
BitsLab's TonBit uncovers critical vulnerability in TON Virtual Machine again, receiving official recognition from TON

TonBit, as the core sub-brand of BitsLab, is a security specialist and early builder within the TON ecosystem.
Author: TonBit
Introduction:
TonBit, a subsidiary of BitsLab, has once again discovered a critical vulnerability in the TON Virtual Machine (TVM) and received official recognition from the TON Foundation: the INMSGPARAM instruction fails to perform null pointer validation when processing message parameters, potentially causing the TON Virtual Machine to crash.
Official TON patch and acknowledgment of TonBit:
https://github.com/ton-blockchain/ton/releases/tag/v2025.06

Recently, TonBit identified a severe security flaw in the latest TVM source code (master branch / TON v2025.04)—the INMSGPARAM instruction does not validate for null pointers when handling message parameters, which could lead to a crash of the TON Virtual Machine. This vulnerability is deeply embedded within the TVM's internal call chain. Attackers can exploit it by crafting special message parameters that trigger a null pointer dereference during VM execution, resulting in execution interruption and severely affecting the availability and stability of smart contract operations. The technical details below are preserved for developers' in-depth analysis and prevention.

We discovered this vulnerability before the rollout of TVM11 and immediately reported it to Ton Core, thereby preventing any on-chain assets from being exposed to risk. Ton Core carefully analyzed our report, fixed the issue prior to the official release, and awarded us a bounty along with public recognition. We sincerely appreciate Ton Core’s professionalism and commitment to responsible coordination.
Affected code (located in crypto/vm/tonops.cpp):

Root Cause:
The line:
Ref<Tuple> t = get_param(st, inmsgparams_idx).as_tuple();
does not check whether the variable t is a nullptr. If slot 0 of register c7 is configured with a tuple whose 17th element is not of type Tuple, the as_tuple() method will return a null pointer. When this null pointer t is passed into tuple_index, it triggers a null pointer dereference, crashing the virtual machine. This critical error can be stably reproduced under Global Version 11.
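As an added illustration (not TON's code, and not the PoC the write-up refers to), the following simplified C++ model shows the defect class and the check that closes it: a stack entry whose as_tuple() yields a null reference when the element is not a tuple, an unchecked indexing routine that would dereference that null, and a hardened accessor that raises a type-check error instead. The names MiniEntry, MiniTuple, TupleRef, VmTypeError, tuple_index_checked and kInMsgParamsIdx are assumptions for this model, not TVM identifiers.

```cpp
// Simplified model of the INMSGPARAM null-dereference class described above.
// All types and names here are hypothetical stand-ins, not TON's own code.
#include <iostream>
#include <memory>
#include <stdexcept>
#include <variant>
#include <vector>

struct MiniTuple;
using TupleRef = std::shared_ptr<MiniTuple>;   // stands in for Ref<Tuple>

// A stack entry is either an integer or a (possibly null) tuple reference.
struct MiniEntry {
    std::variant<long long, TupleRef> value;
    // Mirrors the behaviour the write-up describes: a non-tuple entry yields a null reference.
    TupleRef as_tuple() const {
        if (auto p = std::get_if<TupleRef>(&value)) return *p;
        return nullptr;
    }
    long long as_int() const { return std::get<long long>(value); }
};

struct MiniTuple {
    std::vector<MiniEntry> items;
};

struct VmTypeError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Constructed index of the in-message-parameters tuple inside c7[0] for this model.
constexpr size_t kInMsgParamsIdx = 17;

// Unchecked indexing, shown for contrast only: with a null ref this dereferences
// null, which is the crash class in the write-up. Never called below.
const MiniEntry& tuple_index_unchecked(const TupleRef& t, size_t idx) {
    return t->items.at(idx);
}

// Hardened accessor: a null tuple reference becomes a type-check error, not a dereference.
const MiniEntry& tuple_index_checked(const TupleRef& t, size_t idx) {
    if (!t) throw VmTypeError("expected Tuple, got non-tuple entry");
    if (idx >= t->items.size()) throw VmTypeError("tuple index out of range");
    return t->items[idx];
}

// c7 slot 0 is a tuple; element kInMsgParamsIdx is expected to hold the in-message params tuple.
long long get_in_msg_param(const TupleRef& c7_slot0, size_t param_idx) {
    TupleRef t = tuple_index_checked(c7_slot0, kInMsgParamsIdx).as_tuple();
    return tuple_index_checked(t, param_idx).as_int();   // rejects a null t instead of crashing
}

// Constructed fixture: a well-formed c7 slot 0, or one whose params element is an integer.
TupleRef make_c7(bool valid_params) {
    auto c7 = std::make_shared<MiniTuple>();
    c7->items.resize(kInMsgParamsIdx + 1, MiniEntry{0LL});
    if (valid_params) {
        auto params = std::make_shared<MiniTuple>();
        params->items = { MiniEntry{111LL}, MiniEntry{222LL}, MiniEntry{333LL} };
        c7->items[kInMsgParamsIdx] = MiniEntry{params};
    } else {
        c7->items[kInMsgParamsIdx] = MiniEntry{42LL};   // integer where a tuple is expected
    }
    return c7;
}

// True when the hardened path rejects the malformed c7 with VmTypeError.
bool hardened_rejects_non_tuple() {
    try {
        get_in_msg_param(make_c7(false), 1);
    } catch (const VmTypeError& e) {
        std::cout << "rejected: " << e.what() << "\n";
        return true;
    }
    return false;
}

int main() {
    std::cout << "valid param[1] = " << get_in_msg_param(make_c7(true), 1) << "\n";
    std::cout << "hardened rejects non-tuple: " << hardened_rejects_non_tuple() << "\n";
    return 0;
}
```

The point of the model is the single missing test: as_tuple() on a non-tuple element returns a null reference, and any indexing routine that receives it must fail with a VM-level type error rather than dereference it.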
POC Code:

To facilitate local testing (since global_version is typically controlled by chain configuration), we modified the VM initialization in the run_vm_code function to forcibly set global_version to 11:
Copy the PoC code into the file crypto/test/vm.cpp.
Modify run_vm_code as described above to set global_version to 11.
Compile and run the test-vm executable.
Crash:
The VM crashes due to null pointer dereference:

In summary, TonBit under BitsLab consistently adheres to the principle of "deep expertise in security, responsible disclosure," continuously uncovering and helping fix critical vulnerabilities in the core TON Virtual Machine codebase. From the non-atomic migration issue in the RUNVM instruction to the current null pointer dereference in INMSGPARAM, TonBit has leveraged its technical expertise and rapid response capability to promptly report findings to Ton Core and assist in remediation. These efforts have not only effectively safeguarded on-chain assets but also enhanced the stability and reliability of TVM. Moving forward, TonBit will continue to collaborate closely with Ton Core and the community to build a stronger Web3 security foundation.
About TonBit
TonBit, a core brand under BitsLab, is a security expert and early contributor within the TON ecosystem. As a primary security provider for the TON blockchain, TonBit specializes in comprehensive security audits, including those for Tact and FunC languages, ensuring integrity and resilience for TON-based projects. To date, TonBit has successfully audited multiple high-profile projects such as Catizen, Algebra, and UTonic, identifying several critical vulnerabilities and demonstrating its exceptional capabilities in blockchain security. Additionally, TonBit organized the TON CTF competition, attracting widespread participation and attention, further solidifying its position as a leading security authority in the TON ecosystem. Going forward, TonBit remains committed to advancing blockchain security and supporting the continuous development of technology and the broader ecosystem.