The Open Network (TON), designed to support Telegram's extensive user base of hundreds of millions, has garnered considerable attention since its launch in 2022. FunC is the most popular programming language for writing smart contracts on TON. It is distinguished by a unique syntax compared to other smart contract languages. Despite growing interest, research on the practical defects of TON smart contracts is still in its early stages. In this paper, we summarize eight smart contract defects identified from TON's official blogs and audit reports, each with detailed definitions and code examples. Furthermore, we propose a static analysis framework called TONScanner to facilitate the detection of these defects. Specifically, TONScanner reuses the FunC compiler's frontend code to transform FunC source code into the FunC intermediate representation (IR), which takes the form of a directed acyclic graph (DAG). Based on this IR, TONScanner constructs a control flow graph (CFG), then transforms it into static single assignment (SSA) form to simplify further analysis. TONScanner also integrates Data Dependency, Call Graph, Taint Analysis, and Cell Construct, which are specifically tailored for the TON blockchain's unique data structures. Together, these components facilitate the identification of the eight defects. We evaluate the effectiveness of TONScanner by applying it to 1,640 smart contracts and find a total of 14,995 defects. Through random sampling and manual labeling, we find that TONScanner achieves an overall precision of 97.49%. The results reveal that current TON contracts contain numerous defects, indicating that developers are prone to making errors. TONScanner has proven its ability to accurately identify these defects, thereby aiding in their correction.