Security Audit: Proof of Capital
We've completed our security assessment of the Proof of Capital protocol - a market-making smart contract that protects the interests of all holders.
Full report: [link]
proofofcapital.org
Proof of Capital
Technology for ensuring the value of digital assets
Misti 0.7 has just landed on NPM!
- More Tact Detectors: StateMutationInGetter, UnprotectedCall and SuspiciousLoop.
- Tact 1.6.1 support: Including new language syntax and features.
- Improved Tools: Added more Callgraph functionality to enhance contract audits.
- Fixes & Enhancements: Check out the full changelog.
nowarp.io
Misti
TON Static Analyzer
TON Security Risks: A Static Analysis Perspective
A new blog post dives into security risks in TON, with a focus on automated security tools. It argues for using static program analysis in audits and shows examples of bugs that tools like Misti can catch.
nowarp.io
TON Security Risks: A static analysis perspective | Misti
Smart contracts are unforgiving. A single bug can vaporize millions of dollars. If you're coming from web development, forget everything you know about "move fast and break things" - here, breaking things means actually breaking things. With money. Real money.
Misti 0.8 has just landed on NPM!
- More Detectors: New detectors to find possible optimizations introduced in Tact 1.6: SuboptimalSend, PreferBinaryReceiver, PreferSenderFunction, ImplicitOpcode and SuboptimalCellOperation.
- Improved Integrability: Standardized JSON output for smoother integration.
- LSP Actions Support: Misti now provides an API for LSP code actions, introducing quickfix suggestions for some detectors.
- Fixes & Enhancements: Check out the full changelog.
Misti 0.8.1 has just been released.
This patch release introduces Tact 1.6.6 support and includes minor changes and fixes. Check out the full changelog.
Announcing: OCaml library for FunC parsing: nowarp/ocaml-func
For developers working with FunC, this library provides AST and parser functionality.
GitHub
GitHub - nowarp/ocaml-func: OCaml library providing AST and parser for FunC
OCaml library providing AST and parser for FunC. Contribute to nowarp/ocaml-func development by creating an account on GitHub.
Check out our first thread for an overview of Misti: https://x.com/nowarp_io/status/1921501042534908240
X (formerly Twitter)
nowarp (@nowarp_io) on X
1/ Misti is an open-source static analyzer for @ton_blockchain contracts written in @tact_language: https://t.co/AcjQZdLhrh
Let's explore its capabilities
Introducing Scanner: Mass Static Analysis for TON Smart Contracts
We've released a demo showcasing our static analysis tooling for TON contracts.
Features:
- ~20 curated contracts with zero vulnerabilities
- Detailed analysis results
- Great for learning Tact development best practices and exploring the tooling capabilities
We scan everything for research but only display clean contracts without vulnerabilities publicly.
Check it out: https://nowarp.io/tools/scanner/
nowarp.io
Misti
TON Smart Contract Scanner
Misti 0.9 has just landed on NPM!
- More Detectors: New Tact detectors: DuplicatedImport, TransitiveImport, RedundantBooleanExpression, UnusedMethodArgument and PreferGlobalFunction.
- Improved GitHub Actions integration: Better user experience via SARIF output format support.
- Custom Tools: Misti now enables users to write Custom Tools, just like Custom Detectors.
- Fixes & Enhancements: Check out the full changelog.
Skry: Hybrid LLM Static Analysis for Sui Move contracts
The tool is static analysis-first and uses LLMs only for constrained semantic classification, focused around access control, governance, and centralization risks non-detectable by pure static analysis.
This is a proof-of-concept tool showing the approach is viable.
Blog post: nowarp.io/blog/skry
Source code: github.com/nowarp/skry
100+ compiler bugs found across 5 smart-contract compilers - Sui Move, Cairo, Solang, Solidity, and Leo - in a fresh blog post on compiler fuzzing. Only bugs in later compilation passes are reported; no malformed-input crashes.
The post shares experience, heuristics, and an overview of approaches for setting up a low-effort fuzzing workflow to test compiler implementations. Part 1 focuses only on ICE.
What the post covers:
- Designing and configuring the fuzzing harness for grammar-aware fuzzing
- A new tree-sitter-based grammar-aware mutator that works with any tree-sitter grammar
- Adopting MetaMut-style mutations: 700–1000 language-specific mutation operations per target, from a few prompts
- Corpus collection, generation, and minimization
- Dictionary construction
- LLM-assisted triage - deduplication, minimization, reporting
Three open-source utilities published, plus the complete Sui Move fuzzing harness with 884 custom mutators.
https://nowarp.io/blog/compiler-testing-part-1
A 20-year-old JDK bug, reincarnated in Tolk
I was experimenting with approaches and techniques to find miscompilation errors. Not crashes - those are the easy ones. This time - the Ethereum ecosystem. Every codebase there has been audited to death; bug-hunting is desperate, and each find I made was complicated.
So I tried a similar approach on TON, with the latest Tolk compiler. Just for fun. It took about 30 minutes to vibecode a ~500-line script based on hands-on experience. A deterministic and boring script. Only SMT and Python. No LLM in the loop.
Results are interesting. Two hours running. A few ICEs. A couple of real arithmetic miscompiles users can hit. But the best find - the ghost of a 20-year-old JDK bug, alive in the Tolk codebase.
Just look at this example:

    const RANGE_LO: int = 1000000000000000;
    const RANGE_HI: int = 3000000000000000;
    const MID: int = (RANGE_LO + RANGE_HI) >> 1;
    // Intended identity: MID > (MID - a) iff a > 0
    fun isPositive(a: int): bool {
        return MID > (MID - a);
    }

Math says isPositive(-1) == false. Tolk says true. The optimizer cancels MID from the rhs subtraction but forgets the lhs, so the test silently becomes MID > -a:

    isPositive() PROC:<{ // a
      MID PUSHINT
      SWAP
      NEGATE // -a
      GREATER // MID > -a (NOT MID > MID - a)
      ...
    }>

FunC compiles the same source correctly with SUB in place: check it here.
(low + high) >> 1 is exactly the midpoint idiom - Bloch's canonical "safe" replacement for JDK-6412541. Twenty years later, the same pattern lives on in a smart-contract compiler.
Maybe that's an easter egg as a tribute to a famous bug. But I would prefer boring and well-audited tech with security guarantees over marketing. The compiler isn't bad, just young. Pick the stack that keeps "dudes with Python scripts" out of your threat model.
Google Research
Extra, Extra - Read All About It: Nearly All Binary Searches and Mergesorts are Broken
Posted by Joshua Bloch, Software Engineer. I remember vividly Jon Bentley's first Algorithms lecture at CMU, where he asked all of us incoming Ph.D. ...
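The miscompile described in the post above can be reproduced as a differential check between the source predicate and the emitted instruction sequence. This is an added example, not code from the original post or from the Tolk project; the function names are hypothetical, and it assumes TVM's 257-bit signed integer range with overflow treated as an exception.

```python
# Added example: compare the source predicate with the emitted instruction
# sequence from the listing. Assumes TVM's 257-bit signed integer range.
RANGE_LO = 1000000000000000
RANGE_HI = 3000000000000000
MID = (RANGE_LO + RANGE_HI) >> 1

INT_MIN, INT_MAX = -(2**256), 2**256 - 1  # assumed TVM integer bounds


def in_range(x):
    return INT_MIN <= x <= INT_MAX


def source_semantics(a):
    """What the Tolk source says: MID > (MID - a)."""
    return MID > (MID - a)


def emitted_semantics(a):
    """What the listing computes: MID PUSHINT, SWAP, NEGATE, GREATER."""
    return MID > -a


def candidates():
    """Constructed boundary inputs around 0, +/-MID, the constants and the limits."""
    seen = set()
    for pivot in (0, MID, -MID, RANGE_LO, RANGE_HI, INT_MIN, INT_MAX):
        for delta in (-2, -1, 0, 1, 2):
            a = pivot + delta
            if in_range(a) and a not in seen:
                seen.add(a)
                yield a


def find_mismatches():
    """Return (a, source_result, emitted_result) wherever the two forms disagree."""
    out = []
    for a in candidates():
        # Skip inputs where either form would leave the integer range
        # (modelled here as an overflow exception rather than a result).
        if not (in_range(MID - a) and in_range(-a)):
            continue
        src, emit = source_semantics(a), emitted_semantics(a)
        if src != emit:
            out.append((a, src, emit))
    return out


if __name__ == "__main__":
    for a, src, emit in find_mismatches():
        print(f"a={a}: source={src} emitted={emit}")
```

On these constructed inputs every disagreement falls in -MID < a <= 0, where the source form is false and the emitted form is true.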