TON Blockchain’s Tact Language Has Security Risks – CertiK Audit
A new audit by CertiK reveals potential security risks in Tact, the programming language used for smart contracts on the TON blockchain.
A new security report has raised concerns about The Open Network (TON), a blockchain platform known for its user-friendly approach to smart contracts.
The report, published by Web3 security firm CertiK, highlights potential vulnerabilities in Tact, the high-level programming language designed specifically for TON. While Tact aims to simplify development and enhance security, the audit finds that certain coding practices can inadvertently expose smart contracts to risk.
Tact’s Hidden Security Traps
CertiK compares Tact with FunC, the older, lower-level TON contract language that Tact compiles down to, and catalogues the mistakes developers most often make when moving to the newer language.
These errors can lead to failed transactions, loss of funds, and exploitable security gaps.
One of the key concerns highlighted in the report is Tact's strict address format. Where that format diverges from existing standards such as TEP-74 (the TON jetton standard), the result can be failed transactions or lost tokens, much like a letter sent to the wrong address.
CertiK also flagged challenges in managing concurrent operations. TON's asynchronous message model rules out the reentrancy bugs common on Ethereum, but it does not guarantee the order in which messages are delivered and processed. An attacker can interleave messages to exploit those timing differences, producing race-condition vulnerabilities.
TON’s asynchronous and parallel processing of smart contracts makes it hard to track action order. Source: CertiK
Another area of concern is data serialization. CertiK noted that developers must explicitly define how contract data and messages are laid out in cells. Leaving the layout implicit, or mismatching it between contracts, can result in misinterpreted data and unpredictable program behavior, comparable to assembling furniture with incomplete instructions.
The report also highlighted potential errors in Tact's handling of numbers, which can cause arithmetic and range failures if developers are not vigilant.
CertiK also emphasized the importance of managing "gas", the fee required to execute blockchain transactions. Improperly estimating and controlling gas usage can cause a transaction to fail partway through, or allow a contract's own balance to be drained paying for processing.
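As an added illustration of the serialization, numeric-range and gas points above, here is a small Tact contract written for this article; it is not code from the CertiK report or the TON project. The 8-bit storage width, the `increment` text message and the 0.01 TON threshold are assumptions chosen to make the failure mode visible.

```tact
// Editor's example (not from CertiK or TON): a counter whose on-chain field
// is stored as an 8-bit unsigned integer.
// Tact integers are 257-bit signed during computation, so `self.count += 1`
// itself never overflows. The failure happens when the contract state is
// re-serialized at the end of the transaction and the value no longer fits
// in 8 bits: TVM throws exit code 5 ("integer out of expected range"),
// the transaction aborts, and the gas spent so far is not refunded.

contract Counter {
    // `as uint8` fixes the storage width to 8 bits: valid values are 0..255.
    // Widening to `as uint32` is the simple fix; the range check below is
    // the defensive one when the width is dictated by a message format.
    count: Int as uint8;

    // Assumed minimum value attached to an incoming message so that the
    // transaction can pay for its own compute; the figure is illustrative.
    const MIN_VALUE: Int = ton("0.01");

    init() {
        self.count = 0;
    }

    receive("increment") {
        // Gas check: refuse messages that carry too little value, instead
        // of letting the contract balance pay for processing and run dry.
        require(context().value >= self.MIN_VALUE, "insufficient value for gas");

        // Range check before mutating state: without it the 256th call
        // throws during state serialization, after gas has been spent.
        require(self.count < 255, "counter exhausted");
        self.count += 1;
    }

    get fun count(): Int {
        return self.count;
    }
}
```

Both `require` calls fail the transaction early with a readable reason and before any state is changed; the point is that the width annotation, not the arithmetic, is what decides whether a value is representable on chain.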
Crypto Hacks in 2024: $1.5 Billion Lost
Beyond the vulnerabilities in Tact, the broader crypto ecosystem continues to grapple with major security challenges.
According to a report by Immunefi, nearly $1.5 billion was stolen in crypto-related incidents in 2024, a figure 15% lower than the previous year.
November alone saw over $71 million in digital assets vanish, bringing the year-to-date total to over $1.48 billion across 209 incidents.
One notable incident in November involved meme coin trading terminal DEXX, which suffered a private key leak. The exploit affected at least 900 users, with the majority losing less than $10,000, while one user suffered a loss exceeding $1 million.
In the same month, Delta Prime, a DeFi protocol operating on Avalanche and Arbitrum, experienced its second major exploit of the year. This incident resulted in a $4.8 million loss, following a $6 million hack in September.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.