Security Risks Uncovered in TON Blockchain’s Tact Language by CertiK Audit

A CertiK audit reveals significant security risks in the Tact programming language of the TON Blockchain, highlighting vulnerabilities that could expose developers and users to various risks.

A recent audit by Web3 security firm CertiK has raised significant concerns regarding the security of the Tact programming language used in the TON Blockchain. While Tact was designed to enhance user-friendliness and security for smart contracts, the audit reveals vulnerabilities that could expose developers and users to various risks.

Key Takeaways

  • CertiK's audit highlights vulnerabilities in Tact, the programming language for TON Blockchain.
  • Common coding mistakes can lead to transaction failures and security gaps.
  • Strict address format inconsistencies may result in lost tokens.
  • Challenges in managing concurrent operations could create exploitable vulnerabilities.
  • Data serialization issues may lead to unpredictable program behavior.
  • Improper gas management can drain funds or cause transaction failures.

Overview of Tact and Its Purpose

Tact is a programming language specifically designed for the TON Blockchain, aiming to simplify the development of smart contracts while enhancing security. However, the recent audit by CertiK indicates that despite its intentions, Tact may introduce new risks that developers need to be aware of.

Vulnerabilities Identified in Tact

The audit conducted by CertiK identified several key vulnerabilities in Tact:

  1. Strict Address Format: Tact's address format does not align with existing standards like TEP-74, which can lead to failed transactions or lost tokens, akin to sending a letter to the wrong address.
  2. Concurrent Operations Management: Although TON avoids common vulnerabilities like reentrancy found in Ethereum, the unpredictable order of transactions can create timing-related vulnerabilities, similar to man-in-the-middle attacks.
  3. Data Serialization Issues: Developers must explicitly organize data within smart contracts. Failure to do so can lead to misinterpretations and erratic program behavior, much like assembling furniture without complete instructions.
  4. Handling of Numbers: Errors in Tact’s number handling can lead to glitches if developers are not careful.
  5. Gas Management: Improper estimation and control of gas usage can result in failed transactions or even drain funds from contracts.
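To make three of the audit's categories concrete (explicit serialization, bounded numbers, and gas/value control, with state updated before any outbound message is sent), here is a small vault contract written for this article as an added illustration. It is not code from CertiK, the TON project, or the Tact compiler; the contract and message names (Vault, Withdraw), the 0.05 TON fee floor and the coins bound are assumptions chosen for illustration, and the syntax follows the public Tact language reference.

```tact
// Added example, not from the CertiK audit or the Tact project.
// Names (Vault, Withdraw), the fee floor and the bound are assumptions.

// Serialization: give every field an explicit width so the on-chain
// layout is fixed, instead of defaulting to a 257-bit Int.
message Withdraw {
    amount: Int as coins;
}

contract Vault {
    owner: Address;
    deposited: Int as coins;   // explicit layout, not an implicit 257-bit Int

    init(owner: Address) {
        self.owner = owner;
        self.deposited = 0;
    }

    // Plain TON transfers are recorded as deposits.
    receive() {
        let incoming: Int = context().value;
        // Number handling: `coins` holds at most 2^120 - 1, so check the
        // bound before the addition rather than letting storage silently
        // fail to serialize later.
        require(self.deposited + incoming < pow(2, 120), "deposit overflow");
        self.deposited = self.deposited + incoming;
    }

    receive(msg: Withdraw) {
        require(sender() == self.owner, "not owner");
        require(msg.amount > 0 && msg.amount <= self.deposited, "bad amount");

        // Gas management: require the inbound message to carry enough value
        // to pay for the outbound send, so the contract's own balance is
        // not drained by repeated withdrawal calls (0.05 TON is assumed).
        require(context().value >= ton("0.05"), "insufficient gas");

        // Message ordering: update state before sending, so any message
        // that arrives afterwards already sees the reduced balance.
        self.deposited = self.deposited - msg.amount;

        send(SendParameters{
            to: self.owner,
            value: msg.amount,
            mode: SendIgnoreErrors,
            bounce: false,
            body: "withdrawal".asComment()
        });
    }
}
```

The defensive points are the `as coins` annotations (the page's "explicitly organize data"), the bound check on addition, the fee floor on incoming value, and reducing `deposited` before the `send`. None of this addresses the TEP-74 address-format mismatch the audit lists first; that depends on how the contract parses addresses from other standards' messages and is not shown here.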

Broader Security Challenges in the Crypto Ecosystem

The vulnerabilities in Tact are part of a larger trend of security challenges facing the cryptocurrency ecosystem. In 2024 alone, nearly $1.5 billion has been lost to crypto-related incidents, despite a 15% decrease in stolen funds compared to the previous year. Notable incidents include:

  • DEXX Incident: A private key leak affected at least 900 users, with losses ranging from minor amounts to over $1 million for one user.
  • Delta Prime Exploit: This DeFi protocol suffered a $4.8 million loss in November, following a $6 million hack earlier in the year.

Conclusion

The CertiK audit serves as a crucial reminder for developers working with the TON Blockchain and Tact programming language. Awareness of these vulnerabilities is essential to mitigate risks and enhance the security of smart contracts. As the crypto landscape continues to evolve, ongoing vigilance and proactive measures will be necessary to safeguard digital assets and maintain user trust.
