In the user stories above, we saw that a full flow is distributed over multiple messages. The message internal transfer
, for example, causes its recipient to increase their SHIB balance (as you recall, it was sent at the end of the transfer flow). What would happen if an attacker tries to forge this message and send it to a contract holding their own SHIB balance? If we're not careful, such forgery would result in the attacker's ability to generate new tokens for themselves from thin air!
To secure the contract against this forgery, we would need to authenticate that these critical messages that change balances indeed originate from a valid sender. You can see the validation code here
- the contract will only handle a message if it was sent by the minter parent (labeled jetton_master_address
for some reason) or by one of the valid children.
This leads to a very interesting question - how can we tell if some random address is a valid child jetton address? Wait a minute, earlier when Alison wanted to send a message to Becky, how did she know Becky's contract address in the first place?
This, again, is a beautiful system design - the addresses for smart contracts on TON are derived from the initial code cell of the contract (the compiled TVM bytecode of its implementation) and the initial data cell of the contract (its initial persistent state upon construction). If we know these two values, we can calculate the address of a contract even before it is deployed. This calculation is deterministic and immutable.
The Jetton code contains a utility function that calculates a child's address - meaning the address of the contract holding Alison's SHIB balance - based on Alison's address. You can see this function here
. As you can see, it indeed depends on the initial [code cell]
of the child and its initial [data cell]
It's a little tricky to understand why this mechanism is secure. What prevents an attacker from somehow deploying their malicious contract in the address of one of the legal children? To land on a legal address, the malicious contract would have to have the initial code cell of the official children - this has already limited the attacker's ability to add malicious code to this implementation. In addition, the initial data cell guarantees that the child will only obey the correct minter parent since the initial data cell contains its address.