Summary
TAC is an EVM Network extension for TON. It runs an EVM execution environment with its own consensus and native gas token, and it ships with a crosschain framework that lets generic EVM code execution be initiated from a TON transaction. The same native crosschain messaging system that connects TAC and TON also serves asset bridging between the two chains, using the lock-and-mint approach typical of Ethereum L2s and OFTs.
On May 11th 2026, approximately at 02:20 UTC, the TON ↔ TAC asset bridge experienced a code-hash verification exploit. The exploit involved deploying a contract that mimicked a legitimate jetton wallet, bypassing verification controls. As a result, the system accepted invalid inputs as legitimate USD₮ from the bridge’s perspective, leading to the issuance of unbacked equivalent assets on TAC and resulting in a loss of bridge-locked assets on the TON side.
The assets were subsequently transferred out of TON (USDT) and TAC (BLUM) via LayerZero cross-chain infrastructure and moved across multiple blockchain networks (Ethereum, Bitcoin, ZCash, BSC, Solana). Portions of the proceeds were further processed through privacy-preserving protocols and intermediary conversion layers. Assets then stabilised across BTC (Bitcoin), DAI (Ethereum), ZEC (ZCash), SOL (Solana), BNB, BLUM (BSC), and BLUM (TON). Detailed tracing information, including transactional pathways and associated indicators, is available in the Appendix II document.
Total protocol loss is approximately $2,854,486.22 as of May 12th 2026 22:00 UTC.
The real-time security monitoring system from Hypernative flagged the mismatch between the TON balance and the TAC balance immediately. That is when the TAC team began investigating the issue and, after confirming the breach, decided to halt the entire sequencer set that connects TAC to TON and to start collaborating with law enforcement, the security auditor that had audited the code, Seal911 and TON experts. Unfortunately, all this effort was not enough to stop the security incident or to recover the funds, which the responsible party exfiltrated to other networks almost immediately.
At the same time, the temporary suspension of the bridge disrupted TON-based integrations across the TAC ecosystem, including wallet features, staking-related applications, and Telegram Mini Apps that leverage the cross-chain framework to enable access to EVM applications from TON. The TAC EVM layer remained fully operational throughout the incident.
This temporary disruption may have impacted user experience and partner integrations during the suspension period and is being addressed as part of ongoing recovery and stabilisation efforts.
Timeline and Sequence of events
11.05.2026
The attack on the TON/TAC sides was executed by a single TON address, with the proceeds consolidated to a single Ethereum receiver. The on-chain sequence was:
- Deployment of a fake jetton wallet on TON: EQA8rR5ofiIdpOO7l1JNSE0dthUp1AOxw0T5tO7ONIOkv9e9, a contract that looked like a USD₮ jetton wallet from the bridge's perspective and that belongs to a wallet controlled by the unauthorized actor EQBPHhXyG_vbsAEnB6YccNhhaVc6I3ixOCc7vriaOzo4AFA8.
- Bridge message sent to the TAC Proxy contract: transaction bcc1f5c1…49154.
- Sequencer set acceptance and mint on TAC: the sequencer-set quorum accepted the fake USD₮ as valid because the software did not verify the code or the minter of the sender jetton wallet. This is the actual bug identified. The equivalent tokens were minted on TAC to the responsible party's TAC address 0xB8D5E0a0100361fb0c67085Fc122F64de2D796BD (14 mint transactions across BLUM, USD₮, tsTON).
- Drain of the TON bridge: the responsible party bridged the minted tokens back from TAC to TON, releasing the bridge's locked assets on TON.
- Cross-chain exfiltration: USD₮ was bridged from TON to Ethereum mainnet via LayerZero (USDT0) in 13 transactions, and BLUM was bridged from TAC to BSC in 2 transactions.
- Mixing on Ethereum: the proceeds were split into DAI (held on a second ETH address), ETH (forwarded through NEAR Deposit, later withdrawn via Zcash), and WBTC (routed through THORChain to a Bitcoin address).
- Mixing on BSC: BLUM is being actively swapped into BNB and deposited into the HOT protocol; approximately 14M BLUM (about $52K) remains unswapped at the time of writing.
13.05.2026
TAC Team, supported by security providers and Seal911, initiated an investigation to trace the movement of the affected funds. The analysis focused on on-chain activity and related technical signals. The investigation identified a set of indirect indicators that helped narrow down relevant clusters of activity. These findings helped establish a communication channel with an external party involved in the incident, leading to a recovery-oriented engagement process and the eventual recovery arrangement, which was publicly communicated via TAC’s official announcement.
14.05.2026
Multisigs under the full control of the TAC team were quickly set up and communicated in the offer.
The responsible party executed refunding transactions after completing additional consolidations that day.
See the Appendix II document for more details on the on-chain activity performed during the refund.
Technical Details
To accept a token deposit from TON, each sequencer in the sequencer set reads a message from a jetton wallet that claims to hold a specific jetton (e.g., USD₮) and credits the equivalent amount on the TAC side. The correctness of this flow depends on the supermajority of the sequencers being able to prove that the sender jetton wallet is a genuine wallet for the claimed jetton.
On TON, the canonical way to prove this is to verify that:
- the sender wallet's code hash matches the standard jetton-wallet code, and
- the wallet's data (notably the minter/master address it points to) matches the expected jetton master for the claimed asset.
The TAC sequencer software performed neither check on the sender jetton wallet: neither its code hash nor the minter recorded in its data was verified. Any contract on TON that could format a well-formed bridge message, regardless of its actual code or its actual minter, was treated as a legitimate jetton wallet.
The exploit, therefore, required only three primitives:
1. Deploy a counterfeit jetton wallet on TON whose external surface mimics a USD₮ wallet but whose backing minter is party-controlled. The fake wallet does not need to be backed by any real USD₮ liquidity.
2. Send a bridge message from the counterfeit jetton wallet to the TAC Proxy contract on TON, declaring an arbitrary amount of USD₮ (and analogously BLUM, tsTON or any other jetton bridged to TAC).
3. Receive the equivalent freshly minted tokens on the TAC side, then bridge them back through the legitimate bridge path to TON, which releases the genuine locked tokens to the responsible party's TON address.
Because step 3 uses the real bridge return path, the bridge's accounting on TON sees a valid withdrawal of locked assets against what it believes is a matching deposit. The drained tokens are real USD₮, BLUM, and tsTON; the only thing that was never real is the original "deposit" message.
Impact
All numbers below are taken directly from on-chain data. The responsible party's TAC address is 0xB8D5E0a0100361fb0c67085Fc122F64de2D796BD.
Headline loss
For a detailed report about the onchain transactions related to the security incident, refer to Appendix II of this document.
Post incident: On-Chain Fund Tracing
The responsible party consolidated proceeds onto a single Ethereum receiver and then split them across DAI (Uniswap), ETH (forwarded via NEAR Deposit), and WBTC (routed through THORChain to Bitcoin). BLUM was bridged separately from TAC to BSC using the LayerZero OFT endpoint and is being progressively swapped to BNB and deposited into the HOT protocol.
Money flow overview
- Exploit on TON + TAC, executed from a single TON address.
- All USDT was bridged to a single Ethereum receiver.
- Split into three streams on Ethereum: DAI (held on a second ETH address), WBTC (routed to Bitcoin via THORChain), ETH (routed via NEAR Deposit, later exiting through Zcash).
- 50% of the BLUM assets were bridged TAC → BSC and are being progressively swapped to BNB and deposited into the HOT protocol.
- The other 50% of the BLUM, together with the tsTON, remains on the responsible party's address on the TON blockchain.
Extracted funds recap
All funds extracted in the security incident had been bridged, swapped or moved into the following destinations at the time of this document:
Subtotal of funds controlled by the responsible party: $2,529,781.53
Response and Remediation Actions
Funds tracking:
Tracking was conducted by the TAC team with support from SEAL911 and law enforcement. The on-chain movement of funds was traced and mapped, and the relevant materials have been shared with exchanges and analytics partners.
Bridge status:
TON/TAC Crosschain framework is currently paused; no assets or messages move between TON and TAC blockchains.
User communication:
Users were notified via the public Telegram and Twitter announcements. All TAC builders and partners were notified via direct communication channels.
Security Measures:
The TAC team has already prepared a fix for the sequencer code:
- Enforce verification of the sender jetton wallet's code hash against the canonical jetton-wallet code on every inbound bridge message.
- Verify that the sender jetton wallet's data points to the expected minter (jetton master) for the claimed asset.
- Reject any inbound message whose sender wallet cannot be proven to be the canonical jetton wallet for the declared asset.
- Expand the real-time monitoring with more behavioral controls related to mint volumes per minter and per source jetton wallet.
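The provenance check described under Technical Details and in the fix list above, as an added example that is not TAC's sequencer code: the pre-fix acceptance logic beside the hardened one. It assumes the sequencer already has the sender's code hash and the minter address parsed from its data cell; all hashes, addresses and account states are constructed placeholders, not the real USD₮/BLUM identifiers.

```python
from dataclasses import dataclass

# Constructed placeholders for the canonical jetton-wallet code hash and the jetton master
# (minter) address of each bridged asset; they are not the real USD₮ / BLUM / tsTON values.
CANONICAL = {
    "USDT": {"code_hash": "CODEHASH_STD_JETTON_WALLET", "master": "MASTER_USDT_PLACEHOLDER"},
    "BLUM": {"code_hash": "CODEHASH_STD_JETTON_WALLET", "master": "MASTER_BLUM_PLACEHOLDER"},
}

@dataclass(frozen=True)
class AccountState:
    code_hash: str  # hash of the code deployed at the sender address
    minter: str     # jetton master address stored in the wallet's data cell

@dataclass(frozen=True)
class BridgeMessage:
    sender: str     # TON address that sent the deposit notification to the TAC Proxy
    asset: str      # asset the message claims to carry
    amount: int

# Constructed view of TON account state, keyed by (placeholder) address.
CHAIN = {
    "WALLET_GENUINE_USDT": AccountState("CODEHASH_STD_JETTON_WALLET", "MASTER_USDT_PLACEHOLDER"),
    # Standard wallet code, but its data points at an attacker-controlled minter.
    "WALLET_FAKE_ROGUE_MINTER": AccountState("CODEHASH_STD_JETTON_WALLET", "MASTER_ATTACKER"),
    # Custom contract that merely formats well-formed bridge messages.
    "WALLET_FAKE_CUSTOM_CODE": AccountState("CODEHASH_CUSTOM", "MASTER_USDT_PLACEHOLDER"),
}

def vulnerable_accept(msg: BridgeMessage, chain: dict) -> bool:
    """Pre-fix behaviour: any well-formed message for a known asset is credited."""
    return msg.asset in CANONICAL and msg.amount > 0

def hardened_accept(msg: BridgeMessage, chain: dict) -> tuple:
    """Post-fix behaviour: credit only if the sender is provably the canonical wallet."""
    expected = CANONICAL.get(msg.asset)
    if expected is None or msg.amount <= 0:
        return False, "malformed message"
    state = chain.get(msg.sender)
    if state is None:
        return False, "sender account not found"
    if state.code_hash != expected["code_hash"]:
        return False, "code hash is not the canonical jetton-wallet code"
    if state.minter != expected["master"]:
        return False, "wallet data points to the wrong jetton master"
    return True, "ok"
```

The two counterfeit states show why both checks are needed: the code-hash check alone passes a standard wallet with a rogue minter, and the minter check alone passes a custom contract that stores the right master address.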
The release and reopening of the crosschain framework will require multiple steps, as described in the next section.
Recovery
Investigation activities and subsequent recovery efforts resulted in the recovery of approximately 90% of the affected assets that remained accessible at the time of the incident response.
The full set of recovered assets under the control of the TAC team is the following:
Summary of total recovered funds: 2,290,687.90 USD
As part of the negotiated recovery process, a portion of the affected assets was not recovered and remained outside TAC-controlled addresses following the incident response process:
- 300 ZEC, partially shielded, on t1h6NcBAciYGdaVb4Ej1AELTx1D9UF9WUDr
- 13 ETH on Ethereum, moved into Tornado Cash pool
- 1007 SOL were bridged to 5iUJeMixRp2AP88DJ8Ud4Z4qkrYFUQSLgpVaj64ALgPw and subsequently deposited into the privacy protocol Umbra. A portion of the funds was later observed moving to additional addresses, including HAxKVDEgmnNGaaRHBU4J579RXCuoEGP9iqUKuD2snBwv and 4vBBFZwJHmLZqZRZX1nM2UwPqE9qVaPqiKpWesaNCjca.
At the time of the incident response process, a subset of the affected assets was estimated at approximately USD 287,915.79, representing approximately 10.07% of the total protocol loss. The difference between this subset and the broader loss figures was attributable to market volatility, swap slippage, bridge and transaction fees, and asset value fluctuations incurred throughout the multi-chain asset movement process.
The recovery process resulted in the return of a substantial portion of the affected assets through coordinated recovery efforts. The final net recovery amounted to USD 2,290,687.90 out of the total protocol loss of USD 2,854,486.22, resulting in an effective recovery rate of approximately 80.2% of the total affected funds.
At the time of the incident response process (12 May 2026), the estimated value of assets under external control was approximately USD 2,529,781.53.
Refer to the Appendix II document for more details about the on-chain traces that led to the recovery of the funds.
Lessons Learned
Verify TON jetton-wallet provenance, always.
On TON, a contract claiming to be a jetton wallet for asset X cannot be trusted solely on the basis of its messages. A recommended validation approach is to verify both (a) the code hash of the sender is the canonical jetton-wallet code, and (b) the wallet's data points to the expected jetton master for X. Any contract that omits either check is susceptible to the impersonation pattern observed in this incident.
Stay up to date with TON documentation changes
The TAC sequencer software was audited by a top-tier independent auditor and shipped in March 2025. Subsequent updates to TON documentation elevated “verify sender jetton wallet code hash” to a baseline validation requirement. Validation practices have since been updated to incorporate a scheduled engineering process for tracking and integrating TON documentation changes against the existing codebase. This process replaces prior developer-initiated review practices.
Monitoring, Alerting and Per-minter rate limits and supply invariants are second-line defences, possibly more important than audits.
Even with correct verification, anomalous mint volumes, measured per minter, per source wallet, and per unit of time, should trigger SOC alerts and ideally automatic circuit breakers. The exploit minted approximately 302M BLUM in only five transactions; rate-based active monitoring would have surfaced this immediately and allowed a faster reaction.
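The second-line defence described above, as an added example that is not TAC's monitoring code: a sliding-window mint-volume monitor keyed per minter and per source jetton wallet, with a circuit breaker that refuses further mints for a minter once its window cap is breached. The window, caps and mint stream are constructed values, not TAC's production thresholds or the incident's real transactions.

```python
from collections import defaultdict, deque

class MintMonitor:
    """Sliding-window mint-volume monitor keyed per minter and per source jetton wallet.
    Window and caps are constructed example values, not TAC's production thresholds."""

    def __init__(self, window_s: int, caps: dict):
        self.window_s = window_s
        self.caps = caps                      # {"minter": cap, "wallet": cap}
        self.events = defaultdict(deque)      # (kind, key) -> deque of (ts, amount)
        self.tripped = set()                  # minters whose circuit breaker is open
        self.alerts = []                      # (ts, kind, key, volume_in_window)

    def _window_volume(self, key, now):
        q = self.events[key]
        while q and q[0][0] < now - self.window_s:   # drop events outside the window
            q.popleft()
        return sum(amount for _, amount in q)

    def record(self, ts: int, minter: str, source_wallet: str, amount: int) -> str:
        """Returns 'ok', 'tripped' (breaker opened on this mint) or 'rejected' (breaker already open)."""
        if minter in self.tripped:
            return "rejected"
        breached = False
        for kind, key in (("minter", minter), ("wallet", source_wallet)):
            self.events[(kind, key)].append((ts, amount))
            volume = self._window_volume((kind, key), ts)
            if volume > self.caps[kind]:
                self.alerts.append((ts, kind, key, volume))
                breached = True
        if breached:
            self.tripped.add(minter)          # halt further mints for this minter until reviewed
            return "tripped"
        return "ok"

def run_demo() -> list:
    """Constructed mint stream: routine BLUM deposits, then one oversized burst."""
    mon = MintMonitor(window_s=600, caps={"minter": 10_000_000, "wallet": 5_000_000})
    stream = [
        (0, "BLUM", "WALLET_A", 1_000_000),
        (60, "BLUM", "WALLET_B", 2_000_000),
        (120, "BLUM", "WALLET_X", 60_000_000),   # burst from a single source wallet
        (130, "BLUM", "WALLET_X", 60_000_000),   # breaker is already open
        (140, "USDT", "WALLET_Y", 100),          # other minters keep operating
    ]
    return [mon.record(*ev) for ev in stream]
```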
Next Steps
- Develop and test the patched inbound-validation path on the sequencer software (code-hash + minter check).
- Independent review of the fix by the core auditor.
- Peer review of the fix with TON experts partners.
- Distribution and deployment of the patched software to the entire existing sequencer set.
- Fully recover bridge liquidity by deploying the recovered funds and completing the imbalance using TAC Foundation’s treasury reserve.
- Detailed plan of the transactions (swaps, bridges) necessary to bring all recovered funds back to the TON blockchain and TON assets.
- Keep publishing follow-up updates on all the previous steps to ensure the highest level of transparent communication with the TON community, which TAC is part of.
Closing Remarks
Securing cross-chain frameworks is a continuous, collective challenge across DeFi. Multi-chain asset flows introduce technical vectors that require proactive security measures. TAC’s response, including monitoring, investigation, and user reimbursement, is aligned with industry standards.
We also emphasize the importance of cooperation with law enforcement, regulatory authorities, and infrastructure partners in addressing and mitigating such incidents, and we follow this approach in this case, including engagement with relevant authorities as appropriate.
We acknowledge the occurrence of the incident and have taken responsibility for its resolution and remediation efforts. The majority of the extracted funds was recovered through direct engagement during the incident response process. Any remaining shortfall will be covered by the TAC Foundation treasury, ensuring that neither affected users nor the protocol bears any financial impact from this incident.
The patched sequencer is currently under independent review by our core auditor and undergoing peer review with TON ecosystem experts prior to staged redeployment. In parallel, we are working to release per-minter rate limits, supply invariants, and automated circuit breakers as a second-line defense. We are also expanding the TAC security team and reframing the bug bounty program.
We would like to thank Seal911 and our independent auditor for their on-chain tracing and forensic support, as well as ecosystem partners who provided technical assistance during the incident response. We also acknowledge the cooperation of industry exchanges and infrastructure providers in monitoring and flagging suspicious flows, as well as the affected protocols and their communities for their patience throughout this process.
Follow-up updates on liquidity restoration and the patched rollout will be published through TAC’s official channels on a weekly cadence until full restoration is complete.
Appendix: Key Addresses
Appendix II: detailed incident onchain analysis and tracing
The detailed incident on-chain analysis and post-incident tracing is available as an appendix at this link. It includes links to block explorers for all the on-chain transactions that the TAC team was able to reconstruct internally and with the help of the Seal911 team.