New Scam Alert on TON: Everything You Need to Know


Cryptocurrency exchanges face a constant battle to stay ahead of evolving security threats, and the TON bounce scam is one of the latest challenges targeting blockchain transaction mechanics. This sophisticated scam exploits vulnerabilities in how exchanges process deposits on the TON network, using a clever “double-spend” or “bounce” tactic to manipulate account balances.

In this blog, we’ll dive into the inner workings of the TON bounce scam, exploring how it operates, why it’s effective, and—most importantly—what measures exchanges can implement to safeguard against this emerging threat. Read on to uncover the details and learn how to protect your platform and users.

Mechanics of the Scam

  1. Initiating the Transaction

The scammer sends a deposit of 1 TON (or a similar token) from their own address (the red box in the diagram) to the exchange's deposit address (the green box).

  2. Creating the Bounce Effect

The TON blockchain supports a "bounce" feature where a transaction that cannot be fully processed (e.g., due to lack of funds or smart contract restrictions) will return the tokens to the sender.

This results in two parts to the transaction:

  • Outgoing Transaction (Scammer → Exchange): The exchange detects this part as a deposit.
  • Bounce Back (Exchange → Scammer): The TON blockchain mechanism sends the tokens back to the scammer's wallet.


These kinds of transactions can be identified via the ‘bounce:true’ parameter in the transaction details.

  3. Exploiting Exchange Logic

If the exchange's wallet system fails to recognize the second part of the transaction (the bounce), it will assume the deposit was successful and credit the scammer's account.

The scammer then immediately withdraws the credited funds from the exchange before the error is detected.

  4. End Result

The scammer's wallet balance remains the same (because the funds bounced back), but they gain additional funds credited by the exchange, effectively stealing assets.

This is what an account that has engaged in such a scam before looks like:

https://tonviewer.com/EQCWXzcOaG__xbHttae18kLzAHxIRVe-XF1bLbfAZ1n1gY_d
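To make the failure mode in steps 1 to 4 concrete, here is an added example (not CoinsDo's code) that runs a naive deposit detector and a hardened one over two constructed transaction records. The record shape is an assumption loosely modelled on what a TON indexer returns for one transaction on a deposit address: the inbound internal message, any outbound messages, and the compute-phase result. The addresses are placeholders. Note that the inbound message's `bounce` flag only marks it as bounceable (most wallet transfers set it); the evidence that a bounce actually happened is the failed processing on the receiving transaction and the outbound refund message carrying `bounced: true`.

```python
# Added example (not CoinsDo's code): a naive TON deposit detector beside a
# hardened one, run over two constructed transaction records.
from dataclasses import dataclass, field
from typing import List

NANO = 10**9  # 1 TON = 1e9 nanotons


@dataclass
class Message:
    src: str
    dest: str
    value: int              # nanotons carried by the message
    bounce: bool = False    # sender marked the message bounceable
    bounced: bool = False   # this message *is* the chain's refund of a failed one


@dataclass
class Transaction:
    """One transaction on the exchange's deposit address (shape is an
    assumption loosely modelled on indexer output, not a real SDK type)."""
    account: str
    in_msg: Message
    out_msgs: List[Message] = field(default_factory=list)
    compute_success: bool = True   # compute phase finished with exit code 0
    aborted: bool = False          # transaction aborted, value not kept


DEPOSIT_ADDR = "EQ_EXCHANGE_DEPOSIT_PLACEHOLDER"   # placeholder, not a real address
SENDER = "EQ_SENDER_PLACEHOLDER"                   # placeholder, not a real address
BOUNCE_FEE = 1_000_000  # constructed: fees the chain deducts from the refund

# Constructed: an honest 1 TON deposit that the deposit address kept.
honest_tx = Transaction(
    account=DEPOSIT_ADDR,
    in_msg=Message(SENDER, DEPOSIT_ADDR, 1 * NANO, bounce=True),
)

# Constructed: the same inbound message, but processing failed and the chain
# generated a bounced refund back to the sender (the "Bounce Back" leg).
bounced_tx = Transaction(
    account=DEPOSIT_ADDR,
    in_msg=Message(SENDER, DEPOSIT_ADDR, 1 * NANO, bounce=True),
    out_msgs=[Message(DEPOSIT_ADDR, SENDER, 1 * NANO - BOUNCE_FEE, bounced=True)],
    compute_success=False,
    aborted=True,
)


def naive_credit(tx: Transaction) -> int:
    """Vulnerable logic: credit the inbound value as soon as it targets us.
    This is the behaviour the scam relies on."""
    if tx.in_msg.dest == DEPOSIT_ADDR:
        return tx.in_msg.value
    return 0


def refund_issued(tx: Transaction) -> bool:
    """True if this transaction emitted a bounced message back to the sender."""
    return any(m.bounced and m.dest == tx.in_msg.src for m in tx.out_msgs)


def hardened_credit(tx: Transaction) -> int:
    """Credit only when the value actually stayed on the deposit address."""
    if tx.in_msg.dest != DEPOSIT_ADDR:
        return 0
    if tx.aborted or not tx.compute_success:
        return 0              # failed processing never counts as a deposit
    if refund_issued(tx):
        return 0              # the chain already sent the value back
    return tx.in_msg.value


def creditable_total(txs: List[Transaction]) -> dict:
    """Compare what each policy would credit for a batch of transactions."""
    return {
        "naive": sum(naive_credit(t) for t in txs),
        "hardened": sum(hardened_credit(t) for t in txs),
    }


if __name__ == "__main__":
    print(creditable_total([honest_tx, bounced_tx]))
```

The naive policy credits 2 TON for the batch, the hardened one 1 TON: the bounced transaction is rejected on two independent grounds (failed compute phase and an outbound `bounced` refund), so a detector that only inspects one of them still catches it.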

Mitigation Strategies for Exchanges

  1. Pre-Post Balance Verification

Ensure the exchange monitors both outgoing and incoming transaction statuses on the blockchain, including potential reversals or bounces.

  2. Smart Contract Validation

Employ stricter validation rules to confirm that a deposit remains on the blockchain and has not been reversed.

  3. Delayed Credits

Implement a short delay before crediting user accounts to confirm transaction finality, especially on blockchains with unique behaviors like TON.

  4. Auditing Deposit Logic

Regularly review deposit-handling code to identify potential exploits, particularly for newer blockchains or unique transaction mechanisms.
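Mitigations 1 and 3 combine naturally: hold every observed deposit for a confirmation window, then credit it only if the deposit address's balance actually rose by the claimed amount. The following added example (not CoinsDo's code) implements that pending-deposit queue against a simulated chain. `ChainView` is a constructed stand-in for whatever node or indexer client the exchange uses, its method names are assumptions, and the balance snapshots and addresses are constructed placeholders. Because the check is balance-based, it catches a bounce even if the deposit parser never looked at the bounce flags at all.

```python
# Added example (not CoinsDo's code): delayed credits plus pre/post balance
# verification for deposits, run against a constructed chain view.
from dataclasses import dataclass
from typing import Dict, List, Tuple

NANO = 10**9
CONFIRMATION_BLOCKS = 3        # delay before a deposit may be credited
FEE_TOLERANCE = 10_000_000     # 0.01 TON of fees/storage accepted as shortfall


class ChainView:
    """Constructed stand-in for a chain client: balance snapshots per address,
    given as (block, balance) pairs in ascending block order."""

    def __init__(self, head: int, snapshots: Dict[str, List[Tuple[int, int]]]):
        self.head = head
        self.snapshots = snapshots

    def balance_at(self, address: str, block: int) -> int:
        """Balance as of `block`: the latest snapshot at or before it."""
        balance = 0
        for blk, bal in self.snapshots.get(address, []):
            if blk <= block:
                balance = bal
        return balance

    def advance(self, blocks: int) -> None:
        self.head += blocks


@dataclass
class PendingDeposit:
    txid: str
    account: str          # exchange deposit address the user sent to
    amount: int           # nanotons the inbound message claimed
    seen_at: int          # block in which the deposit was observed
    balance_before: int   # deposit address balance just before that block


class DepositLedger:
    def __init__(self, chain: ChainView):
        self.chain = chain
        self.pending: List[PendingDeposit] = []
        self.credited: Dict[str, int] = {}    # txid -> credited amount
        self.rejected: List[str] = []

    def observe(self, txid: str, account: str, amount: int, block: int) -> None:
        """Record the deposit but credit nothing yet (Delayed Credits)."""
        before = self.chain.balance_at(account, block - 1)
        self.pending.append(PendingDeposit(txid, account, amount, block, before))

    def settle(self) -> None:
        """Credit deposits whose window has passed and whose balance delta
        holds (Pre-Post Balance Verification); reject the rest."""
        still_pending = []
        for p in self.pending:
            if self.chain.head - p.seen_at < CONFIRMATION_BLOCKS:
                still_pending.append(p)
                continue
            after = self.chain.balance_at(p.account, self.chain.head)
            delta = after - p.balance_before
            if delta >= p.amount - FEE_TOLERANCE:
                self.credited[p.txid] = p.amount
            else:
                # value did not stay on the address: bounced or reversed
                self.rejected.append(p.txid)
        self.pending = still_pending


# Constructed placeholders, not real addresses.
A = "EQ_DEPOSIT_A_PLACEHOLDER"
B = "EQ_DEPOSIT_B_PLACEHOLDER"


def build_chain() -> ChainView:
    """Constructed chain: A keeps a 1 TON deposit at block 100; B receives the
    same 1 TON but the chain bounces it back, leaving B slightly poorer."""
    return ChainView(head=100, snapshots={
        A: [(0, 5 * NANO), (100, 6 * NANO)],
        B: [(0, 5 * NANO), (100, 5 * NANO - 200_000)],
    })


def run_demo():
    chain = build_chain()
    ledger = DepositLedger(chain)
    ledger.observe("tx-A", A, 1 * NANO, block=100)
    ledger.observe("tx-B", B, 1 * NANO, block=100)
    ledger.settle()                      # window not reached: nothing credited
    early = dict(ledger.credited)
    chain.advance(CONFIRMATION_BLOCKS)
    ledger.settle()                      # window passed: reconcile balances
    return early, dict(ledger.credited), list(ledger.rejected)


if __name__ == "__main__":
    print(run_demo())
```

The check is per deposit, so it assumes one pending deposit per address inside the window; if several can land on one address at once, reconcile the sum of their amounts against the address's delta instead. `FEE_TOLERANCE` absorbs storage and forwarding fees; set it well below the smallest deposit you accept so a bounce can never hide inside it.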

Final Thoughts

By implementing the steps above, exchanges can significantly mitigate the risk of TON bounce scams. This method is efficient, secure, and adaptable to other potential network-specific quirks. Remember, there are a lot of people with bad intentions out there, so stay safe and take care!

CoinsDo Team


business@coinsdo.com