ton-society / grants-and-bounties

TON Foundation invites talent to imagine and realize projects that have the potential to integrate with the daily lives of users.
https://ton.org/grants

TonKeeper wallet and Telegram exploits #707

Closed shyguygang closed 2 months ago

shyguygang commented 4 months ago

Summary

I have had issues collecting all kinds of coins. At one point my wallet had $7000 in it, and then a few minutes later it didn't. I am required to pay 0.1 TON to check in, but I keep getting it back? I am farming gems on just about everything, so I'm not sure if any or most of those connections have been compromised. I can't bridge; any time I do, the transaction is burnt. I'm sure there's even more that I don't know about. There's no Notcoin pool to farm right now?

Context

This is made possible by tools, so in relation to each of these symptoms, something must be done to the tools to prevent this from happening to anyone else.

References

Tonkeeper wallet, Telegram wallet, Blum, Bithoven, TonMoneyBox, Place, tapswap

I'm doing everything there is.

Estimate suggested reward

Realistically, $50,000 or higher. This is my personal information we're talking about, and if I had any funds in this wallet they'd be removed. This is a serious flaw in design and code. The blockchain transaction history was rolled back. That cannot happen to anyone else.

Gusarich commented 4 months ago

You either confirmed a malicious transaction request, or entered the seed phrase somewhere apart from your wallet app.

shyguygang commented 4 months ago

> You either confirmed a malicious transaction request, or entered the seed phrase somewhere apart from your wallet app.

I am going to have to politely disagree with you there. I back up my wallet keys and keep them in a secure folder. I know which transactions are mine and which aren't. I haven't knowingly given my information to anyone else so they can utilize it, so there has to be another explanation. I think that warrants investigation.

delovoyhomie commented 2 months ago

> I know which transactions are mine and which aren't. I haven't knowingly given my information to anyone else so they can utilize it, so there has to be another explanation. I think that warrants investigation.

It's possible that you have made a large number of TON Connect connections with various applications, and some of them may have been malicious, sending transaction signing requests that you approved without fully verifying the transaction details.

> There's no Notcoin pool to farm right now?

As for this matter, there are several liquidity pools available for the NOT/TON and NOT/USDT pairs.
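The failure mode delovoyhomie describes above is a TON Connect `sendTransaction` request whose contents the user approves without reading: the dApp asked for a 0.1 TON "check-in" but the request carries a second message that moves the rest of the balance elsewhere. The wallet prompt shows every message, so the defence is to count the messages, sum the amounts and check each destination before signing. The script below is an added example written for this thread, not code from ton-society, Tonkeeper or the TON Connect project. It assumes the request shape from the TON Connect spec (`valid_until` in unix seconds; `messages[]` with `address`, `amount` as a nanoton decimal string, optional base64 `payload` and `stateInit`); the addresses and both requests are constructed placeholders, and the cap of 1 TON per signature is an assumed policy.

```python
"""Pre-signing triage of a TON Connect `sendTransaction` request.

Added example for this thread; not code from ton-society, Tonkeeper or the
TON Connect project. Assumed request shape (from the TON Connect spec):
  {"valid_until": <unix seconds>, "messages": [
      {"address": str, "amount": "<nanotons as decimal string>",
       "payload": "<base64 BOC, optional>", "stateInit": "<base64 BOC, optional>"}]}
The addresses and requests below are constructed placeholders, not real accounts.
"""
import json
import time

NANOTON = 10 ** 9  # 1 TON = 1e9 nanotons

# Constructed: the address the user expects a 0.1 TON "check-in" to go to.
CHECKIN_CONTRACT = "EQ_checkin_contract_placeholder_address"
# Constructed: an address the user has never seen before.
UNKNOWN_WALLET = "UQ_unknown_wallet_placeholder_address"

# Constructed request 1: what a 0.1 TON check-in should look like.
BENIGN_REQUEST = json.dumps({
    "valid_until": 4102444800,
    "messages": [{"address": CHECKIN_CONTRACT, "amount": "100000000"}],
})

# Constructed request 2: the same 0.1 TON check-in plus a second message that
# moves the rest of the balance to an unknown wallet. The wallet shows both
# messages in the approval prompt; a user who only reads the first signs both.
DRAINING_REQUEST = json.dumps({
    "valid_until": 4102444800,
    "messages": [
        {"address": CHECKIN_CONTRACT, "amount": "100000000"},
        {"address": UNKNOWN_WALLET, "amount": "6900000000000",
         "payload": "te6ccgEBAQEAAgAAAA=="},
    ],
})


def triage_send_transaction(raw, trusted_addresses, max_ton=1.0, now=None):
    """Return {"message_count", "total_ton", "flags", "approve"} for a request.

    `flags` lists every reason a human should look twice; `approve` is True
    only when there are none. This is the check a user should do by hand on
    the wallet's confirmation screen: count the messages, sum the amounts,
    and verify each destination.
    """
    req = json.loads(raw)
    now = int(time.time()) if now is None else now
    flags = []

    valid_until = int(req.get("valid_until", 0))
    if valid_until and valid_until < now:
        flags.append("valid_until is in the past; the wallet must reject this")

    messages = req.get("messages") or []
    if not messages:
        flags.append("no messages in request")

    total_nano = 0
    for i, msg in enumerate(messages):
        try:
            amount = int(msg["amount"])
        except (KeyError, TypeError, ValueError):
            flags.append(f"message {i}: amount missing or not a decimal string")
            continue
        if amount < 0:
            flags.append(f"message {i}: negative amount")
        total_nano += amount

        address = msg.get("address", "")
        if address not in trusted_addresses:
            flags.append(f"message {i}: {amount / NANOTON:g} TON to untrusted address {address}")
        if msg.get("payload"):
            # A payload is a contract call (jetton/NFT transfer, etc.), not a plain send.
            flags.append(f"message {i}: carries a payload (contract call), inspect it")
        if msg.get("stateInit"):
            flags.append(f"message {i}: carries stateInit (deploys code)")

    total_ton = total_nano / NANOTON
    if total_ton > max_ton:
        flags.append(f"total {total_ton:g} TON exceeds per-signature cap of {max_ton:g} TON")

    return {
        "message_count": len(messages),
        "total_ton": total_ton,
        "flags": flags,
        "approve": not flags,
    }


if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_REQUEST), ("draining", DRAINING_REQUEST)):
        result = triage_send_transaction(raw, {CHECKIN_CONTRACT})
        print(name, "approve" if result["approve"] else "REFUSE", result["flags"])
```

Run stand-alone, the benign request passes and the draining request is refused on three counts: an untrusted destination, a non-empty payload, and a total far above the per-signature cap. The same three questions (where, how much in total, and is it a plain transfer or a contract call) are what to answer in the wallet prompt for every connected dApp, not just the one that looks like it is asking for 0.1 TON.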