
BitsLab Releases Major Security Research Findings: Comprehensive Insights into 2024 Emerging Public Blockchain Security
TechFlow Selected TechFlow Selected

BitsLab Releases Major Security Research Findings: Comprehensive Insights into 2024 Emerging Public Blockchain Security
The report focuses on four major directions: Move, TON, Bitcoin scaling, and Cosmos appchains, providing detailed analysis from three perspectives: technological innovation, security challenges, and historical security incidents.

The report focuses on four major directions: Move, TON, Bitcoin scaling, and Cosmos appchains. It provides detailed analysis from three perspectives—technological innovation, security challenges, and historical security incidents—offering insights and guidance for investors, developers, and white-hat hackers:

Move Ecosystem (Aptos, Sui, etc.)
The report introduces how the Move language revolutionizes smart contract programming through innovations in resource management, modular design, and built-in security mechanisms, providing an in-depth analysis of the unique features and security architectures of Aptos and Sui.
Originally developed by Facebook (now Meta) for the Diem (Libra) project, the Move language was designed to overcome performance and security bottlenecks in traditional smart contract languages. Move emphasizes explicitness and safety of resources, ensuring controllability of every state transition on the blockchain. This innovative programming language offers several distinct advantages:
Resource Management Model: Move treats assets as resources that cannot be copied or destroyed. This unique model prevents common issues in smart contracts such as double-spending or accidental asset destruction.
Modular Design: Move allows smart contracts to be built in a modular fashion, improving code reusability and reducing development complexity.
High Security: Move includes extensive built-in security checks at the language level, preventing common vulnerabilities such as reentrancy attacks.
In addition, the report reviews typical security incidents involving the Move Virtual Machine and the Aptos network from 2023 to the end of 2024, alerting the community to potential risks such as infinite recursion DoS vulnerabilities and flaws in mempool eviction mechanisms.
Download the report for a detailed review of Move ecosystem security incidents
TON Ecosystem
TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, aiming to build a fast, secure, and scalable blockchain platform that provides users with decentralized applications and services. By integrating blockchain technology with Telegram's communication capabilities, TON achieves high performance, strong security, and excellent scalability. It enables developers to build various decentralized applications and offers distributed storage solutions. Compared to traditional blockchain platforms, TON delivers faster processing speeds and higher throughput, utilizing a Proof-of-Stake consensus mechanism.
TON adopts a Proof-of-Stake consensus mechanism and achieves high performance and multifunctionality through its Turing-complete smart contracts and asynchronous blockchain architecture. TON’s lightning-fast and low-cost transactions are supported by a flexible, sharded architecture that allows seamless scaling without sacrificing performance. Dynamic sharding involves initially developing separate shards with specific purposes that can run simultaneously and prevent large-scale backlogs. TON has a block time of 5 seconds and finality in under 6 seconds.
The existing infrastructure is divided into two main components:
● Masterchain: Handles all critical protocol data, including validator addresses and staked coin amounts.
● Workchain: Secondary chains connected to the Masterchain, containing all transaction information and various smart contracts, with each workchain able to have different rules.
The TON Foundation is a DAO operated by the core TON community, providing various forms of support to projects within the TON ecosystem, including developer assistance and liquidity incentive programs. The report details significant progress made by the TON community across multiple areas in 2024 and also reveals recent vulnerabilities where malicious contracts could exhaust virtual machine resources through nested structures, urging continuous strengthening of smart contract security audits.
Download the report for more detailed TON ecosystem content
Bitcoin Scaling Ecosystem
Solutions such as the Lightning Network, Liquid Network, Rootstock (RSK), B² Network, and Stacks—Layer 2 and sidechain protocols—are driving breakthroughs in Bitcoin’s transaction scalability and programmability. The Lightning Network improves transaction efficiency, Liquid Network accelerates institutional transactions, and Rootstock combines security with smart contracts to expand the dApp ecosystem. Additionally, B² Network and Stacks further enhance Bitcoin’s functionality and application scenarios.
The Lightning Network is one of the most mature and widely adopted Layer 2 solutions for Bitcoin. By establishing payment channels, it moves numerous small transactions off-chain, significantly increasing Bitcoin’s transaction speed and lowering fees.

Image source: https://lightning.network/lightning-network-presentation-time-2015-07-06.pdf
Liquid Network is a sidechain running on the open-source Elements blockchain platform, specifically designed for faster transactions among exchanges and institutions. It is governed by a distributed consortium composed of Bitcoin companies, exchanges, and other stakeholders. Liquid uses a two-way peg mechanism to convert BTC into L-BTC and vice versa.

Image source: https://docs.liquid.net/docs/technical-overview
Rootstock, born in 2015, is the longest-running Bitcoin sidechain and launched its mainnet in 2018. Its uniqueness lies in combining Bitcoin’s Proof-of-Work (PoW) security with Ethereum-style smart contracts. As an open-source, EVM-compatible Bitcoin Layer 2 solution, Rootstock provides access to a growing dApp ecosystem and aims for fully trustless operation.
B² Network’s technical architecture consists of two layers: Rollup layer and Data Availability (DA) layer. B² Network aims to redefine user perceptions of Bitcoin’s Layer 2 solutions.
Since launching on mainnet in 2018 under the name Blockstack, Stacks has become a leading Bitcoin Layer 2 solution. Directly connected to Bitcoin, Stacks enables the creation of smart contracts, dApps, and NFTs on Bitcoin, significantly expanding its utility beyond just a store of value. It employs a unique Proof-of-Transfer (PoX) consensus mechanism, directly tying its security to Bitcoin without modifying Bitcoin itself.

Image source: https://docs.stacks.co/stacks-101/proof-of-transfer
Babylon’s vision is to extend Bitcoin’s security to protect the decentralized world. By leveraging three aspects of Bitcoin—its timestamp service, block space, and asset value—Babylon can transfer Bitcoin’s security to numerous Proof-of-Stake (PoS) chains, creating a stronger, unified ecosystem.

While these technologies bring new possibilities to the Bitcoin ecosystem, they also face challenges such as the Lightning Network’s “substitution cycle attack,” UTXO calculation errors, and PoW rollback mechanism risks.
Read the full report for more detailed Bitcoin ecosystem content
Cosmos Appchain Ecosystem
Centered around Tendermint consensus, Cosmos SDK, and IBC cross-chain communication, the Cosmos ecosystem features multiple technological innovations in the design philosophy of an internet of blockchains.
Cosmos’ architecture adopts a Hub-and-Zone model, where the Hub acts as the core node connecting and coordinating multiple Zones (independent blockchains). The key innovations of this architecture include:
Decentralized Governance: Each Zone is an independent, autonomous blockchain that does not rely on a single centralized management node.
Efficient Cross-Chain Connectivity: Through the Hub, Zones can seamlessly communicate and transfer assets across chains, achieving true interoperability.
The report conducts an in-depth analysis of potential security risks in Cosmos appchains—from multi-module call sequences to cross-chain message passing—and draws lessons from controversies surrounding liquid staking modules (LSM) and governance processes, offering warnings and insights for other appchain projects.
Read the full report for more detailed Cosmos appchain ecosystem content
Multi-Year Vulnerability Research Findings
The report comprehensively outlines nine common types of security vulnerabilities in the blockchain industry. These vulnerabilities span multiple technical layers and affect core components across various blockchain ecosystems, covering everything from cross-chain communication to economic model design.
1. L2/L1 Cross-Chain Communication Vulnerabilities: While cross-chain communication enhances interoperability among blockchain ecosystems, its implementation poses many security risks—for example, L2 failing to account for L1 block rollbacks, forged on-chain events, or L2 not verifying whether transactions sent to L1 were successful.
2. Cosmos Appchain Vulnerabilities: As an ecosystem centered on blockchain interoperability, Cosmos allows different blockchains to connect via IBC (Inter-Blockchain Communication Protocol). However, implementation flaws may introduce vulnerabilities such as BeginBlocker and EndBlocker crash bugs, incorrect use of local time, improper use of randomness, and nine other security issues.
3. Bitcoin Scaling Ecosystem Vulnerabilities: Including Bitcoin script construction flaws, vulnerabilities arising from unconsidered derivative assets, and UTXO amount calculation errors.
4. Common Programming Language Vulnerabilities (e.g., infinite loops, infinite recursion, integer overflows, race conditions).
5. P2P Network Vulnerabilities: P2P (peer-to-peer) networks enable direct connections and communications between distributed nodes in blockchain systems. Despite forming the backbone of decentralization, they face common vulnerabilities such as eclipse attacks, lack of trust models, and absence of node quantity limits.
6. DoS Attacks: Including memory exhaustion attacks, disk exhaustion attacks, kernel handle exhaustion attacks, and persistent memory leaks.
7. Cryptographic Vulnerabilities: These compromise data confidentiality and integrity, posing potential threats to system security. Major types include using cryptographically broken hash algorithms, insecure custom hash functions, and hash collisions caused by improper usage.
8. Ledger Security Vulnerabilities: Such as transaction mempool vulnerabilities, block hash collision vulnerabilities, orphan block handling logic flaws, and Merkle tree hash collisions.
9. Economic Model Vulnerabilities: Economic models play a crucial role in blockchain and distributed systems, influencing network incentives, governance structures, and overall sustainability. The economic model vulnerabilities listed in the report require special attention.
Read the full report to learn more about these security vulnerability types
List of Common Attack Surfaces
The report also lists 13 common attack surfaces, each representing a potential entry point for hackers—worthy of heightened attention from developers and project teams:
1. Virtual Machine
2. P2P Node Discovery and Data Synchronization Module
3. Block Parsing Module
4. Transaction Parsing Module
5. Consensus Protocol Module
6. “Other attack surfaces are available in the report”
…
Best Practices for Secure Development
Through rich case studies and offensive-defense practices, the report distills systematic approaches to security defense.
On the security front, the report provides comprehensive recommendations for best practices in chain development, covering block and transaction processing, smart contract virtual machines, logging systems and RPC interfaces, P2P protocol designs resilient to DoS attacks, transport-layer encryption and authentication, fuzzing and static code analysis, and third-party security audit procedures—aiming to deliver clear and actionable security guidance throughout the lifecycle of blockchain projects.
Download the report for detailed secure development best practices
Background of the Report:
At the beginning of 2025, looking back at the past year, blockchain technology has continued to rapidly evolve globally—from transaction processing performance and cross-chain interactions to smart contract languages and node scaling solutions—the entire industry is entering a more diverse and complex new phase. Meanwhile, emerging public blockchain ecosystems have risen swiftly, continuously leading Web3 technological trends and ecological prosperity with flexible network architectures, innovative programming models, and rich application scenarios.
However, security risks continue to emerge. Once exploited through attacks or vulnerabilities, they can lead not only to loss of on-chain assets but also to network paralysis, threatening the stability of the entire blockchain ecosystem. To address this, BitsLab, a globally leading security organization dedicated to safeguarding and building emerging Web3 ecosystems, has released the "2024 Emerging Ecosystem Public Chain Panoramic Observation and Security Research Report", aiming to help industry participants accurately anticipate risks and implement effective protection strategies.
Company Overview
BitsLab has long focused on blockchain and Web3 security, accumulating extensive auditing experience and technical expertise. From the Move ecosystem and TON network to Bitcoin scaling and the Cosmos appchain ecosystem, BitsLab has provided security audits and infrastructure support to numerous blockchain projects. This newly released report represents both the culmination of BitsLab’s ongoing research and practical experience and a professional guide for the broader industry—hoping that more project teams, investment institutions, researchers, and community members will benefit from it, enabling steady progress amid rapid technological evolution and fostering a healthy, sustainable decentralized world built on security.
The "2024 Emerging Ecosystem Public Chain Panoramic Observation and Security Research Report" is now officially available. Interested readers are welcome to obtain the complete version via the official BitsLab website and partner platforms, gaining deep insights into the frontier of blockchain security and joining BitsLab in co-building robust defenses for emerging public chains. Let us together embrace the broader prospects of the Web3 world and advance toward a more prosperous and resilient future for decentralized ecosystems!
Click to read and download the Chinese and English reports
About BitsLab
BitsLab is a security organization committed to protecting and building emerging Web3 ecosystems, aspiring to become a respected leader in Web3 security. It operates three sub-brands: MoveBit, ScaleBit, and TonBit.
BitsLab specializes in infrastructure development and security audits for emerging ecosystems, covering ecosystems such as Sui, Aptos, TON, Linea, BNB Chain, Soneium, Starknet, Movement, Monad, Internet Computer, and Solana. Additionally, BitsLab demonstrates deep expertise in auditing multiple programming languages, including Circom, Halo2, Move, Cairo, Tact, FunC, Vyper, Rust, and Solidity.
The BitsLab team brings together top-tier vulnerability researchers who have won multiple international CTF awards and discovered critical vulnerabilities in well-known projects such as TON, Aptos, Sui, Nervos, OKX, and Cosmos.
Visit the BitsLab official website: https://bitslab.xyz/
Follow BitsLab and its sub-brands on X:
BitsLab: https://x.com/0xbitslab
MoveBit: https://x.com/MoveBit_
ScaleBit: https://x.com/scalebit_
TonBit: https://x.com/tonbit_
Join the official BitsLab Telegram community: https://t.me/BitsLabHQ
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














