TON-TAC Bridge Exploit Drains $2.86M; Team Recovers 90% of Funds

TON-TAC Bridge Exploit Drains $2.86M; Team Recovers 90% of Funds

By Sebastian Omoragbon | Coin Tabloid | 23 May 2026


On May 11, TAC's cross-chain bridge connecting the TON and TAC networks fell victim to a sophisticated exploit that resulted in approximately $2.86 million in losses. The incident was triggered by a critical vulnerability in the bridge's code-hash verification system, but the development team's swift response and coordinated recovery efforts have restored confidence, with 90% of stolen assets returned by May 14 and a commitment to fully compensate all affected users.

What Happened: The Attack

On May 11 at approximately 02:20 UTC, an attacker deployed a counterfeit Jetton wallet contract on the TON network that successfully mimicked legitimate wallet functionality. The vulnerability stemmed from a fundamental flaw in the sequencer software: it lacked proper code-hash verification, allowing the attacker to bypass critical validation checks that should have rejected the fraudulent contract.

By bypassing these controls, the attacker was able to trick the bridge into accepting counterfeit tokens as valid USDT. This led to two simultaneous problems: the bridge issued unbacked equivalent assets on the TAC side while simultaneously draining locked assets from the TON side. In total, the stolen funds included USDT, BLUM, and tsTON tokens.

The attacker moved with urgency, rapidly laundering the funds across multiple blockchain networks through LayerZero's cross-chain infrastructure. The proceeds were split across Ethereum, Bitcoin, ZCash, Binance Smart Chain, and Solana—a common obfuscation tactic that complicates recovery efforts.

Detection and Immediate Response

Security did not fail entirely. Hypernative's real-time monitoring system flagged the anomaly immediately, alerting the TAC team to the breach as soon as the mismatch between TON and TAC balances became apparent. Upon confirmation, TAC made the decisive call to pause the entire sequencer connecting TAC to TON, halting all cross-chain bridge operations.

The team then initiated a coordinated response involving law enforcement, their security auditor (Seal911), and TON experts. However, the attacker's use of cross-chain bridges allowed them to move proceeds off TON and TAC faster than recovery teams could intervene.

Recovery: The Silver Lining

Despite the initial setback, the outcome has been significantly better than many high-profile bridge exploits. Following a public appeal and coordinated negotiations with involved parties, approximately 80% of assets were recovered on May 14—just three days after the incident. By May 20, when TAC released its post-mortem analysis, approximately 90% of stolen funds had been returned to a multi-signature address controlled by TAC.

The final recovery rate stood at 80.2% of total affected funds ($2.29 million recovered out of $2.85 million lost). Critically, TAC announced that its foundation will cover the remaining 10% shortfall from its treasury, ensuring no financial loss for users—a rare commitment that has become the standard only for well-capitalized projects.

Root Cause: A Verification Failure

The technical root cause was straightforward: the bridge's sequencer software lacked validation for the code hash of sender wallets. In well-designed cross-chain systems, every piece of code interacting with the bridge should have its hash verified against a whitelist of legitimate contract addresses. The attacker's counterfeit Jetton wallet exploited the absence of this check.

According to TAC's post-mortem report, the attack vector demonstrates a persistent vulnerability in bridge infrastructure: the reliance on code-hash verification as a primary security gate can be defeated by attackers deploying look-alike contracts that pass superficial checks. This underscores a broader industry challenge: cross-chain bridges remain among the highest-value targets in DeFi, and verification systems must be layered and redundant.

Operational Impact and Path Forward

The bridge suspension disrupted several TAC ecosystem features, including wallet functionality, staking-related applications, and Telegram Mini Apps that leverage the cross-chain framework. However, the TAC EVM execution layer remained fully operational throughout—a testament to the isolation of the vulnerability.

The bridge will not resume operations until it completes an independent security audit. TAC has pledged to subject the patched sequencer to external reviews and peer audits before reactivation. This measured approach, while slowing resumption, reflects a commitment to preventing a recurrence.

Market Response

News of the exploit triggered a significant market reaction. At the time of reporting, TON was trading down 8% and TAC down 3.88% on the incident. However, the relatively swift recovery of funds and the team's transparent communication have helped contain broader market panic that often follows bridge exploits.

What Users Should Know: Verification and Security Steps

For users affected by the incident:

- Verification: Check TAC's official post-mortem report and updates on whether your assets were affected. If you used the TON-TAC bridge during the incident window (before the sequencer was halted), your assets should either have been recovered or will be covered by the foundation.

- Confirmation of compensation: Monitor official TAC communications and the multi-signature address where recovered funds were consolidated. TAC will provide updates on the timeline for distributing recovered and compensated assets.

Broader security recommendations related to cross-chain bridges:

- Use established bridges with recent audits: Before using any cross-chain bridge, verify that it has undergone independent security audits by reputable firms. Audit reports should be publicly available.

- Monitor bridge security developments: Join official communities and subscribe to security updates from projects that operate cross-chain infrastructure. Early warning systems exist (as Hypernative demonstrated), but user awareness of pause announcements is critical.

- Be wary of new or unaudited bridges: The increasing sophistication of bridge exploits means that newer or less-tested bridges carry elevated risk, regardless of their claims.

- Diversify exposure: If using cross-chain bridges is necessary for your strategy, avoid concentrating large amounts in a single bridge. Spread exposure across multiple established bridges with different architectures.

Official resources and statements:

- TAC's Post Mortem Report, which includes a detailed timeline, technical analysis, fund tracing information, and remediation steps.

- Real-time monitoring: Hypernative's detection of the incident in real-time demonstrates the value of security monitoring services; users operating bridges should stay informed of such tools.

Subscribe for more news. 

How do you rate this article?

4


Sebastian Omoragbon
Sebastian Omoragbon

In the span of this sentence, someone else ran out of time. Seize the moment.


Coin Tabloid
Coin Tabloid

Writing about news, developments and airdrops across the crypto ecosystem.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.