⚫️ Recently, Ethereum developer Zach Cole shared how cryptocurrency was stolen from one of his wallets. He’s been in the crypto space for 10 years and is highly security-minded, yet still missed a threat. This case, featured in our #antiscam section, is most relevant to developers — though the final point applies to everyone.

⚫️ One of Zach’s wallets was suddenly drained. Investigating, he found the cause: while developing smart contracts, he had used this wallet and stored a .env configuration file containing its access credentials alongside his project code. He never shared this file with anyone.

⚫️ Three days before the theft, he installed a Visual Studio Code extension called contractshark.solidity-lang. It didn’t raise any red flags — it already had over 50,000 installs — but it turned out to be malicious. Because a code editor (and its extensions) can access all project files, the extension took the .env file’s contents and sent them to its creators.

⚫️ Zach keeps his main funds in a hardware wallet, so only his development wallet was affected — but it still held hundreds of dollars. His takeaway: never store wallet private keys directly in a project, under any circumstances.

⚫️ Another lesson: instead of judging an extension by download count, check its publication date. Download numbers can be faked; publication dates cannot. In this case, the extension had been released just a few days earlier.

⚫️ The rule “never store any wallet credentials in a project” might sound extreme — for example, if you have a wallet for testing purposes containing only a couple of Toncoins, is it worth worrying about? But in any case, remember:

💡 If a wallet’s private key is stored in your project, it’s a potential leak source. Even temporarily (“we’ll test and delete it later”), even without malicious extensions — leaks happen. For example, a beginner might accidentally push the project to a public repository, forgetting it contains their seed phrase.

💡 Extensions for popular apps can be malicious. Google Chrome and Visual Studio Code themselves are reputable and unlikely to rob you, but extensions are made by anyone — and malicious ones can slip through. Treat them with caution.

@thedailyton

⌨️ The Weekly TON: Highlights of the week

🔥 Verb Technology became the first company to hold a strategic reserve of Toncoin, raising $588M through a private share. Pavel Durov commented on the event, noting that VERB achieved unicorn status just on its first day of trading.

⚫️ We unpacked the story behind the +999 numbers and also covered the new project DegenPhone, which on Thursday successfully closed its first launchpool, raising 106,000 TON in just 30 minutes after the sale began.

There were, however, some communication issues: the guaranteed NFT price of 50 TON applied not to all participants but only to the first 10,000 TON in the pool — something many users learned only after sales had closed.

⚫️ The TON Core team showcased their UX improvements using transfers in MyTonWallet as an example. We explain how optimistic interfaces work and why making a blockchain transaction is more complicated than liking a post on X.

⚫️ The "antiscam" section is back after a break! In the new post, we analyze a technique known as address poisoning. Read about how you could accidentally send funds to a scammer's address and what you should do to avoid such mistakes.

⚫️ Why should a user bring their money into your app? In the "opinion" section, we highlight a common problem among crypto project creators, who don’t always understand that their idea should not only generate revenue but also provide value.

🍌 The token from First Digital Group, which we featured last week in our stablecoin oweviev, has been completely withdrawn from TONCO exchange. In a separate post, we reflect on why FDUSD lasted only 10 days on TON Blockchain.

@thedailyton

⚫️ The liquidity of the FDUSD stablecoin from First Digital Group was completely withdrawn from the decentralized exchange TONCO, and the tokens themselves were burned, leaving 30 FDUSD holders unable to swap their funds (around $7,500) back.

As a result, less than 10 days passed from the token’s launch on TON on July 28 to the withdrawal of liquidity from the exchange on the morning of August 6.

⚫️ Apparently, First Digital Group wasn’t prepared for the fact that a token without clear value and additional incentive campaigns might attract little interest — especially against the backdrop of the popular USDt and yield-bearing USDe and tgUSD.

⚫️ Of course, there’s a slim chance FDUSD might still return to the ecosystem or that the team will at least launch an official bridge for withdrawals, but no statements have been made in the past three days.

⚫️ Last week, we compiled an overview of stablecoins precisely with FDUSD’s debut on TON. It now seems the token will join the ranks of jUSDT and AquaUSD, adding to the list of stablecoins whose time has already come to an end.

@thedailyton

🚀 The NFT phone number launchpool starts in just a few hours

⚫️ Quick reminder: DegenPhone provides virtual numbers that can be used (for receiving SMS and registering on various services) through a web app without KYC, as well as bought, sold, and traded as NFT on TON Blockchain.

⚫️ What’s changed in the past few days? In addition to the launchpool, the team is also holding a giveaway of 20 numbers. Half will go to users with the most referrals, while the other half will be randomly distributed among all participants.

⚫️ A new "Multiplier" has also appeared on the website — it starts at 100% but decreases as the pool fills. The details are shown in a table: the earlier a user deposits TON, the higher their final allocation will be.

What do you think — can an independent team recreate the success of the anonymous numbers?

@thedailyton

🍌 How scammers "poison addresses"

⚫️ The fraudulent technique of address poisoning, which originally appeared in other blockchains, has now reached TON. Therefore, in our #antiscam section, we will analyze what it is and how to protect yourself.

⚫️ The scheme is based on carelessness. When you often send funds to someone, you might copy the address from your transaction history, glancing only at the first and last characters. This is what scammers exploit.

⚫️ Here's how it works. They find an address to which money is often sent. Then they create their own wallet so that its address looks similar to the "real" one at the beginning and end. And then they send symbolic amounts from it to users who have sent funds to the real address.

⚫️ After that, the user's transaction history contains both the real address and the fake one. And the next time they want to send funds to a familiar address, they might mistakenly copy the fake one from the history — and the money will go to the scammers.

⚫️ In TON, it is more difficult to generate addresses than in some other networks. So, if you are sending $10 to a friend, it is unlikely that scammers will bother to fake their address. The main targets are the addresses of popular services like exchanges, where many users can send significant amounts.

💡 How to protect yourself? In general, the advice is obvious. If you want to copy an address from your transaction history, check it more carefully. And it's even better to refer to the official source instead of the transaction history or use the "repeat" button where it is available.

@thedailyton

⚫️ Two notable events happened recently. MyTonWallet released version 4.0 with “instant transfers,” and the TON Core team published an update on their UX work, citing these transfers as an example of a “new approach.” Let’s take a closer look: what exactly is this approach?

⚫️ In digital interfaces, users have always found it frustrating when they have to wait for an action to complete. Ideally, everything should feel instant. That’s why developers have always looked for ways to minimize — or eliminate — delays.

⚫️ But there are limits to how fast things can go. Imagine a user liking someone’s post in a browser. A request is sent to the server, the server updates the like counter, sends back the new number, the browser receives it and updates the UI. All of this takes time and cannot happen instantly.

⚫️ To address this, developers came up with “optimistic UI” — UIs that immediately show the operation as completed, even though it’s still in progress. For example, when a user likes a tweet on X, the like counter updates instantly, without waiting for the server response. This creates a sense of immediacy — but it comes with a risk: what if the server fails to process the request? The interface would have “lied,” showing the like was successful when, in fact, the tweet’s author will never see it.

⚫️ Similar challenges exist in TON. Users want instant transfers, but blocks are only produced every few seconds, creating a small but noticeable delay. How can this be bypassed? By displaying the transaction before it is fully finalized. This idea isn’t new to the ecosystem — some explorers already do this. But MyTonWallet has pushed it the furthest among TON wallets: incoming transfers are now displayed almost immediately, much like messages in a messenger.

⚫️ Some may ask:

What if something goes wrong, and the interface already showed the transaction? Losing a like on X is not critical. But if someone believes a money transfer has gone through when it hasn’t, the consequences are much more serious — so what’s the safeguard?

The key is that MyTonWallet doesn’t behave exactly like X. The transaction is shown immediately, but initially with a clock icon, indicating it’s still processing. Only after the block containing the transaction is finalized does the icon disappear — at which point the transfer is considered fully confirmed.

💡 So in everyday use, you can rely on the fast-updating transaction list. But if you’re sending a large amount and need 100% certainty that the transfer has been completed, you can always wait for full confirmation.

@thedailyton