TAC releases security incident post-mortem: $2.86 million loss, 90% already recovered; the remaining amount will be topped up by the foundation


TAC security post-incident analysis

On May 21, TAC released an official post-incident analysis report regarding the May 11 TON-TAC asset bridge security incident. The root cause of the vulnerability was that the sorter software lacked key validation. The total loss was approximately $2.85M (involving USDT, BLUM, and tsTON). About 90% of the stolen assets have been returned to the multi-signature addresses controlled by TAC, and the TAC Foundation will cover the remaining $288k.

Incident Root Cause and Attack Technical Details

According to TAC’s official post-incident analysis, the core vulnerability was that the sorter software did not verify whether the code hash value of the sender Jetton wallet in the incoming bridge message matched the standard Jetton wallet code. This means that any TON contract capable of producing a properly formatted bridge message—regardless of its actual code or minter—would be treated as a valid Jetton wallet.
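The missing check can be shown with a small model of the sorter's sender validation. This is an added example, not TAC's code: the message fields, addresses, `TRUSTED` table and SHA-256 over raw bytes (TON hashes the code cell) are all assumptions made for illustration, and the minter comparison is an extra check beyond the code-hash validation the post-mortem names.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def code_hash(code: bytes) -> str:
    # Simplification: TON hashes the code cell's representation, not raw bytes.
    return hashlib.sha256(code).hexdigest()

@dataclass(frozen=True)
class Account:            # constructed model of a contract's on-chain state
    code: bytes
    minter: str           # minter address stored in the wallet's data

@dataclass(frozen=True)
class BridgeMsg:          # hypothetical, reduced bridge message
    sender: str           # contract that notified the proxy
    jetton: str           # asset the message claims to carry
    amount: int

STANDARD_WALLET_CODE = b"standard-jetton-wallet-code"      # constructed placeholder
TRUSTED = {"USDT": {"minter": "EQ_usdt_minter",
                    "wallet_code_hash": code_hash(STANDARD_WALLET_CODE)}}
CHAIN = {  # constructed sample state
    "EQ_real_wallet": Account(STANDARD_WALLET_CODE, "EQ_usdt_minter"),
    "EQ_forged_wallet": Account(b"lookalike-wallet-code", "EQ_unknown_minter"),
    "EQ_foreign_wallet": Account(STANDARD_WALLET_CODE, "EQ_unknown_minter"),
}

def accept_format_only(msg: BridgeMsg) -> bool:
    """Flawed behaviour from the post-mortem: a well-formed message is enough."""
    return msg.jetton in TRUSTED and msg.amount > 0

def reject_reason(msg: BridgeMsg, chain: dict) -> Optional[str]:
    """Hardened check: return why the message is rejected, or None to accept."""
    asset, acct = TRUSTED.get(msg.jetton), chain.get(msg.sender)
    if asset is None or acct is None or msg.amount <= 0:
        return "unknown asset, unknown sender or bad amount"
    if code_hash(acct.code) != asset["wallet_code_hash"]:
        return "sender code hash mismatch"
    if acct.minter != asset["minter"]:
        return "wallet not issued by trusted minter"
    return None

if __name__ == "__main__":
    for sender in CHAIN:
        m = BridgeMsg(sender, "USDT", 1_000_000)
        print(sender, accept_format_only(m), reject_reason(m, CHAIN))
```

The third sample account shows why a code-hash match alone is not sufficient in this model: standard wallet code attached to an untrusted minter still has to be rejected.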

The attack occurred around 02:20 UTC on May 11, 2026. The attacker deployed a forged Jetton wallet on TON (mimicking the appearance of a USDT wallet but without needing real liquidity support) and sent a bridge message to the TAC Proxy contract; the sorter accepted the forged tokens and minted equivalent assets on TAC. The attacker then bridged these minted assets back to TON, releasing the assets that were truly locked on the TON bridge. The funds were subsequently transferred across multiple chains, including Ethereum, Bitcoin, ZCash, BSC, and Solana, through infrastructure such as LayerZero and THORChain, and further routed through privacy protocols to obfuscate their movement. After Hypernative’s real-time security monitoring detected that the TON balance did not match the TAC balance, the TAC team immediately paused the sorter and contacted law enforcement, SEAL911, and security auditors.

Confirmed Data on Asset Recovery

According to TAC’s official report, the protocol’s total loss was approximately $288k (as of 22:00 UTC on May 12, 2026). Of this, USDT was approximately $2.85M, BLUM approximately $403k, and tsTON approximately $18k.

On May 14, about 90% of the stolen assets were returned to the multi-signature addresses controlled by TAC. The actual amount recovered was $2.2907 million, with an effective recovery rate of approximately 80.2% (the difference reflects market volatility, fees, and slippage losses during cross-chain asset transfers). The remaining approximately $288k could not be recovered, including 13 ETH sent to Tornado Cash, some ZEC, and SOL that had been transferred via the Umbra privacy protocol.

Recovery Roadmap and Confirmed Next Steps

According to TAC’s official statement, restoring the cross-chain bridge requires two preconditions to be met: (1) the fixed sorter software passes independent review by the core auditors and experts from the TON ecosystem; and (2) the funding gap is filled using the recovered assets and the TAC Foundation’s token reserves, fully restoring transitional liquidity.

TAC confirmed that the remaining funding gap will be covered by the foundation treasury, and users and the protocol will not suffer any financial losses. After recovery, users need to take no action. Due to the need to coordinate with multiple parties, TAC said it is currently unable to provide an exact recovery timeline; subsequent updates will be published weekly through TAC’s official X account and Telegram channel. TAC also warned that any unsolicited “recovery” or “support” DMs are scams.

FAQ

What is the root cause of the TAC cross-chain bridge attack?

According to TAC’s official post-incident analysis, the root cause was that the sorter software lacked validation of the code hash of the sender Jetton wallet in incoming bridge messages, allowing an attacker to deploy a forged Jetton wallet and trigger token minting on TAC without needing real liquidity support, thereby extracting the assets that were truly locked on the TON bridge.

Will users suffer financial losses due to this incident?

According to TAC’s official statement, the remaining approximately 10% funding gap will be filled by the TAC Foundation treasury to ensure that users and the protocol do not suffer any financial losses. After recovery, users need to take no action.

When will the cross-chain bridge resume operation?

According to TAC’s official explanation, recovery requires completing two steps: the independent audit of the fixed sorter software and filling the funding gap. Due to external dependencies, TAC currently cannot provide an exact timeline; future progress updates will be shared weekly through official channels.
