HelpBlogCommunity🍌 PromptsNEWRulesWorkflowsAgent SkillsMCPsAdvertise
ENEnglishESEspañolZH中文JA日本語DEDeutschPTPortuguêsRUРусский
Back to Security & Vulnerability Analysis

ton-vulnerability-scanner

TONFunCsmart contractsblockchain securityvulnerability scannercode auditJettondApp security
5.7k📄 CC-BY-SA-4.0🕒 2026-06-15Source ↗

Install this skill

npx skills add trailofbits/skills

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

The TON vulnerability scanner provides automated static analysis for smart contracts written in FunC or Tact. Because TON architecture uses an asynchronous message-passing model, standard EVM-based security practices are often insufficient. This agent inspects contract source files to identify common pitfalls inherent to the TON Virtual Machine, such as incorrect gas management during cross-contract calls, failures in sender address verification, and improper implementation of Jetton token notification handlers. By scanning for these specific FunC patterns, the tool helps developers catch critical bugs like replay attacks, integer overflows, and potential contract drainage issues before deployment. It serves as a specialized audit layer that evaluates message flow logic, storage layout validation, and gas forwarding parameters against known TON security standards to ensure contract integrity in the asynchronous ecosystem.

When to Use This Skill

  • Auditing custom Jetton token contracts before mainnet launch
  • Reviewing cross-contract interaction logic for gas drainage vulnerabilities
  • Verifying security implementation in FunC-based staking or DeFi protocols
  • Checking new contract code for basic replay protection omissions

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

  • Audit my TON smart contract for security flaws
  • Check my FunC contract for potential vulnerabilities
  • Run a vulnerability scan on the contracts in this project
  • Analyze my Jetton token implementation for missing sender checks
  • Does my TON contract have any gas handling issues?

Pro Tips

  • 💡Combine with manual code reviews for a holistic security assessment, as automated tools might miss subtle logic flaws.
  • 💡Prioritize fixing vulnerabilities flagged by this scanner before any mainnet deployment, especially those related to asset handling.
  • 💡Integrate this scanning step into your CI/CD pipeline for continuous security checks on your FunC codebase.

What this skill does

  • Identifies missing sender validation in transfer_notification handlers
  • Detects unchecked arithmetic risks specific to FunC
  • Audits gas reservation logic for outgoing messages
  • Validates correct usage of boolean logic operators (~, &, |)
  • Analyzes message parsing structures for potential serialization errors

When not to use it

  • When auditing contracts written in languages outside the TON ecosystem
  • For performing deep, formal verification proofs of complex economic models
  • When you require a full-scale professional audit for regulatory compliance

Example workflow

  1. Detect the FunC contract structure within the active project directory
  2. Parse the code to locate entry points like recv_internal and recv_external
  3. Execute pattern matching against known TON-specific vulnerability signatures
  4. Evaluate message handlers for proper sender and value verification
  5. Generate a summary report detailing the file location and severity of each finding
  6. Propose specific code adjustments to remediate identified security risks

Prerequisites

  • A project initialized with TON Blueprint or toncli
  • Source code available in .fc, .func, or .tact files

Pitfalls & limitations

  • !Cannot replace a full manual security audit by specialized blockchain engineers
  • !May produce false positives on non-standard, custom contract patterns
  • !Limited effectiveness if the contract logic relies heavily on complex off-chain interaction

FAQ

Does this tool support Tact contracts?
Yes, it supports analyzing both FunC and Tact files, focusing on platform-specific security patterns.
Can this scanner automatically fix the bugs it finds?
It provides targeted code suggestions and remediation strategies, though manual verification of the suggested fixes is required.
What is the most critical pattern this tool checks?
It prioritizes checking for missing sender address validation, which is a frequent cause of unauthorized operation exploits on TON.

How it compares

Unlike general-purpose static analysis tools that look for generic code smells, this scanner is specifically tuned to the unique asynchronous message architecture and FunC-specific gas management of the TON blockchain.

Source & trust

5.7k stars📄 CC-BY-SA-4.0🕒 Updated 2026-06-15
📄 Full skill instructions — original source: trailofbits/skills
# TON Vulnerability Scanner

## 1. Purpose

Systematically scan TON blockchain smart contracts written in FunC for platform-specific security vulnerabilities related to boolean logic, Jetton token handling, and gas management. This skill encodes 3 critical vulnerability patterns unique to TON's architecture.

## 2. When to Use This Skill

- Auditing TON smart contracts (FunC language)
- Reviewing Jetton token implementations
- Validating token transfer notification handlers
- Pre-launch security assessment of TON dApps
- Reviewing gas forwarding logic
- Assessing boolean condition handling

## 3. Platform Detection

### File Extensions & Indicators
- **FunC files**: .fc, .func

### Language/Framework Markers
;; FunC contract indicators
#include "imports/stdlib.fc";

() recv_internal(int my_balance, int msg_value, cell in_msg_full, slice in_msg_body) impure {
    ;; Contract logic
}

() recv_external(slice in_msg) impure {
    ;; External message handler
}

;; Common patterns
send_raw_message()
load_uint(), load_msg_addr(), load_coins()
begin_cell(), end_cell(), store_*()
transfer_notification operation
op::transfer, op::transfer_notification
.store_uint().store_slice().store_coins()


### Project Structure
- contracts/*.fc - FunC contract source
- wrappers/*.ts - TypeScript wrappers
- tests/*.spec.ts - Contract tests
- ton.config.ts or wasm.config.ts - TON project config

### Tool Support
- **TON Blueprint**: Development framework for TON
- **toncli**: CLI tool for TON contracts
- **ton-compiler**: FunC compiler
- Manual review primarily (limited automated tools)

---

## 4. How This Skill Works

When invoked, I will:

1. **Search your codebase** for FunC/Tact contracts
2. **Analyze each contract** for the 3 vulnerability patterns
3. **Report findings** with file references and severity
4. **Provide fixes** for each identified issue
5. **Check replay protection** and sender validation

---

## 5. Example Output

When vulnerabilities are found, you'll get a report like this:

=== TON VULNERABILITY SCAN RESULTS ===

Project: my-ton-contract
Files Scanned: 3 (.fc, .tact)
Vulnerabilities Found: 2

---

[CRITICAL] Missing Replay Protection
File: contracts/wallet.fc:45
Pattern: No sequence number or nonce validation


---

## 5. Vulnerability Patterns (3 Patterns)

I check for 3 critical vulnerability patterns unique to TON. For detailed detection patterns, code examples, mitigations, and testing strategies, see [VULNERABILITY_PATTERNS.md](resources/VULNERABILITY_PATTERNS.md).

### Pattern Summary:

1. **Missing Sender Check** ⚠️ CRITICAL - No sender validation on privileged operations
2. **Integer Overflow** ⚠️ CRITICAL - Unchecked arithmetic in FunC
3. **Improper Gas Handling** ⚠️ HIGH - Insufficient gas reservations

For complete vulnerability patterns with code examples, see [VULNERABILITY_PATTERNS.md](resources/VULNERABILITY_PATTERNS.md).
## 5. Scanning Workflow

### Step 1: Platform Identification
1. Verify FunC language (.fc or .func files)
2. Check for TON Blueprint or toncli project structure
3. Locate contract source files
4. Identify Jetton-related contracts

### Step 2: Boolean Logic Review
bash
# Find boolean-like variables
rg "int.*is_|int.*has_|int.*flag|int.*enabled" contracts/

# Check for positive integers used as booleans
rg "= 1;|return 1;" contracts/ | grep -E "is_|has_|flag|enabled|valid"

# Look for NOT operations on boolean-like values
rg "~.*\(|~ " contracts/
For each boolean:
- [ ] Uses -1 for true, 0 for false
- [ ] NOT using 1 or other positive integers
- [ ] Logic operations work correctly

### Step 3: Jetton Handler Analysis
bash
# Find transfer_notification handlers
rg "transfer_notification|op::transfer_notification" contracts/
For each Jetton handler:
- [ ] Validates sender address
- [ ] Sender checked against stored Jetton wallet address
- [ ] Cannot trust forward_payload without sender validation
- [ ] Has admin function to set Jetton wallet address

### Step 4: Gas/Forward Amount Review
bash
# Find forward amount usage
rg "forward_ton_amount|forward_amount" contracts/
rg "load_coins\(\)" contracts/

# Find send_raw_message calls
rg "send_raw_message" contracts/
For each outgoing message:
- [ ] Forward amounts are fixed/bounded
- [ ] OR user-provided amounts validated against msg_value
- [ ] Cannot drain contract balance
- [ ] Appropriate send_raw_message flags used

### Step 5: Manual Review
TON contracts require thorough manual review:
- Boolean logic with ~, &, | operators
- Message parsing and validation
- Gas economics and fee calculations
- Storage operations and data serialization

---

## 6. Reporting Format

### Finding Template
markdown
## [CRITICAL] Fake Jetton Contract - Missing Sender Validation

**Location**: contracts/staking.fc:85-95 (recv_internal, transfer_notification handler)

**Description**:
The transfer_notification operation handler does not validate that the sender is the expected Jetton wallet contract. Any attacker can send a fake transfer_notification message claiming to have transferred tokens, crediting themselves without actually depositing any Jettons.

**Vulnerable Code**:
// staking.fc, line 85
if (op == op::transfer_notification) {
    int jetton_amount = in_msg_body~load_coins();
    slice from_user = in_msg_body~load_msg_addr();

    ;; WRONG: No validation of sender_address!
    ;; Attacker can claim any jetton_amount

    credit_user(from_user, jetton_amount);
}


**Attack Scenario**:
1. Attacker deploys malicious contract
2. Malicious contract sends transfer_notification message to staking contract
3. Message claims attacker transferred 1,000,000 Jettons
4. Staking contract credits attacker without checking sender
5. Attacker can now withdraw from contract or gain benefits without depositing

**Proof of Concept**:
// Attacker sends fake transfer_notification
const attackerContract = await blockchain.treasury("attacker");

await stakingContract.sendInternalMessage(attackerContract.getSender(), {
  op: OP_CODES.TRANSFER_NOTIFICATION,
  jettonAmount: toNano("1000000"), // Fake amount
  fromUser: attackerContract.address,
});

// Attacker successfully credited without sending real Jettons
const balance = await stakingContract.getUserBalance(attackerContract.address);
expect(balance).toEqual(toNano("1000000")); // Attack succeeded


**Recommendation**:
Store expected Jetton wallet address and validate sender:
global slice jetton_wallet_address;

() recv_internal(...) impure {
    load_data();  ;; Load jetton_wallet_address from storage

    slice cs = in_msg_full.begin_parse();
    int flags = cs~load_uint(4);
    slice sender_address = cs~load_msg_addr();

    int op = in_msg_body~load_uint(32);

    if (op == op::transfer_notification) {
        ;; CRITICAL: Validate sender
        throw_unless(error::wrong_jetton_wallet,
            equal_slices(sender_address, jetton_wallet_address));

        int jetton_amount = in_msg_body~load_coins();
        slice from_user = in_msg_body~load_msg_addr();

        ;; Safe to credit user
        credit_user(from_user, jetton_amount);
    }
}


**References**:
- building-secure-contracts/not-so-smart-contracts/ton/fake_jetton_contract
---

## 7. Priority Guidelines

### Critical (Immediate Fix Required)
- Fake Jetton contract (unauthorized minting/crediting)

### High (Fix Before Launch)
- Integer as boolean (logic errors, broken conditions)
- Forward TON without gas check (balance drainage)

---

## 8. Testing Recommendations

### Unit Tests
typescript
import { Blockchain } from "@ton/sandbox";
import { toNano } from "ton-core";

describe("Security tests", () => {
let blockchain: Blockchain;
let contract: Contract;

beforeEach(async () => {
blockchain = await Blockchain.create();
contract = blockchain.openContract(await Contract.fromInit());
});

it("should use correct boolean values", async () => {
// Test that TRUE = -1, FALSE = 0
const result = await contract.getFlag();
expect(result).toEqual(-1n); // True
expect(result).not.toEqual(1n); // Not 1!
});

it("should reject fake jetton transfer", async () => {
const attacker = await blockchain.treasury("attacker");

const result = await contract.send(
attacker.getSender(),
{ value: toNano("0.05") },
{
$$type: "TransferNotification",
query_id: 0n,
amount: toNano("1000"),
from: attacker.address,
}
);

expect(result.transactions).toHaveTransaction({
success: false, // Should reject
});
});

it("should validate gas for forward amount", async () => {
const result = await contract.send(
user.getSender(),
{ value: toNano("0.01") }, // Insufficient gas
{
$$type: "Transfer",
to: recipient.address,
forward_ton_amount: toNano("1"), // Trying to forward 1 TON
}
);

expect(result.transactions).toHaveTransaction({
success: false,
});
});
});
### Integration Tests
typescript
// Test with real Jetton wallet
it("should accept transfer from real jetton wallet", async () => {
// Deploy actual Jetton minter and wallet
const jettonMinter = await blockchain.openContract(JettonMinter.create());
const userJettonWallet = await jettonMinter.getWalletAddress(user.address);

// Set jetton wallet in contract
await contract.setJettonWallet(userJettonWallet);

// Real transfer from Jetton wallet
const result = await userJettonWallet.sendTransfer(
user.getSender(),
contract.address,
toNano("100"),
{}
);

expect(result.transactions).toHaveTransaction({
to: contract.address,
success: true,
});
});
``

---

## 9. Additional Resources

- **Building Secure Contracts**: building-secure-contracts/not-so-smart-contracts/ton/
- **TON Documentation**: https://docs.ton.org/
- **FunC Documentation**: https://docs.ton.org/develop/func/overview
- **TON Blueprint**: https://github.com/ton-org/blueprint
- **Jetton Standard**: https://github.com/ton-blockchain/TEPs/blob/master/text/0074-jettons-standard.md

---

## 10. Quick Reference Checklist

Before completing TON contract audit:

**Boolean Logic (HIGH)**:
- [ ] All boolean values use -1 (true) and 0 (false)
- [ ] NO positive integers (1, 2, etc.) used as booleans
- [ ] Functions returning booleans return -1 for true
- [ ] Boolean logic with ~, &, | uses correct values
- [ ] Tests verify boolean operations work correctly

**Jetton Security (CRITICAL)**:
- [ ] transfer_notification handler validates sender address
- [ ] Sender checked against stored Jetton wallet address
- [ ] Jetton wallet address stored during initialization
- [ ] Admin function to set/update Jetton wallet
- [ ] Cannot trust forward_payload without sender validation
- [ ] Tests with fake Jetton contracts verify rejection

**Gas & Forward Amounts (HIGH)**:
- [ ] Forward TON amounts are fixed/bounded
- [ ] OR user-provided amounts validated: msg_value >= tx_fee + forward_amount
- [ ] Contract balance protected from drainage
- [ ] Appropriate send_raw_message` flags used
- [ ] Tests verify cannot drain contract with excessive forward amounts

**Testing**:
- [ ] Unit tests for all three vulnerability types
- [ ] Integration tests with real Jetton contracts
- [ ] Gas cost analysis for all operations
- [ ] Testnet deployment before mainnet

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

  1. Click "Download" above
  2. In your project, create the directory: .agent/skills/ton-vulnerability-scanner/
  3. Save the file as SKILL.md
  4. The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

  • Claude Code: ~/.claude/skills/trailofbits/skills/ton-vulnerability-scanner/SKILL.md
  • Cursor: ~/.cursor/skills/trailofbits/skills/ton-vulnerability-scanner/SKILL.md
  • Antigravity: ~/.gemini/antigravity/skills/trailofbits/skills/ton-vulnerability-scanner/SKILL.md

🚀 Install with CLI:
npx skills add trailofbits/skills

Read the Master Guide: Mastering Agent Skills

Recommended Rules

View more rules

Next.js Middleware & Edge Functions Expert

Next.jsMiddlewareEdge Functions
You are an expert in Next.js Middleware and Edge Functions. Key Principles: - Use middleware for request/response manipulation - Run logic before req...

Azure Functions & Serverless

AzureFunctionsServerless
You are an expert in Azure Functions and the Azure serverless ecosystem. Key Principles: - Event-driven architecture - Bindings for declarative conne...

Google Cloud Serverless (Run & Functions)

GCPCloud RunCloud Functions
You are an expert in Google Cloud Platform's serverless offerings: Cloud Run and Cloud Functions. Key Principles: - Scale to zero - Container-based (...

Recommended Workflows

View more workflows

Setup Preview Deployments

CI/CDGitHub ActionsDeployment
--- description: Auto-deploy PRs --- 1. **Create GitHub Action**: ```yaml name: Preview on: pull_request: types: [opened, synchr...

Implement Blue-Green Deployment

DeploymentDevOpsZero-Downtime
--- description: Zero-downtime deploys --- 1. **Setup Two Environments**: - Blue: Current (v1.0) - Green: New (v1.1) 2. **Route Traffic Gradua...

React Performance Profiling

ReactPerformanceDebugging
--- description: Identify slow components using React Profiler --- 1. **Install DevTools**: - Install React Developer Tools extension for Chrome/F...

Recommended MCP Servers

View more MCP servers
AgentRPC

AgentRPC

Official

Connect to any function, any language, across network boundaries using [AgentRPC](https://www.agentrpc.com/).

Atono

Atono

Official

Modern product teams connect their AI assistant to Atono to create and update stories, bugs, assignments and fixes.

CloudBase

CloudBase

Official

One-stop backend services for WeChat Mini-Programs and full-stack apps with serverless cloud functions and databases by [Tencent CloudBase](https://tcb.cloud.tencent.com/)

Take It Further

Maximize your productivity with these powerful resources

📋

Define Your Standards

Set up coding standards to ensure this workflow produces consistent, high-quality results.

Browse Rules Library
📖

Master Workflows

Learn how to create custom workflows, use Turbo Mode, and build your automation library.

Complete Guide

How to use this Skill in Claude Code & Cursor

For Claude Code (CLI)

To use this skill in Claude Code, copy the rule content into your project's custom instructions or follow our Add-Skill CLI guide. This ensures Claude follows your standards during every code generation.

For Cursor & Windsurf

For Cursor or Windsurf, individual skills are best used in the "Rules for AI" section. This specific unit helps the agent avoid security & vulnerability analysis issues, leading to cleaner, more efficient code.

Why the skill format matters: the standardized Agent Skills format lets your AI agent load detailed instructions only when they are relevant, keeping your prompt clean while improving results.

Source & attribution

This skill is categorized under Security & Vulnerability Analysis and is published by Trail of Bits, maintained in trailofbits/skills.

← Browse All Agent Skills
Sponsored AI assistant. Recommendations may be paid.