International Association
for Cryptologic Research

We present an attack on the Abstract Datagram Network Layer (ADNL) protocol used in The Open Network (TON), currently the 10th largest blockchain by market cap- italization. In its TCP variant, ADNL secures communication between clients and specialized nodes called liteservers, which provide access to blockchain data. We identify two crypto- graphic design flaws in this protocol: a handshake that permits session-key replay and a non-standard integrity mechanism whose security critically depends on message confidentiality. We transform these vulnerabilities into an efficient plaintext- recovery attack by exploiting two ADNL communication pat- terns, allowing message reordering across replayed sessions. We then develop a plaintext model for this scenario and con- struct an efficient algorithm that recovers the keystream using a fraction of known plaintexts and a handful of replays. We implement our attack and show that an attacker intercepting the communication between a TON liteserver and a widely de- ployed ADNL client can recover the keystream used to encrypt server responses by performing eight connection replays to the server. This allows the decryption of sensitive data, such as account balances and user activity patterns. Additionally, the attacker can modify server responses to manipulate blockchain information displayed to the client, including account balances and asset prices.