TAC Cross-Chain Layer

Method: TON-side bridge vulnerability in native Jetton bridging path. Root cause: TAC's cross-chain layer (bridging assets between TON and Ethereum) was drained for ~$2.8M on the TON side. The vulnerability was isolated to native TON Jettons bridged from the TON network; the TAC token itself, native TON, and all bridged ERC-20 tokens were unaffected, per TAC's own disclosure. Specific vector at the Jetton-bridging code path has not been publicly detailed beyond this scoping. After the team offered a 10% bounty for return of funds, the attacker complied and returned 90% (~$2.52M); TAC re-classified the event as a white-hat incident and coordinated with security partners + law enforcement to pause litigation. Narrative: TAC, a cross-chain layer connecting TON and Ethereum, was drained for ~$2.8M on 2026-05-13 via a vulnerability in its TON-side Jetton bridging path. Assets affected: USDT, BLUM, tsTON. After TAC offered a 10% white-hat bounty, the attacker returned ~$2.52M (90%); the event was reclassified white-hat and litigation paused. The TAC token, native TON, and all ERC-20s bridged the other way were unaffected. Notes: White-hat resolution: attacker returned 90% ($2.52M); kept 10% ($280K) as bounty. Tokens drained: USDT, BLUM, tsTON. Litigation paused per TAC + law-enforcement coordination.