@blazium/ton-connect-mobile 1.2.0 → 1.2.1

package/dist/adapters/expo.js

@@ -67,15 +67,15 @@ class ExpoAdapter {
             else {
                 console.log('[ExpoAdapter] Skipping canOpenURL check (Android compatibility)');
             }
-            // CRITICAL FIX: Android'de canOpenURL() tonconnect:// protokolünü tanımayabilir
-            // Bu yüzden direkt openURL() çağırıyoruz. Eğer açılamazsa hata fırlatır.
+            // CRITICAL FIX: On Android, canOpenURL() may not recognize tonconnect:// protocol
+            // So we call openURL() directly. If it fails, it will throw an error.
             await Linking.openURL(url);
             console.log('[ExpoAdapter] URL opened successfully');
             return true;
         }
         catch (error) {
             console.error('[ExpoAdapter] Error in openURL:', error);
-            // Android'de tonconnect:// protokolü tanınmıyorsa veya cüzdan yüklü değilse hata verir
+            // On Android, if tonconnect:// protocol is not recognized or wallet is not installed, it will throw an error
             const errorMessage = error?.message || String(error);
             if (errorMessage.includes('No Activity found') || errorMessage.includes('No app found') || errorMessage.includes('Cannot open URL')) {
                 throw new Error('No TON wallet app found. Please install Tonkeeper or another TON Connect compatible wallet from Google Play Store.');

package/dist/adapters/react-native.js

@@ -55,15 +55,15 @@ class ReactNativeAdapter {
             else {
                 console.log('[ReactNativeAdapter] Skipping canOpenURL check (Android compatibility)');
             }
-            // CRITICAL FIX: Android'de canOpenURL() tonconnect:// protokolünü tanımayabilir
-            // Bu yüzden direkt openURL() çağırıyoruz. Eğer açılamazsa hata fırlatır.
+            // CRITICAL FIX: On Android, canOpenURL() may not recognize tonconnect:// protocol
+            // So we call openURL() directly. If it fails, it will throw an error.
             await Linking.openURL(url);
             console.log('[ReactNativeAdapter] URL opened successfully');
             return true;
         }
         catch (error) {
             console.error('[ReactNativeAdapter] Error in openURL:', error);
-            // Android'de tonconnect:// protokolü tanınmıyorsa veya cüzdan yüklü değilse hata verir
+            // On Android, if tonconnect:// protocol is not recognized or wallet is not installed, it will throw an error
             const errorMessage = error?.message || String(error);
             if (errorMessage.includes('No Activity found') || errorMessage.includes('No app found') || errorMessage.includes('Cannot open URL')) {
                 throw new Error('No TON wallet app found. Please install Tonkeeper or another TON Connect compatible wallet from Google Play Store.');

package/dist/core/protocol.d.ts

@@ -35,6 +35,7 @@ export declare function parseCallbackURL(url: string, scheme: string): {
 };
 /**
  * Extract wallet info from connection response
+ * CRITICAL: This function assumes response has been validated by validateConnectionResponse
  */
 export declare function extractWalletInfo(response: ConnectionResponsePayload): WalletInfo;
 /**

package/dist/core/protocol.js

@@ -195,12 +195,21 @@ function parseCallbackURL(url, scheme) {
             return { type: 'unknown', data: null };
         }
         // Extract encoded payload
-        const encoded = url.substring(expectedPrefix.length);
+        let encoded = url.substring(expectedPrefix.length);
+        // CRITICAL FIX: Decode URL encoding first (wallet may URL-encode the payload)
+        try {
+            encoded = decodeURIComponent(encoded);
+        }
+        catch (error) {
+            // If decodeURIComponent fails, try using the original encoded string
+            // Some wallets may not URL-encode the payload
+            console.log('[TON Connect] Payload not URL-encoded, using as-is');
+        }
         // CRITICAL FIX: Validate base64 payload size (prevent DoS)
         if (encoded.length === 0 || encoded.length > 5000) {
             return { type: 'unknown', data: null };
         }
-        // CRITICAL FIX: Validate base64 characters only
+        // CRITICAL FIX: Validate base64 characters only (after URL decoding)
         if (!/^[A-Za-z0-9_-]+$/.test(encoded)) {
             return { type: 'unknown', data: null };
         }
@@ -241,12 +250,17 @@ function parseCallbackURL(url, scheme) {
 }
 /**
  * Extract wallet info from connection response
+ * CRITICAL: This function assumes response has been validated by validateConnectionResponse
  */
 function extractWalletInfo(response) {
+    // CRITICAL FIX: Add null checks to prevent runtime errors
+    if (!response || !response.name || !response.address || !response.publicKey) {
+        throw new Error('Invalid connection response: missing required fields');
+    }
     return {
         name: response.name,
-        appName: response.appName,
-        version: response.version,
+        appName: response.appName || response.name,
+        version: response.version || 'unknown',
         platform: response.platform || 'unknown',
         address: response.address,
         publicKey: response.publicKey,
@@ -280,13 +294,59 @@ function validateTransactionRequest(request) {
     if (!request.messages || request.messages.length === 0) {
         return { valid: false, error: 'Transaction must have at least one message' };
     }
-    for (const msg of request.messages) {
-        if (!msg.address) {
-            return { valid: false, error: 'Message address is required' };
+    // CRITICAL: Validate each message
+    for (let i = 0; i < request.messages.length; i++) {
+        const msg = request.messages[i];
+        // Validate address
+        if (!msg.address || typeof msg.address !== 'string') {
+            return { valid: false, error: `Message ${i + 1}: Address is required and must be a string` };
+        }
+        // CRITICAL: Validate TON address format (EQ... or 0Q...)
+        if (!/^(EQ|0Q)[A-Za-z0-9_-]{46}$/.test(msg.address)) {
+            return { valid: false, error: `Message ${i + 1}: Invalid TON address format. Address must start with EQ or 0Q and be 48 characters long.` };
+        }
+        // Validate amount
+        if (!msg.amount || typeof msg.amount !== 'string') {
+            return { valid: false, error: `Message ${i + 1}: Amount is required and must be a string (nanotons)` };
+        }
+        // CRITICAL: Validate amount is a valid positive number (nanotons)
+        try {
+            const amount = BigInt(msg.amount);
+            if (amount <= 0n) {
+                return { valid: false, error: `Message ${i + 1}: Amount must be greater than 0` };
+            }
+            // Check for reasonable maximum (prevent overflow)
+            if (amount > BigInt('1000000000000000000')) { // 1 billion TON
+                return { valid: false, error: `Message ${i + 1}: Amount exceeds maximum allowed (1 billion TON)` };
+            }
         }
-        if (!msg.amount || isNaN(Number(msg.amount))) {
-            return { valid: false, error: 'Message amount must be a valid number' };
+        catch (error) {
+            return { valid: false, error: `Message ${i + 1}: Amount must be a valid number string (nanotons)` };
         }
+        // Validate payload if provided (must be base64)
+        if (msg.payload !== undefined && msg.payload !== null) {
+            if (typeof msg.payload !== 'string') {
+                return { valid: false, error: `Message ${i + 1}: Payload must be a base64 string` };
+            }
+            // Basic base64 validation
+            if (msg.payload.length > 0 && !/^[A-Za-z0-9+/=]+$/.test(msg.payload)) {
+                return { valid: false, error: `Message ${i + 1}: Payload must be valid base64 encoded` };
+            }
+        }
+        // Validate stateInit if provided (must be base64)
+        if (msg.stateInit !== undefined && msg.stateInit !== null) {
+            if (typeof msg.stateInit !== 'string') {
+                return { valid: false, error: `Message ${i + 1}: StateInit must be a base64 string` };
+            }
+            // Basic base64 validation
+            if (msg.stateInit.length > 0 && !/^[A-Za-z0-9+/=]+$/.test(msg.stateInit)) {
+                return { valid: false, error: `Message ${i + 1}: StateInit must be valid base64 encoded` };
+            }
+        }
+    }
+    // CRITICAL: Limit maximum number of messages (prevent DoS)
+    if (request.messages.length > 255) {
+        return { valid: false, error: 'Transaction cannot have more than 255 messages' };
     }
     return { valid: true };
 }

package/dist/core/wallets.js

@@ -17,7 +17,7 @@ exports.SUPPORTED_WALLETS = [
         appName: 'Tonkeeper',
         universalLink: 'https://app.tonkeeper.com/ton-connect',
         deepLink: 'tonkeeper://',
-        platforms: ['ios', 'android'],
+        platforms: ['ios', 'android', 'web'], // CRITICAL FIX: Tonkeeper Web is supported
         preferredReturnStrategy: 'post_redirect', // CRITICAL FIX: 'back' strategy may not send callback properly, use 'post_redirect'
         requiresReturnScheme: true, // CRITICAL FIX: Mobile apps need returnScheme for proper callback handling
     },

package/dist/index.d.ts

@@ -103,6 +103,8 @@ export declare class TonConnectMobile {
     /**
      * Check if a wallet is available on the current platform
      * Note: This is a best-effort check and may not be 100% accurate
+     * CRITICAL FIX: On web, if wallet has universalLink, it's considered available
+     * because universal links can open in new tabs/windows
      */
     isWalletAvailable(walletName?: string): Promise<boolean>;
     /**

package/dist/index.js

@@ -60,14 +60,14 @@ class UserRejectedError extends TonConnectError {
 exports.UserRejectedError = UserRejectedError;
 class ConnectionInProgressError extends TonConnectError {
     constructor() {
-        super('Connection request already in progress', 'CONNECTION_IN_PROGRESS');
+        super('Connection request already in progress', 'CONNECTION_IN_PROGRESS', 'Please wait for the current connection attempt to complete before trying again.');
         this.name = 'ConnectionInProgressError';
     }
 }
 exports.ConnectionInProgressError = ConnectionInProgressError;
 class TransactionInProgressError extends TonConnectError {
     constructor() {
-        super('Transaction request already in progress', 'TRANSACTION_IN_PROGRESS');
+        super('Transaction request already in progress', 'TRANSACTION_IN_PROGRESS', 'Please wait for the current transaction to complete before sending another one.');
         this.name = 'TransactionInProgressError';
     }
 }
@@ -198,8 +198,9 @@ class TonConnectMobile {
         const parsed = (0, protocol_1.parseCallbackURL)(url, this.config.scheme);
         console.log('[TON Connect] Parsed callback:', parsed.type, parsed.data ? 'has data' : 'no data');
         // CRITICAL FIX: Check for sign data response first (before other handlers)
-        if (this.signDataPromise && !this.signDataPromise.timeout) {
-            // Sign data request is pending
+        // Note: We check if promise exists and hasn't timed out (timeout !== null means not timed out yet)
+        if (this.signDataPromise && this.signDataPromise.timeout !== null) {
+            // Sign data request is pending and hasn't timed out
             if (parsed.type === 'error' && parsed.data) {
                 const errorData = parsed.data;
                 if (errorData?.error) {
@@ -284,12 +285,18 @@ class TonConnectMobile {
         this.currentStatus = { connected: true, wallet };
         this.notifyStatusChange();
         // Resolve connection promise
+        // CRITICAL: Only resolve if promise still exists and hasn't timed out
         if (this.connectionPromise) {
+            // Clear timeout if it exists
             if (this.connectionPromise.timeout !== null) {
                 clearTimeout(this.connectionPromise.timeout);
             }
-            this.connectionPromise.resolve(wallet);
+            // Store reference before clearing to prevent race conditions
+            const promise = this.connectionPromise;
+            // Clear promise first
             this.connectionPromise = null;
+            // Then resolve
+            promise.resolve(wallet);
         }
     }
     /**
@@ -301,15 +308,21 @@ class TonConnectMobile {
             return;
         }
         // Resolve transaction promise
+        // CRITICAL: Only resolve if promise still exists and hasn't timed out
         if (this.transactionPromise) {
+            // Clear timeout if it exists
             if (this.transactionPromise.timeout !== null) {
                 clearTimeout(this.transactionPromise.timeout);
             }
-            this.transactionPromise.resolve({
+            // Store reference before clearing
+            const promise = this.transactionPromise;
+            // Clear promise first to prevent race conditions
+            this.transactionPromise = null;
+            // Then resolve
+            promise.resolve({
                 boc: response.boc,
                 signature: response.signature,
             });
-            this.transactionPromise = null;
         }
     }
     /**
@@ -330,6 +343,14 @@ class TonConnectMobile {
             this.transactionPromise.reject(error);
             this.transactionPromise = null;
         }
+        // CRITICAL FIX: Also clear signDataPromise to prevent memory leaks
+        if (this.signDataPromise) {
+            if (this.signDataPromise.timeout !== null) {
+                clearTimeout(this.signDataPromise.timeout);
+            }
+            this.signDataPromise.reject(error);
+            this.signDataPromise = null;
+        }
     }
     /**
      * Connect to wallet
@@ -649,16 +670,21 @@ class TonConnectMobile {
     /**
      * Check if a wallet is available on the current platform
      * Note: This is a best-effort check and may not be 100% accurate
+     * CRITICAL FIX: On web, if wallet has universalLink, it's considered available
+     * because universal links can open in new tabs/windows
      */
     async isWalletAvailable(walletName) {
         const wallet = walletName ? (0, wallets_1.getWalletByName)(walletName) : this.currentWallet;
         if (!wallet) {
             return false;
         }
-        // On web, check if wallet supports web platform
-        // eslint-disable-next-line no-undef
-        if (typeof globalThis !== 'undefined' && globalThis.window) {
-            return wallet.platforms.includes('web');
+        // CRITICAL FIX: Check adapter type to reliably detect web platform
+        // WebAdapter is only used on web, so this is the most reliable check
+        const isWeb = this.adapter.constructor.name === 'WebAdapter';
+        if (isWeb) {
+            // On web, if wallet has universalLink or supports web platform, it's available
+            // Universal links can open in a new tab on web
+            return wallet.platforms.includes('web') || !!wallet.universalLink;
         }
         // On mobile, we can't reliably check if wallet is installed
         // Return true if wallet supports the current platform

package/dist/react/TonConnectUIProvider.js

@@ -51,7 +51,19 @@ const TonConnectUIContext = (0, react_1.createContext)(null);
  * Compatible with @tonconnect/ui-react API
  */
 function TonConnectUIProvider({ config, children, sdkInstance, }) {
-    const [sdk] = (0, react_1.useState)(() => sdkInstance || new index_1.TonConnectMobile(config));
+    // CRITICAL: Initialize SDK only once
+    const [sdk] = (0, react_1.useState)(() => {
+        if (sdkInstance) {
+            return sdkInstance;
+        }
+        try {
+            return new index_1.TonConnectMobile(config);
+        }
+        catch (error) {
+            console.error('[TonConnectUIProvider] Failed to initialize SDK:', error);
+            throw error;
+        }
+    });
     const [walletState, setWalletState] = (0, react_1.useState)(null);
     const [modalOpen, setModalOpen] = (0, react_1.useState)(false);
     const [isConnecting, setIsConnecting] = (0, react_1.useState)(false);
@@ -135,19 +147,42 @@ function TonConnectUIProvider({ config, children, sdkInstance, }) {
     }, [sdk]);
     // Send transaction
     const sendTransaction = (0, react_1.useCallback)(async (transaction) => {
-        const response = await sdk.sendTransaction(transaction);
-        return {
-            boc: response.boc,
-            signature: response.signature,
-        };
+        try {
+            // Validate transaction before sending
+            if (!transaction || !transaction.messages || transaction.messages.length === 0) {
+                throw new Error('Invalid transaction: messages array is required and cannot be empty');
+            }
+            if (!transaction.validUntil || transaction.validUntil <= Date.now()) {
+                throw new Error('Invalid transaction: validUntil must be in the future');
+            }
+            const response = await sdk.sendTransaction(transaction);
+            return {
+                boc: response.boc,
+                signature: response.signature,
+            };
+        }
+        catch (error) {
+            console.error('[TonConnectUIProvider] Transaction error:', error);
+            throw error;
+        }
     }, [sdk]);
     // Sign data
     const signData = (0, react_1.useCallback)(async (request) => {
-        const response = await sdk.signData(request.data, request.version);
-        return {
-            signature: response.signature,
-            timestamp: response.timestamp,
-        };
+        try {
+            // Validate request
+            if (!request || (!request.data && request.data !== '')) {
+                throw new Error('Invalid sign data request: data is required');
+            }
+            const response = await sdk.signData(request.data, request.version);
+            return {
+                signature: response.signature,
+                timestamp: response.timestamp,
+            };
+        }
+        catch (error) {
+            console.error('[TonConnectUIProvider] Sign data error:', error);
+            throw error;
+        }
     }, [sdk]);
     // Create TonConnectUI instance
     const tonConnectUI = {

package/dist/react/WalletSelectionModal.js

@@ -27,18 +27,36 @@ function WalletSelectionModal({ visible, onClose, wallets: customWallets, style,
         }
         else {
             const supportedWallets = sdk.getSupportedWallets();
-            // Filter wallets for current platform
+            // CRITICAL FIX: On web, show all wallets with universalLink (they can open in new tab)
+            // On mobile, filter by platform
             const platform = react_native_1.Platform.OS === 'ios' ? 'ios' : react_native_1.Platform.OS === 'android' ? 'android' : 'web';
-            const platformWallets = supportedWallets.filter((w) => w.platforms.includes(platform));
+            let platformWallets;
+            if (platform === 'web') {
+                // On web, show all wallets with universalLink (they can open in new tab)
+                platformWallets = supportedWallets.filter((w) => w.platforms.includes('web') || !!w.universalLink);
+            }
+            else {
+                platformWallets = supportedWallets.filter((w) => w.platforms.includes(platform));
+            }
             setWallets(platformWallets);
         }
     }, [sdk, customWallets]);
     // Handle wallet selection
     const handleSelectWallet = async (wallet) => {
+        // Prevent multiple simultaneous connection attempts
+        if (connectingWallet) {
+            return;
+        }
         try {
             setConnectingWallet(wallet.name);
             // Set preferred wallet
-            sdk.setPreferredWallet(wallet.name);
+            try {
+                sdk.setPreferredWallet(wallet.name);
+            }
+            catch (error) {
+                console.error('[WalletSelectionModal] Failed to set preferred wallet:', error);
+                // Continue anyway - SDK will use default wallet
+            }
             // Close modal
             onClose();
             // Small delay to ensure modal closes
@@ -47,13 +65,9 @@ function WalletSelectionModal({ visible, onClose, wallets: customWallets, style,
             await tonConnectUI.connectWallet();
         }
         catch (error) {
-            console.error('Wallet connection error:', error);
+            console.error('[WalletSelectionModal] Wallet connection error:', error);
             setConnectingWallet(null);
-            // Re-open modal on error
-            onClose();
-            setTimeout(() => {
-                // Modal will be re-opened by parent if needed
-            }, 500);
+            // Error is handled by SDK/UI, just reset connecting state
         }
     };
     return (react_1.default.createElement(react_native_1.Modal, { visible: visible, animationType: "slide", transparent: true, onRequestClose: onClose },
@@ -69,8 +83,9 @@ function WalletSelectionModal({ visible, onClose, wallets: customWallets, style,
                     react_1.default.createElement(react_native_1.Text, { style: styles.emptyStateSubtext }, "Please install a TON wallet app to continue"))) : (wallets.map((wallet) => {
                     const isConnecting = connectingWallet === wallet.name;
                     return (react_1.default.createElement(react_native_1.TouchableOpacity, { key: wallet.name, style: [styles.walletItem, isConnecting && styles.walletItemConnecting], onPress: () => handleSelectWallet(wallet), disabled: isConnecting },
-                        react_1.default.createElement(react_native_1.View, { style: styles.walletIconContainer }, wallet.iconUrl ? (react_1.default.createElement(react_native_1.Image, { source: { uri: wallet.iconUrl }, style: styles.walletIcon })) : (react_1.default.createElement(react_native_1.View, { style: styles.walletIconPlaceholder },
-                            react_1.default.createElement(react_native_1.Text, { style: styles.walletIconText }, wallet.name.charAt(0).toUpperCase())))),
+                        react_1.default.createElement(react_native_1.View, { style: styles.walletIconContainer },
+                            react_1.default.createElement(react_native_1.View, { style: styles.walletIconPlaceholder },
+                                react_1.default.createElement(react_native_1.Text, { style: styles.walletIconText }, wallet.name.charAt(0).toUpperCase()))),
                         react_1.default.createElement(react_native_1.View, { style: styles.walletInfo },
                             react_1.default.createElement(react_native_1.Text, { style: styles.walletName }, wallet.name),
                             react_1.default.createElement(react_native_1.Text, { style: styles.walletAppName }, wallet.appName)),

package/dist/utils/transactionBuilder.js

@@ -42,12 +42,29 @@ function nanoToTon(nanotons) {
  * @returns Transaction request
  */
 function buildTransferTransaction(to, amount, validUntil) {
+    // Validate address
+    if (!to || typeof to !== 'string') {
+        throw new Error('Recipient address is required');
+    }
+    if (!isValidTonAddress(to)) {
+        throw new Error(`Invalid TON address format: ${to}`);
+    }
+    // Validate amount
+    const nanoAmount = tonToNano(amount);
+    if (BigInt(nanoAmount) <= 0n) {
+        throw new Error('Transaction amount must be greater than 0');
+    }
+    // Validate validUntil
+    const expiration = validUntil || Date.now() + 5 * 60 * 1000; // 5 minutes default
+    if (expiration <= Date.now()) {
+        throw new Error('Transaction expiration must be in the future');
+    }
     return {
-        validUntil: validUntil || Date.now() + 5 * 60 * 1000, // 5 minutes default
+        validUntil: expiration,
         messages: [
             {
                 address: to,
-                amount: tonToNano(amount),
+                amount: nanoAmount,
             },
         ],
     };
@@ -59,12 +76,38 @@ function buildTransferTransaction(to, amount, validUntil) {
  * @returns Transaction request
  */
 function buildMultiTransferTransaction(transfers, validUntil) {
-    return {
-        validUntil: validUntil || Date.now() + 5 * 60 * 1000,
-        messages: transfers.map((transfer) => ({
+    // Validate transfers array
+    if (!transfers || !Array.isArray(transfers) || transfers.length === 0) {
+        throw new Error('Transfers array is required and cannot be empty');
+    }
+    if (transfers.length > 255) {
+        throw new Error('Maximum 255 transfers allowed per transaction');
+    }
+    // Validate each transfer
+    const messages = transfers.map((transfer, index) => {
+        if (!transfer.to || typeof transfer.to !== 'string') {
+            throw new Error(`Transfer ${index + 1}: Recipient address is required`);
+        }
+        if (!isValidTonAddress(transfer.to)) {
+            throw new Error(`Transfer ${index + 1}: Invalid TON address format: ${transfer.to}`);
+        }
+        const nanoAmount = tonToNano(transfer.amount);
+        if (BigInt(nanoAmount) <= 0n) {
+            throw new Error(`Transfer ${index + 1}: Amount must be greater than 0`);
+        }
+        return {
             address: transfer.to,
-            amount: tonToNano(transfer.amount),
-        })),
+            amount: nanoAmount,
+        };
+    });
+    // Validate validUntil
+    const expiration = validUntil || Date.now() + 5 * 60 * 1000;
+    if (expiration <= Date.now()) {
+        throw new Error('Transaction expiration must be in the future');
+    }
+    return {
+        validUntil: expiration,
+        messages,
     };
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blazium/ton-connect-mobile",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Production-ready TON Connect Mobile SDK for React Native and Expo. Implements the real TonConnect protocol for mobile applications using deep links and callbacks.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/adapters/expo.ts

@@ -78,14 +78,14 @@ export class ExpoAdapter implements PlatformAdapter {
         console.log('[ExpoAdapter] Skipping canOpenURL check (Android compatibility)');
       }
       
-      // CRITICAL FIX: Android'de canOpenURL() tonconnect:// protokolünü tanımayabilir
-      // Bu yüzden direkt openURL() çağırıyoruz. Eğer açılamazsa hata fırlatır.
+      // CRITICAL FIX: On Android, canOpenURL() may not recognize tonconnect:// protocol
+      // So we call openURL() directly. If it fails, it will throw an error.
       await Linking.openURL(url);
       console.log('[ExpoAdapter] URL opened successfully');
       return true;
     } catch (error: any) {
       console.error('[ExpoAdapter] Error in openURL:', error);
-      // Android'de tonconnect:// protokolü tanınmıyorsa veya cüzdan yüklü değilse hata verir
+      // On Android, if tonconnect:// protocol is not recognized or wallet is not installed, it will throw an error
       const errorMessage = error?.message || String(error);
       if (errorMessage.includes('No Activity found') || errorMessage.includes('No app found') || errorMessage.includes('Cannot open URL')) {
         throw new Error(

package/src/adapters/react-native.ts

@@ -67,14 +67,14 @@ export class ReactNativeAdapter implements PlatformAdapter {
         console.log('[ReactNativeAdapter] Skipping canOpenURL check (Android compatibility)');
       }
       
-      // CRITICAL FIX: Android'de canOpenURL() tonconnect:// protokolünü tanımayabilir
-      // Bu yüzden direkt openURL() çağırıyoruz. Eğer açılamazsa hata fırlatır.
+      // CRITICAL FIX: On Android, canOpenURL() may not recognize tonconnect:// protocol
+      // So we call openURL() directly. If it fails, it will throw an error.
       await Linking.openURL(url);
       console.log('[ReactNativeAdapter] URL opened successfully');
       return true;
     } catch (error: any) {
       console.error('[ReactNativeAdapter] Error in openURL:', error);
-      // Android'de tonconnect:// protokolü tanınmıyorsa veya cüzdan yüklü değilse hata verir
+      // On Android, if tonconnect:// protocol is not recognized or wallet is not installed, it will throw an error
       const errorMessage = error?.message || String(error);
       if (errorMessage.includes('No Activity found') || errorMessage.includes('No app found') || errorMessage.includes('Cannot open URL')) {
         throw new Error(

package/src/core/protocol.ts

@@ -248,14 +248,23 @@ export function parseCallbackURL(url: string, scheme: string): {
     }
 
     // Extract encoded payload
-    const encoded = url.substring(expectedPrefix.length);
+    let encoded = url.substring(expectedPrefix.length);
+
+    // CRITICAL FIX: Decode URL encoding first (wallet may URL-encode the payload)
+    try {
+      encoded = decodeURIComponent(encoded);
+    } catch (error) {
+      // If decodeURIComponent fails, try using the original encoded string
+      // Some wallets may not URL-encode the payload
+      console.log('[TON Connect] Payload not URL-encoded, using as-is');
+    }
 
     // CRITICAL FIX: Validate base64 payload size (prevent DoS)
     if (encoded.length === 0 || encoded.length > 5000) {
       return { type: 'unknown', data: null };
     }
 
-    // CRITICAL FIX: Validate base64 characters only
+    // CRITICAL FIX: Validate base64 characters only (after URL decoding)
     if (!/^[A-Za-z0-9_-]+$/.test(encoded)) {
       return { type: 'unknown', data: null };
     }
@@ -306,14 +315,20 @@ export function parseCallbackURL(url: string, scheme: string): {
 
 /**
  * Extract wallet info from connection response
+ * CRITICAL: This function assumes response has been validated by validateConnectionResponse
  */
 export function extractWalletInfo(
   response: ConnectionResponsePayload
 ): WalletInfo {
+  // CRITICAL FIX: Add null checks to prevent runtime errors
+  if (!response || !response.name || !response.address || !response.publicKey) {
+    throw new Error('Invalid connection response: missing required fields');
+  }
+  
   return {
     name: response.name,
-    appName: response.appName,
-    version: response.version,
+    appName: response.appName || response.name,
+    version: response.version || 'unknown',
     platform: response.platform || 'unknown',
     address: response.address,
     publicKey: response.publicKey,
@@ -360,13 +375,65 @@ export function validateTransactionRequest(
     return { valid: false, error: 'Transaction must have at least one message' };
   }
 
-  for (const msg of request.messages) {
-    if (!msg.address) {
-      return { valid: false, error: 'Message address is required' };
+  // CRITICAL: Validate each message
+  for (let i = 0; i < request.messages.length; i++) {
+    const msg = request.messages[i];
+    
+    // Validate address
+    if (!msg.address || typeof msg.address !== 'string') {
+      return { valid: false, error: `Message ${i + 1}: Address is required and must be a string` };
+    }
+    
+    // CRITICAL: Validate TON address format (EQ... or 0Q...)
+    if (!/^(EQ|0Q)[A-Za-z0-9_-]{46}$/.test(msg.address)) {
+      return { valid: false, error: `Message ${i + 1}: Invalid TON address format. Address must start with EQ or 0Q and be 48 characters long.` };
     }
-    if (!msg.amount || isNaN(Number(msg.amount))) {
-      return { valid: false, error: 'Message amount must be a valid number' };
+    
+    // Validate amount
+    if (!msg.amount || typeof msg.amount !== 'string') {
+      return { valid: false, error: `Message ${i + 1}: Amount is required and must be a string (nanotons)` };
+    }
+    
+    // CRITICAL: Validate amount is a valid positive number (nanotons)
+    try {
+      const amount = BigInt(msg.amount);
+      if (amount <= 0n) {
+        return { valid: false, error: `Message ${i + 1}: Amount must be greater than 0` };
+      }
+      // Check for reasonable maximum (prevent overflow)
+      if (amount > BigInt('1000000000000000000')) { // 1 billion TON
+        return { valid: false, error: `Message ${i + 1}: Amount exceeds maximum allowed (1 billion TON)` };
+      }
+    } catch (error) {
+      return { valid: false, error: `Message ${i + 1}: Amount must be a valid number string (nanotons)` };
     }
+    
+    // Validate payload if provided (must be base64)
+    if (msg.payload !== undefined && msg.payload !== null) {
+      if (typeof msg.payload !== 'string') {
+        return { valid: false, error: `Message ${i + 1}: Payload must be a base64 string` };
+      }
+      // Basic base64 validation
+      if (msg.payload.length > 0 && !/^[A-Za-z0-9+/=]+$/.test(msg.payload)) {
+        return { valid: false, error: `Message ${i + 1}: Payload must be valid base64 encoded` };
+      }
+    }
+    
+    // Validate stateInit if provided (must be base64)
+    if (msg.stateInit !== undefined && msg.stateInit !== null) {
+      if (typeof msg.stateInit !== 'string') {
+        return { valid: false, error: `Message ${i + 1}: StateInit must be a base64 string` };
+      }
+      // Basic base64 validation
+      if (msg.stateInit.length > 0 && !/^[A-Za-z0-9+/=]+$/.test(msg.stateInit)) {
+        return { valid: false, error: `Message ${i + 1}: StateInit must be valid base64 encoded` };
+      }
+    }
+  }
+
+  // CRITICAL: Limit maximum number of messages (prevent DoS)
+  if (request.messages.length > 255) {
+    return { valid: false, error: 'Transaction cannot have more than 255 messages' };
   }
 
   return { valid: true };

package/src/core/wallets.ts

@@ -31,7 +31,7 @@ export const SUPPORTED_WALLETS: WalletDefinition[] = [
     appName: 'Tonkeeper',
     universalLink: 'https://app.tonkeeper.com/ton-connect',
     deepLink: 'tonkeeper://',
-    platforms: ['ios', 'android'],
+    platforms: ['ios', 'android', 'web'], // CRITICAL FIX: Tonkeeper Web is supported
     preferredReturnStrategy: 'post_redirect', // CRITICAL FIX: 'back' strategy may not send callback properly, use 'post_redirect'
     requiresReturnScheme: true, // CRITICAL FIX: Mobile apps need returnScheme for proper callback handling
   },

package/src/index.ts

@@ -81,14 +81,22 @@ export class UserRejectedError extends TonConnectError {
 
 export class ConnectionInProgressError extends TonConnectError {
   constructor() {
-    super('Connection request already in progress', 'CONNECTION_IN_PROGRESS');
+    super(
+      'Connection request already in progress',
+      'CONNECTION_IN_PROGRESS',
+      'Please wait for the current connection attempt to complete before trying again.'
+    );
     this.name = 'ConnectionInProgressError';
   }
 }
 
 export class TransactionInProgressError extends TonConnectError {
   constructor() {
-    super('Transaction request already in progress', 'TRANSACTION_IN_PROGRESS');
+    super(
+      'Transaction request already in progress',
+      'TRANSACTION_IN_PROGRESS',
+      'Please wait for the current transaction to complete before sending another one.'
+    );
     this.name = 'TransactionInProgressError';
   }
 }
@@ -247,8 +255,9 @@ export class TonConnectMobile {
     console.log('[TON Connect] Parsed callback:', parsed.type, parsed.data ? 'has data' : 'no data');
 
     // CRITICAL FIX: Check for sign data response first (before other handlers)
-    if (this.signDataPromise && !this.signDataPromise.timeout) {
-      // Sign data request is pending
+    // Note: We check if promise exists and hasn't timed out (timeout !== null means not timed out yet)
+    if (this.signDataPromise && this.signDataPromise.timeout !== null) {
+      // Sign data request is pending and hasn't timed out
       if (parsed.type === 'error' && parsed.data) {
         const errorData = parsed.data as ErrorResponse;
         if (errorData?.error) {
@@ -339,12 +348,18 @@ export class TonConnectMobile {
     this.notifyStatusChange();
 
     // Resolve connection promise
+    // CRITICAL: Only resolve if promise still exists and hasn't timed out
     if (this.connectionPromise) {
+      // Clear timeout if it exists
       if (this.connectionPromise.timeout !== null) {
         clearTimeout(this.connectionPromise.timeout);
       }
-      this.connectionPromise.resolve(wallet);
+      // Store reference before clearing to prevent race conditions
+      const promise = this.connectionPromise;
+      // Clear promise first
       this.connectionPromise = null;
+      // Then resolve
+      promise.resolve(wallet);
     }
   }
 
@@ -358,15 +373,21 @@ export class TonConnectMobile {
     }
 
     // Resolve transaction promise
+    // CRITICAL: Only resolve if promise still exists and hasn't timed out
     if (this.transactionPromise) {
+      // Clear timeout if it exists
       if (this.transactionPromise.timeout !== null) {
         clearTimeout(this.transactionPromise.timeout);
       }
-      this.transactionPromise.resolve({
+      // Store reference before clearing
+      const promise = this.transactionPromise;
+      // Clear promise first to prevent race conditions
+      this.transactionPromise = null;
+      // Then resolve
+      promise.resolve({
         boc: response.boc,
         signature: response.signature,
       });
-      this.transactionPromise = null;
     }
   }
 
@@ -388,6 +409,14 @@ export class TonConnectMobile {
       this.transactionPromise.reject(error);
       this.transactionPromise = null;
     }
+    // CRITICAL FIX: Also clear signDataPromise to prevent memory leaks
+    if (this.signDataPromise) {
+      if (this.signDataPromise.timeout !== null) {
+        clearTimeout(this.signDataPromise.timeout);
+      }
+      this.signDataPromise.reject(error);
+      this.signDataPromise = null;
+    }
   }
 
   /**
@@ -769,6 +798,8 @@ export class TonConnectMobile {
   /**
    * Check if a wallet is available on the current platform
    * Note: This is a best-effort check and may not be 100% accurate
+   * CRITICAL FIX: On web, if wallet has universalLink, it's considered available
+   * because universal links can open in new tabs/windows
    */
   async isWalletAvailable(walletName?: string): Promise<boolean> {
     const wallet = walletName ? getWalletByName(walletName) : this.currentWallet;
@@ -776,10 +807,14 @@ export class TonConnectMobile {
       return false;
     }
 
-    // On web, check if wallet supports web platform
-    // eslint-disable-next-line no-undef
-    if (typeof globalThis !== 'undefined' && (globalThis as any).window) {
-      return wallet.platforms.includes('web');
+    // CRITICAL FIX: Check adapter type to reliably detect web platform
+    // WebAdapter is only used on web, so this is the most reliable check
+    const isWeb = this.adapter.constructor.name === 'WebAdapter';
+    
+    if (isWeb) {
+      // On web, if wallet has universalLink or supports web platform, it's available
+      // Universal links can open in a new tab on web
+      return wallet.platforms.includes('web') || !!wallet.universalLink;
     }
 
     // On mobile, we can't reliably check if wallet is installed

package/src/react/TonConnectUIProvider.tsx

@@ -109,7 +109,18 @@ export function TonConnectUIProvider({
   children,
   sdkInstance,
 }: TonConnectUIProviderProps): JSX.Element {
-  const [sdk] = useState<TonConnectMobile>(() => sdkInstance || new TonConnectMobile(config));
+  // CRITICAL: Initialize SDK only once
+  const [sdk] = useState<TonConnectMobile>(() => {
+    if (sdkInstance) {
+      return sdkInstance;
+    }
+    try {
+      return new TonConnectMobile(config);
+    } catch (error) {
+      console.error('[TonConnectUIProvider] Failed to initialize SDK:', error);
+      throw error;
+    }
+  });
   const [walletState, setWalletState] = useState<WalletState | null>(null);
   const [modalOpen, setModalOpen] = useState(false);
   const [isConnecting, setIsConnecting] = useState(false);
@@ -202,11 +213,24 @@ export function TonConnectUIProvider({
   // Send transaction
   const sendTransaction = useCallback(
     async (transaction: SendTransactionRequest): Promise<TransactionResponse> => {
-      const response = await sdk.sendTransaction(transaction);
-      return {
-        boc: response.boc,
-        signature: response.signature,
-      };
+      try {
+        // Validate transaction before sending
+        if (!transaction || !transaction.messages || transaction.messages.length === 0) {
+          throw new Error('Invalid transaction: messages array is required and cannot be empty');
+        }
+        if (!transaction.validUntil || transaction.validUntil <= Date.now()) {
+          throw new Error('Invalid transaction: validUntil must be in the future');
+        }
+
+        const response = await sdk.sendTransaction(transaction);
+        return {
+          boc: response.boc,
+          signature: response.signature,
+        };
+      } catch (error) {
+        console.error('[TonConnectUIProvider] Transaction error:', error);
+        throw error;
+      }
     },
     [sdk]
   );
@@ -214,11 +238,21 @@ export function TonConnectUIProvider({
   // Sign data
   const signData = useCallback(
     async (request: SignDataRequest): Promise<SignDataResponse> => {
-      const response = await sdk.signData(request.data, request.version);
-      return {
-        signature: response.signature,
-        timestamp: response.timestamp,
-      };
+      try {
+        // Validate request
+        if (!request || (!request.data && request.data !== '')) {
+          throw new Error('Invalid sign data request: data is required');
+        }
+
+        const response = await sdk.signData(request.data, request.version);
+        return {
+          signature: response.signature,
+          timestamp: response.timestamp,
+        };
+      } catch (error) {
+        console.error('[TonConnectUIProvider] Sign data error:', error);
+        throw error;
+      }
     },
     [sdk]
   );

package/src/react/WalletSelectionModal.tsx

@@ -11,7 +11,6 @@ import {
   TouchableOpacity,
   ScrollView,
   StyleSheet,
-  Image,
   Platform,
 } from 'react-native';
 import { useTonConnectUI, useTonConnectSDK } from './index';
@@ -49,20 +48,37 @@ export function WalletSelectionModal({
       setWallets(customWallets);
     } else {
       const supportedWallets = sdk.getSupportedWallets();
-      // Filter wallets for current platform
+      // CRITICAL FIX: On web, show all wallets with universalLink (they can open in new tab)
+      // On mobile, filter by platform
       const platform = Platform.OS === 'ios' ? 'ios' : Platform.OS === 'android' ? 'android' : 'web';
-      const platformWallets = supportedWallets.filter((w) => w.platforms.includes(platform));
+      let platformWallets: WalletDefinition[];
+      if (platform === 'web') {
+        // On web, show all wallets with universalLink (they can open in new tab)
+        platformWallets = supportedWallets.filter((w) => w.platforms.includes('web') || !!w.universalLink);
+      } else {
+        platformWallets = supportedWallets.filter((w) => w.platforms.includes(platform));
+      }
       setWallets(platformWallets);
     }
   }, [sdk, customWallets]);
 
   // Handle wallet selection
   const handleSelectWallet = async (wallet: WalletDefinition) => {
+    // Prevent multiple simultaneous connection attempts
+    if (connectingWallet) {
+      return;
+    }
+
     try {
       setConnectingWallet(wallet.name);
       
       // Set preferred wallet
-      sdk.setPreferredWallet(wallet.name);
+      try {
+        sdk.setPreferredWallet(wallet.name);
+      } catch (error) {
+        console.error('[WalletSelectionModal] Failed to set preferred wallet:', error);
+        // Continue anyway - SDK will use default wallet
+      }
       
       // Close modal
       onClose();
@@ -73,13 +89,9 @@ export function WalletSelectionModal({
       // Connect
       await tonConnectUI.connectWallet();
     } catch (error) {
-      console.error('Wallet connection error:', error);
+      console.error('[WalletSelectionModal] Wallet connection error:', error);
       setConnectingWallet(null);
-      // Re-open modal on error
-      onClose();
-      setTimeout(() => {
-        // Modal will be re-opened by parent if needed
-      }, 500);
+      // Error is handled by SDK/UI, just reset connecting state
     }
   };
 
@@ -121,15 +133,12 @@ export function WalletSelectionModal({
                     disabled={isConnecting}
                   >
                     <View style={styles.walletIconContainer}>
-                      {wallet.iconUrl ? (
-                        <Image source={{ uri: wallet.iconUrl }} style={styles.walletIcon} />
-                      ) : (
-                        <View style={styles.walletIconPlaceholder}>
-                          <Text style={styles.walletIconText}>
-                            {wallet.name.charAt(0).toUpperCase()}
-                          </Text>
-                        </View>
-                      )}
+                      {/* Always use placeholder to avoid web image loading issues */}
+                      <View style={styles.walletIconPlaceholder}>
+                        <Text style={styles.walletIconText}>
+                          {wallet.name.charAt(0).toUpperCase()}
+                        </Text>
+                      </View>
                     </View>
                     <View style={styles.walletInfo}>
                       <Text style={styles.walletName}>{wallet.name}</Text>

package/src/utils/transactionBuilder.ts

@@ -41,12 +41,32 @@ export function buildTransferTransaction(
   amount: number | string,
   validUntil?: number
 ): SendTransactionRequest {
+  // Validate address
+  if (!to || typeof to !== 'string') {
+    throw new Error('Recipient address is required');
+  }
+  if (!isValidTonAddress(to)) {
+    throw new Error(`Invalid TON address format: ${to}`);
+  }
+
+  // Validate amount
+  const nanoAmount = tonToNano(amount);
+  if (BigInt(nanoAmount) <= 0n) {
+    throw new Error('Transaction amount must be greater than 0');
+  }
+
+  // Validate validUntil
+  const expiration = validUntil || Date.now() + 5 * 60 * 1000; // 5 minutes default
+  if (expiration <= Date.now()) {
+    throw new Error('Transaction expiration must be in the future');
+  }
+
   return {
-    validUntil: validUntil || Date.now() + 5 * 60 * 1000, // 5 minutes default
+    validUntil: expiration,
     messages: [
       {
         address: to,
-        amount: tonToNano(amount),
+        amount: nanoAmount,
       },
     ],
   };
@@ -62,12 +82,41 @@ export function buildMultiTransferTransaction(
   transfers: Array<{ to: string; amount: number | string }>,
   validUntil?: number
 ): SendTransactionRequest {
-  return {
-    validUntil: validUntil || Date.now() + 5 * 60 * 1000,
-    messages: transfers.map((transfer) => ({
+  // Validate transfers array
+  if (!transfers || !Array.isArray(transfers) || transfers.length === 0) {
+    throw new Error('Transfers array is required and cannot be empty');
+  }
+  if (transfers.length > 255) {
+    throw new Error('Maximum 255 transfers allowed per transaction');
+  }
+
+  // Validate each transfer
+  const messages = transfers.map((transfer, index) => {
+    if (!transfer.to || typeof transfer.to !== 'string') {
+      throw new Error(`Transfer ${index + 1}: Recipient address is required`);
+    }
+    if (!isValidTonAddress(transfer.to)) {
+      throw new Error(`Transfer ${index + 1}: Invalid TON address format: ${transfer.to}`);
+    }
+    const nanoAmount = tonToNano(transfer.amount);
+    if (BigInt(nanoAmount) <= 0n) {
+      throw new Error(`Transfer ${index + 1}: Amount must be greater than 0`);
+    }
+    return {
       address: transfer.to,
-      amount: tonToNano(transfer.amount),
-    })),
+      amount: nanoAmount,
+    };
+  });
+
+  // Validate validUntil
+  const expiration = validUntil || Date.now() + 5 * 60 * 1000;
+  if (expiration <= Date.now()) {
+    throw new Error('Transaction expiration must be in the future');
+  }
+
+  return {
+    validUntil: expiration,
+    messages,
   };
 }