BitsLab's TonBit accepts an exclusive interview with TON Society HK｜Continuously safeguarding the TON ecosystem's security with innovation and professionalism.

The thriving development of the TON ecosystem is always built on a solid foundation of innovation, Decentralization, and community collaboration. In this digital fertile ground, TonBit under BitsLab, as the official certified security assurance provider (SAP) of TON, steadfastly upholds the mission of being the guardian of TON network security.

TonBit has currently completed security audits for over 30 key TON projects, successfully discovering and assisting in the repair of multiple vulnerabilities on TON. At the same time, through hosting a series of events such as the TON CTF cybersecurity competition and the TON Global Hackerhouse, it continues to inject security genes into the ecosystem and bring sustained momentum to TON project innovation.

As the TON ecosystem continues to expand into multiple fields and dimensions, TonBit is leveraging its professional security technology capabilities to build a more robust security defense for the entire ecosystem. In this exclusive interview, we will take you deeper into TonBit's technological achievements and future plans.

Q1: Can you introduce TonBit and its role in the TON ecosystem?

TonBit: TonBit is the core sub-brand under BitsLab, serving as a trusted Security Assurance Provider (SAP) and early builder in the TON ecosystem. We are committed to enhancing the security of the TON infrastructure by providing comprehensive security audits, vulnerability detection, and proactive penetration testing. As an SAP officially recognized by the TON Foundation, we focus on auditing smart contracts written in Tact and FunC, ensuring that projects built on TON possess technical robustness and long-term resilience.

Q2: What services does TonBit provide for the TON ecosystem projects?

TonBit: We mainly provide two core services:

Smart Contract Audit: In-depth code review of Tact/FunC contracts

Penetration Testing: Providing proactive security assessments for Web3 projects with significant impact.

So far, we have completed security audits for over 30 TON projects, including key projects such as Tonstakers, Torch Finance, Fiva Protocol, Duckchain, Catizen, etc.

In addition, we have achieved significant results in the vulnerability mining field, having discovered and assisted in the repair of three vulnerabilities on TON, including one critical vulnerability, one medium-risk vulnerability, and one TON RUNVM vulnerability.

Q3: TonBit once hosted the TON CTF competition, what was the original intention of this event?

The TonBit: TON CTF contest aims to foster a safety-first culture in the TON ecosystem. Designed to engage and challenge security experts and developers. Contestants will be challenged using the FunC and Tact languages. We believe that the TON CTF is a valuable and interesting way for TON developers to upskill and explore the security space, driving innovation, skill development, and a deeper understanding of the FunC and Tact languages in the TON ecosystem. The event attracted more than 300 teams from more than 20 global universities and security agencies, which greatly enhanced participants' safety awareness in the TON ecosystem. This is not only a competition, but also an incubation platform for TON's future security guardians.

Q4: How does the TON Global Hackerhouse event promote ecosystem development?

TonBit: In 2025, we will jointly hold the TON Global Hackerhouse with TON official, TONX, TON Society, and TON Core, gathering global developers to build the TON ecosystem together. The event not only attracted top projects and gained millions of exposure but also promoted innovative breakthroughs in the field of Decentralization finance, fully demonstrating the practical application potential of TON as a scalable blockchain.

As the designated security guardian of the TON ecosystem, TonBit always maintains a highly vigilant stance against various potential threats. In this in-depth interview, the TonBit security team provides us with a detailed analysis of three vulnerability discoveries—from the "critical" risks that could paralyze the network to the "medium" vulnerabilities that affect system performance, as well as complex attack vectors at the virtual machine level. Each case highlights TonBit's outstanding technical strength and the security philosophy of "prevention is better than cure."

Q5: TonBit discovered a critical vulnerability in the TON virtual machine in 2024. Could you explain its impact?

TonBit: In November 2024, the official TON team officially thanked the security team TonBit under BitsLab for their work in discovering critical vulnerabilities in the TON virtual machine in its latest version update notes. If this vulnerability were to be maliciously exploited, it could lead to resource exhaustion of the virtual machine, system crashes, and consequently affect the stability of the entire TON network.

The root cause of this vulnerability lies in the risky design of nested operations in the TON virtual machine when handling contract continuations. Malicious contracts can create deeply nested continuation structures, triggering a recursive evaluation process that exhausts the host stack space of the virtual machine. This resource exhaustion attack can lead to abnormal crashes of the TON virtual machine; in simple terms, it means that without using a single TON, it can cause all Validators to go down, directly impacting the system's availability.

The TonBit team, after in-depth analysis and collaboration with Ton Core, proposed an innovative solution that can adjust the internal jump mechanism of the virtual machine, replacing recursive calls with an iterative approach, effectively preventing such attacks. This solution has been implemented in the latest version of TON, providing TON users with a safer and more stable operating experience.

Q6: How does TonBit address another vulnerability of TON light nodes?

TonBit: Similarly, in November 2024, we discovered a "Continuation parameter abuse vulnerability" in TON lightweight nodes. The core of this vulnerability is that attackers can exploit deeply nested Continuations parameters to consume the node's computing resources. In short, this is a seemingly "legitimate" request, yet it may keep the node "busy without stopping." Imagine a car that appears normal but consumes more fuel due to some hidden small issue. This is precisely the problem posed by this vulnerability – it quietly devours computing resources, affecting the overall throughput of the network.

Ultimately, we optimized the parameter processing logic to assist the TON team in enhancing the performance of light nodes, maintaining the network's smoothness and resistance to attacks.

Q7: What impact does the TON RUNVM vulnerability discovered in 2025 have?

TonBit: RUNVM instruction non-atomic state migration vulnerability. Attackers can take advantage of the moment when the sub-virtual machine exhausts gas to pollute the libraries of the parent virtual machine, causing subsequent calls to fail, ultimately leading to abnormal behavior in contracts that depend on the integrity of the libraries.

We promptly submitted the technical details and mitigation plans to the TON Foundation and assisted them in completing the repairs; we also advised all developers to update their dependencies in a timely manner after the official patch is released; at the same time, we suggested incorporating more rigorous library integrity verification and gas management logic into self-developed contracts to prevent similar issues from being maliciously exploited.

Q8: What unique advantages does TonBit have compared to other blockchain security companies?

TonBit: Our core competitiveness is reflected in three dimensions:

TON's exclusive technical expertise: not only proficient in Tact and FunC languages, but also possesses professional penetration testing and vulnerability discovery capabilities.

Deep Integration of Ecology: As the official SAP, we deeply protect the security of the TON ecosystem and have audited over 30 important projects in the TON ecosystem.

Community co-building capabilities: Enhance ecological community interaction and raise community security awareness through activities such as CTF competitions and TON Global Hackerhouse, as well as strengthen community development.

We go beyond code auditing—we are more committed to building an unbreakable ecosystem.

Q9: What are the key plans for TonBit in 2025-2026?

TonBit: We will focus on promoting three strategic directions:

Continuously safeguarding the TON ecosystem security: Continuously providing reliable security audits for projects within the TON ecosystem, developing Tact/FunC smart contract automation scanning tools, continuously strengthening penetration testing and vulnerability mining efforts, and building a security protection system for the entire ecosystem.

Industry-Academia-Research Collaboration: Establish joint laboratories with top academic institutions to carry out special research on TON ecosystem security.

Developer Empowerment Program: Continuously enhance developers' security awareness through security training courses and practical exercises - because a secure TON ecosystem starts with education as the foundation.

Conclusion: As the Primary Security Assurance Provider of the TON ecosystem, TonBit always adheres to the principle of "security first", driving the construction of a blockchain security ecosystem based on trust and powered by innovation through cutting-edge technology research and community co-construction. They will continue to deepen core security services such as smart contract auditing, vulnerability discovery, and penetration testing, while empowering ecological construction through developer education programs. Welcome to visit TonBit's official GitHub or follow the X (formerly Twitter) account for the latest security updates and technological achievements.