON Payments (a Lightning-style channel network). These are a similar blend of low-level querulous detail and high-level handwaving.<\/p>\n<p>Investors spent one point seven billion actual US dollars on this thing \u2014 so the white paper was certainly up to <i>that<\/i> task.<\/p>\n<p>&nbsp;<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">&quot;Isn&#39;t this infinitely scalable file sharing social network idea amazing?!&quot; <br \/>&quot;yeah&#8230;but, the technology it&#39;s based on is predicated on algorithms that don&#39;t scale because&#8230;.&quot;<br \/>&quot;STOP SPREADING FUD YOU JUST DON&quot;T WANT NICE THINGS&quot;<\/p>\n<p>&mdash; Sarah Jamie Lewis (@SarahJamieLewis) <a href=\"https:\/\/twitter.com\/SarahJamieLewis\/status\/1078450584213045250?ref_src=twsrc%5Etfw\">December 28, 2018<\/a><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3>Telegram Passport<\/h3>\n<p>Part of the TON plan\u00a0\u2014 at least per the Primer\u00a0\u2014 is an identity system offering &#8220;External 
Secure IDs.&#8221; <a href=\"https:\/\/telegram.org\/blog\/passport\">Telegram Passport<\/a> was released in July 2018.<\/p>\n<p>Telegram Passport will let you fulfill KYC (Know Your Customer) requirements for crypto offerings. You upload your passport, driver&#8217;s license, bank statements, rental agreements, and so on \u2014 and you can provide these to services that want to see them.<\/p>\n<p>You trust that Telegram know what they&#8217;re doing with securing your most sensitive personal and financial data.<\/p>\n<p>Unfortunately, it had <a href=\"https:\/\/virgilsecurity.com\/telegram-passport-vulnerability\/\">a number of problems.<\/a> Specifically, the trouble with roll-your-own cryptography is that you&#8217;ll discover why everyone says never to roll your own cryptography:<\/p>\n<ul>\n<li>Your data is protected only with a password, hashed with salted SHA-512. In 2018, this costs a <em>maximum<\/em> of $135 per password to brute-force the entire space of eight-character passwords.<\/li>\n<li>Telegram generates its own key for data encryption \u2014 but it turns out their roll-your-own cryptography generates keys where the sum of all bytes is always divisible by 239. This cuts 7 to 8 bits off the brute-force search space.<\/li>\n<\/ul>\n<p>But all the millions of Telegram users will use passwords longer than eight characters \u2014 right?<\/p>\n<h3>September 2018 TON progress report<\/h3>\n<p>In September 2018, TON issued a <a href=\"https:\/\/www.theblockcrypto.com\/2018\/11\/21\/we-got-our-hands-on-an-investor-update-for-telegrams-blockchain-project-and-can-confirm-russian-reports-that-say-its-70-done\/\">progress report<\/a> for investors, claiming the project was &#8220;70%&#8221; toward the test network \u2014 TON Virtual Machine 95% complete, TVM documentation 95%, TON network protocols 80-100%, TON blockchain validation 10-50%.<\/p>\n<p>Completion percentages of this sort are deceptive. 
Telegram don&#8217;t make it clear at all how they&#8217;re measuring this. For instance, in the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Scrum_(software_development)\">scrum process,<\/a> it <em>might<\/em> mean percentage of &#8220;stories&#8221; completed in a given &#8220;epic.&#8221; But 90% of your stories being done doesn&#8217;t at all mean there&#8217;s only 10% more work to go before release.<\/p>\n<p>The 5 September 2018 technical papers are &#8220;Telegram Open Network Blockchain&#8221; (<a href=\"https:\/\/docdro.id\/qY4sQEv\">archive<\/a>) and &#8220;Telegram Open Network Virtual Machine&#8221; (<a href=\"https:\/\/docdro.id\/R3vEKBY\">archive<\/a>).<\/p>\n<p>The TON paper goes into hyperspecific detail about message passing algorithms, the layout of data within the blocks, and so on. I think they wrote this by taking what software they&#8217;d written so far, and describing it mathematically. The TVM paper is much the same.<\/p>\n<p>That&#8217;s fine \u2014 but both papers conspicuously fail to address our two crucial questions: <em>(a)<\/em> are we secure, and <em>(b)<\/em> how do we stay decentralised?<\/p>\n<p>The new papers have <em>nothing<\/em> on validation, resolving disagreements, security, threat models, or how this thing stays decentralised.<\/p>\n<p>We know precisely how creative attackers get when there&#8217;s anything even slightly resembling money at stake. You can&#8217;t treat security as a thing you bolt onto a system later\u00a0\u2014 but it looks a lot like that&#8217;s what they&#8217;re doing.<\/p>\n<h3>What will Telegram end up with?<\/h3>\n<p>Telegram is on a deadline here \u2014 they have until October 2019 to get a suitable network running, or they have to give the ICO money back.<\/p>\n<p>So \u2014 how can they most easily fulfill the conditions of delivery?<\/p>\n<p>A copy of the SAFT document hasn&#8217;t leaked, so we don&#8217;t know the precise conditions they need to meet to avoid a refund. 
But at the very least, Telegram need to provide a network that you can move Gram tokens over. I expect they&#8217;ll need to add a Gram wallet to the Telegram Messenger app. They may have promised smart contract functionality as well.<\/p>\n<p>But I doubt they promised their investors complete &#8220;decentralisation,&#8221; to the standards of cryptocurrency advocates.<\/p>\n<p>The simplest <a href=\"https:\/\/en.wikipedia.org\/wiki\/Minimum_viable_product\">minimum viable product<\/a> would be a distributed system with centralised administration of critical parts. Once you don&#8217;t bother with being 100% decentralised\u00a0\u2014 and have a trusted human institution in there keeping an eye on the hardest parts\u00a0\u2014 it all gets a lot easier.<\/p>\n<p>So, I&#8217;d guess that&#8217;s what Telegram will release \u2014 they&#8217;ll say &#8220;decentralised&#8221; a lot, to try to abrogate responsibility, but they&#8217;ll control key parameters, to keep the thing from catching fire.<\/p>\n<p>This is how practical smart contracts work on Ethereum right now\u00a0\u2014 because Decentralised Autonomous Organisations (DAOs) turned out to be a <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/the-dao\/\">dumb and bad idea.<\/a> Even the Ethereum white paper recommends that you include update functionality in your smart contracts. That doesn&#8217;t stop ICO promoters from saying &#8220;decentralised!&#8221; for a second, of course.<\/p>\n<p>Ripple&#8217;s XRP token is hugely popular with crypto traders, and it&#8217;s centrally controlled by Ripple Labs \u2014 it turns out the market doesn&#8217;t care about your ideology, only its own. EOS is <a href=\"https:\/\/www.theblockcrypto.com\/2018\/12\/07\/why-do-we-take-eos-seriously-when-its-clearly-a-plutocracy\/\">functionally centralised<\/a> too. 
Even Bitcoin had <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2018\/05\/22\/bitcoins-stupendous-power-waste-is-green-apparently-bad-excuses-for-proof-of-work\/\">recentralised by 2014.<\/a><\/p>\n<p>As I&#8217;ve <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2018\/05\/13\/ethereum-casper-only-has-to-work-well-enough-worse-is-better-in-action\/\">said previously<\/a>\u00a0\u2014 I&#8217;m pretty sure that if Ethereum ever gets its Casper Proof-of-Stake mechanism into production, Ethereum will also rapidly centralise \u2014 thus leading to a more stable platform for the businesses running on it.<\/p>\n<p>If TON goes this way, it won&#8217;t matter\u00a0\u2014 businesses are quite used to working on an open-but-owned platform. It&#8217;ll be rather less than the promises \u2014 but nobody using or developing for TON will be worried, as long as it more or less works.<\/p>\n<p>And even if TON dies soon after launch \u2014 Telegram keeps the money.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I\u2019m pretty sure Nikolai Durov is confident nobody could outsmart him here \u2014 he\u2019s thought about it really hard, after all. 
But what happens when someone comes at the Telegram Open Network with a hammer?<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[1098,9,1099,189,1096,1097],"class_list":["post-11452","post","type-post","status-publish","format-standard","hentry","category-uncategorised","tag-gram","tag-ico","tag-nikolai-durov","tag-saft","tag-telegram","tag-ton"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/11452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/comments?post=11452"}],"version-history":[{"count":111,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/11452\/revisions"}],"predecessor-version":[{"id":12743,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/11452\/revisions\/12743"}],"wp:attachment":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/media?parent=11452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/categories?post=11452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/
tags?post=11452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}