Skip to main content
Sign in
TAC Protocol Bridge5 decisions on this page

Audit log

Every state-changing event for TAC Protocol Bridge: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-05-28 03:28:14Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 422,638,384
    sig
    612ZM31LPC5Q…Sh52WYmRexplorer ↗
    hash
    GF2f7nRX3gJN…ZrWMXPA8sha256 → base58
    verifying row…full verify ↗
    canonical bytes (12285 B) ▸
    {"actor":"system:backfill","investigation_id":"4bd7b8fb-8444-4e3e-98d1-702adadd3e86","kind":"publish","page_slug":"tac-protocol-bridge","published_at":"2026-05-28T03:28:14.209Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"TAC Protocol Bridge","sections":[{"content":"On May 12, 2026, the TON-to-Ethereum bridge operated by TAC Protocol was drained of approximately $2.86 million, representing the protocol's entire TVL at the time. The affected assets were USDT, BLUM (a Telegram-native token), and tsTON (tokenized TON). The TAC token itself, native TON, and ERC-20 assets on the Ethereum side were reported as unaffected. TAC disclosed the vulnerability on approximately May 11, with the attack executing on May 12. By May 14, the incident was reclassified as a white-hat event after the attacker accepted a 10% bounty — reported as approximately 13 ETH plus 300 ZEC — and returned the remaining ~90% of funds to TAC's designated multisig wallet on Ethereum and a corresponding address on TON. TAC stated it would not pursue litigation against the attacker following the return of funds. The bridge was suspended pending an independent security audit conducted in collaboration with TON network partners.","heading":"Security Incident: Bridge Exploit (May 2026)","severity":"critical","sources":[{"credibility":2,"name":"TAC labels $2.8M bridge exploit a white hat incident as hacker claims 10% bounty","type":"news_article","url":"https://www.mexc.com/news/1093414"},{"credibility":2,"name":"TAC's $2.8M bridge hack reclassified as white-hat after attacker accepts 10% bounty","type":"news_article","url":"https://bingx.com/en/flash-news/post/tac-tonethereum-bridge-drained-for-m-on-may-as-hacker-accepts-percent-white-hat-bounty"},{"credibility":2,"name":"TAC Discloses TON-TAC Bridge Vulnerability, Recovers 90% of Stolen Assets","type":"news_article","url":"https://www.kucoin.com/news/flash/tac-discloses-ton-tac-bridge-vulnerability-recovers-90-of-stolen-assets"}]},{"content":"The root cause of the May 2026 exploit was a lack of input validation in the bridge's sequencer software. Specifically, the sequencer accepted a counterfeit Jetton wallet on the TON network that lacked proper code-hash and minter checks. This allowed the attacker to forge Jetton wallets and trick the bridge into processing illegitimate asset transfers. The vulnerability was isolated to native TON Jettons bridged from the TON side; Ethereum-side ERC-20 assets and the TAC native token were not at risk. The vulnerability class — missing validation in cross-chain sequencer or relayer software — is a recognized attack vector in the broader cross-chain bridge security literature. TAC stated the patched software would undergo independent audit before bridge operations resumed.","heading":"Technical Vulnerability","severity":"critical","sources":[{"credibility":2,"name":"TAC Discloses TON-TAC Bridge Vulnerability, Recovers 90% of Stolen Assets","type":"news_article","url":"https://www.kucoin.com/news/flash/tac-discloses-ton-tac-bridge-vulnerability-recovers-90-of-stolen-assets"},{"credibility":2,"name":"TAC Bridge Attack Costs $2.8M as Compensation Plan Emerges","type":"news_article","url":"https://coincu.com/tac-cross-chain-bridge-attack-2-8m-user-compensation/"}]},{"content":"TAC Protocol publicly committed to making affected users whole following the exploit. The stated recovery mechanism is a legally structured sale of TAC Foundation treasury token reserves, with proceeds directed to repaying bridge liquidity and compensating affected users. As of late May 2026, critical execution details — including timeline, token quantity to be sold, sale format, and the exact compensation percentage for affected users — had not been publicly disclosed. The success of the compensation plan is contingent on prevailing market conditions for the TAC token at the time of any sale and the size of Foundation reserves. Affected users were directed to monitor TAC's official channels for updates.","heading":"User Compensation and Recovery Plan","severity":"high","sources":[{"credibility":2,"name":"TAC labels $2.8M bridge exploit a white hat incident as hacker claims 10% bounty","type":"news_article","url":"https://www.mexc.com/news/1093414"},{"credibility":2,"name":"TAC Bridge Attack Costs $2.8M as Compensation Plan Emerges","type":"news_article","url":"https://coincu.com/tac-cross-chain-bridge-attack-2-8m-user-compensation/"}]},{"content":"Following the May 12, 2026 exploit disclosure, the TAC token declined by more than 21% over the subsequent week, with market capitalization falling from approximately $91 million before the disclosure to approximately $79 million by mid-May 2026. As of late May 2026, TAC was trading near $0.020–0.022 USD with a market capitalization of approximately $82–100 million depending on the data source. The token's all-time high was reported at approximately $0.028, placing the post-exploit price roughly 25–32% below the peak. The $2.8 million exploit represented TAC's total TVL at the time, indicating the protocol had relatively limited liquidity depth at the point of attack.","heading":"Market Impact","severity":"medium","sources":[{"credibility":2,"name":"TAC Protocol price today — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/tac-protocol/"},{"credibility":2,"name":"TAC's $2.8M bridge hack reclassified as white-hat after attacker accepts 10% bounty","type":"news_article","url":"https://bingx.com/en/flash-news/post/tac-tonethereum-bridge-drained-for-m-on-may-as-hacker-accepts-percent-white-hat-bounty"}]},{"content":"TAC Protocol is an EVM-compatible Layer-1 blockchain built on the Cosmos SDK, designed to connect Ethereum's DeFi ecosystem with the TON blockchain and Telegram's approximately one billion users. Co-founders include Pavel Altukhov and Marco Monaco. TAC is not an official Telegram or TON Foundation project; it operates independently within the TON ecosystem. The protocol raised $11.5 million in seed and strategic funding rounds led by Hack VC. TAC launched its public mainnet on or around July 15, 2025, with major DeFi protocols including Curve, Morpho, and Euler deployed at launch. Prior to launch, TAC ran an '$800 million Summoning Campaign' on Turtle Club to bootstrap liquidity. The bridge between TON and the TAC EVM chain is the central security-critical component of the architecture and was the vector exploited in the May 2026 incident.","heading":"Protocol Background and Architecture","severity":"low","sources":[{"credibility":2,"name":"TAC launches public mainnet to bring DeFi protocols like Curve and Morpho onto TON and Telegram","type":"news_article","url":"https://www.theblock.co/post/362681/tac-launches-public-mainnet-to-bring-defi-protocols-like-curve-and-morpho-onto-ton-and-telegram"},{"credibility":2,"name":"TAC mainnet launch aims to bridge Ethereum DeFi to TON — Blockworks","type":"news_article","url":"https://blockworks.co/news/tac-mainnet-launch-ethereum-ton"}]},{"content":"The TAC exploit occurred during a period of elevated cross-chain bridge attacks. PeckShield reported that bridge exploits collectively reached $328.6 million across eight major incidents in May 2026 alone. The TAC incident, at $2.86 million, was among the smaller events in this wave but was notable because it represented the entirety of the protocol's TVL. The incident underscores a recognized systemic risk in cross-chain bridge design: sequencer or relayer validation failures can be exploited to drain custodied assets without requiring a smart contract vulnerability on either connected chain.","heading":"Broader Context: Bridge Exploit Wave, May 2026","severity":"medium","sources":[{"credibility":2,"name":"Crypto Bridge Exploits Hit $328.6M in May as Peckshield Tracks 8 Major Incidents","type":"news_article","url":"https://news.bitcoin.com/crypto-bridge-exploits-328-million-may-2026-peckshield/"}]}],"sources_used":[{"credibility":2,"name":"TAC labels $2.8M bridge exploit a white hat incident as hacker claims 10% bounty","type":"news_article","url":"https://www.mexc.com/news/1093414"},{"credibility":2,"name":"TAC's $2.8M bridge hack reclassified as white-hat after attacker accepts 10% bounty","type":"news_article","url":"https://bingx.com/en/flash-news/post/tac-tonethereum-bridge-drained-for-m-on-may-as-hacker-accepts-percent-white-hat-bounty"},{"credibility":2,"name":"TAC Protocol Bridge Hack: $2.8M Drained on TON-ETH Link","type":"news_article","url":"https://memeburn.com/hackers-drain-2-8m-from-tac-protocol-bridge-tons-defi-gateway-under-fire/"},{"credibility":2,"name":"TAC Discloses TON-TAC Bridge Vulnerability, Recovers 90% of Stolen Assets","type":"news_article","url":"https://www.kucoin.com/news/flash/tac-discloses-ton-tac-bridge-vulnerability-recovers-90-of-stolen-assets"},{"credibility":2,"name":"TAC Bridge Attack Costs $2.8M as Compensation Plan Emerges","type":"news_article","url":"https://coincu.com/tac-cross-chain-bridge-attack-2-8m-user-compensation/"},{"credibility":2,"name":"Crypto Bridge Exploits Hit $328.6M in May as Peckshield Tracks 8 Major Incidents","type":"news_article","url":"https://news.bitcoin.com/crypto-bridge-exploits-328-million-may-2026-peckshield/"},{"credibility":2,"name":"TAC launches public mainnet to bring DeFi protocols like Curve and Morpho onto TON and Telegram","type":"news_article","url":"https://www.theblock.co/post/362681/tac-launches-public-mainnet-to-bring-defi-protocols-like-curve-and-morpho-onto-ton-and-telegram"},{"credibility":2,"name":"TAC mainnet launch aims to bridge Ethereum DeFi to TON — Blockworks","type":"news_article","url":"https://blockworks.co/news/tac-mainnet-launch-ethereum-ton"},{"credibility":2,"name":"TAC Protocol price today — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/tac-protocol/"}],"summary":"TAC Protocol is an EVM-compatible Layer-1 blockchain built on Cosmos SDK that bridges Ethereum DeFi applications to the TON blockchain and Telegram ecosystem. On May 12, 2026, its cross-chain bridge was exploited for approximately $2.86 million — the protocol's entire TVL at the time — due to missing validation in sequencer software that allowed attackers to forge Jetton wallets. The attacker subsequently accepted a 10% white-hat bounty, returning roughly 90% of stolen funds to TAC's multisig; the bridge remains paused pending an independent security audit as of late May 2026.","timeline":[{"date":"2025-06-18","event":"TAC raised $11.5 million in seed and strategic funding rounds led by Hack VC.","source":"Blockworks","source_url":"https://blockworks.co/news/tac-mainnet-launch-ethereum-ton"},{"date":"2025-07-15","event":"TAC Protocol launched its public mainnet with DeFi protocols including Curve, Morpho, and Euler deployed.","source":"The Block","source_url":"https://www.theblock.co/post/362681/tac-launches-public-mainnet-to-bring-defi-protocols-like-curve-and-morpho-onto-ton-and-telegram"},{"date":"2026-05-11","event":"TAC Protocol disclosed the existence of a security vulnerability in the TON-TAC bridge sequencer software.","source":"KuCoin News","source_url":"https://www.kucoin.com/news/flash/tac-discloses-ton-tac-bridge-vulnerability-recovers-90-of-stolen-assets"},{"date":"2026-05-12","event":"Attacker exploited missing Jetton wallet validation in the bridge sequencer, draining approximately $2.86 million in USDT, BLUM, and tsTON — TAC's entire TVL. TAC bridge paused.","source":"MEXC News","source_url":"https://www.mexc.com/news/1093414"},{"date":"2026-05-14","event":"TAC recovered approximately 90% of stolen funds to its multisig wallet after the attacker accepted a 10% white-hat bounty (reported as ~13 ETH + 300 ZEC). TAC reclassified the incident as white-hat and announced it would not pursue litigation.","source":"KuCoin News","source_url":"https://www.kucoin.com/news/flash/tac-discloses-ton-tac-bridge-vulnerability-recovers-90-of-stolen-assets"},{"date":"2026-05-14","event":"TAC announced a compensation plan based on a legally structured sale of Foundation TAC token treasury reserves to make affected users whole. Specific timeline and sale details were not disclosed.","source":"MEXC News","source_url":"https://www.mexc.com/news/1093414"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 4cd7d511-d7f8-4543-a403-771bb925f902
  2. #2reviewby reviewerreviewer
    2026-05-30 12:10:21Z
    Score: 3838 (no score change)
    The page's core factual claims — the May 12 exploit, $2.86M amount, affected assets, Jetton wallet vulnerability, 10% white-hat bounty, 90% fund recovery, and May 14 reclassification — are consistently supported by multiple independent sources. The primary disputed finding is the stated all-time high of ~$0.028, which contradicts CoinMarketCap's recorded ATH of $0.04254; the derived 25-32% post-exploit decline calculation is therefore also inaccurate. Several claims are partially supported because they rely on single-source attribution (e.g., the 13 ETH + 300 ZEC bounty breakdown), or carry editorial framing ('legally structured') that overstates the specificity of what TAC publicly disclosed. The page has significant coverage gaps around on-chain evidence, official TAC primary sources, and post-hack follow-up on the compensation and audit.
    anchoranchored
    chain
    mainnet-betaslot 423,153,670
    sig
    4jQfP5uXw7bC…otUdkzeCexplorer ↗
    hash
    8xyz7w33DLUU…oL1Cfhi4sha256 → base58
    verifying row…full verify ↗
    canonical bytes (1207 B) ▸
    {"actor":"reviewer","decided_at":"2026-05-30T12:10:21.649Z","decision":"review","investigation_id":"4bd7b8fb-8444-4e3e-98d1-702adadd3e86","new_score":38,"page_slug":"tac-protocol-bridge","prev_score":38,"reason":"The page's core factual claims — the May 12 exploit, $2.86M amount, affected assets, Jetton wallet vulnerability, 10% white-hat bounty, 90% fund recovery, and May 14 reclassification — are consistently supported by multiple independent sources. The primary disputed finding is the stated all-time high of ~$0.028, which contradicts CoinMarketCap's recorded ATH of $0.04254; the derived 25-32% post-exploit decline calculation is therefore also inaccurate. Several claims are partially supported because they rely on single-source attribution (e.g., the 13 ETH + 300 ZEC bounty breakdown), or carry editorial framing ('legally structured') that overstates the specificity of what TAC publicly disclosed. The page has significant coverage gaps around on-chain evidence, official TAC primary sources, and post-hack follow-up on the compensation and audit.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 8eed88b2-929e-4aa7-b258-2cca78d6f149
  3. #3review approveby judgejudge
    2026-05-30 12:10:21Z
    Score: 3835 (-3)
    The page's core factual claims — the May 12 exploit, $2.86M amount, affected assets, Jetton wallet validation vulnerability, 10% white-hat bounty, 90% fund recovery, and May 14 reclassification — are consistently confirmed across multiple independent sources. The single disputed finding (claim_findings[16]) involves the stated all-time high of ~$0.028, which is contradicted by CoinMarketCap's recorded ATH of $0.04254, rendering the derived 25-32% post-exploit decline calculation inaccurate. This is a peripheral market data claim, not a core allegation about the exploit itself. Seven claims are partially supported due to single-source attribution for specific details (e.g., the 13 ETH + 300 ZEC bounty breakdown in claim_findings[7]) and editorial framing not directly sourced from TAC's own disclosures. Disputed percentage of 7.7% places the page within the approval band; the small negative delta reflects the incorrect ATH figure that should be corrected in revision.
    anchoranchored
    chain
    mainnet-betaslot 423,153,675
    sig
    w9n7sNS9oVsK…JuZ1TQAsexplorer ↗
    hash
    ECqdMVr5B2q1…Yvdggu73sha256 → base58
    verifying row…full verify ↗
    canonical bytes (1340 B) ▸
    {"actor":"judge","decided_at":"2026-05-30T12:10:21.649Z","decision":"review_approve","investigation_id":"4bd7b8fb-8444-4e3e-98d1-702adadd3e86","new_score":35,"page_slug":"tac-protocol-bridge","prev_score":38,"reason":"The page's core factual claims — the May 12 exploit, $2.86M amount, affected assets, Jetton wallet validation vulnerability, 10% white-hat bounty, 90% fund recovery, and May 14 reclassification — are consistently confirmed across multiple independent sources. The single disputed finding (claim_findings[16]) involves the stated all-time high of ~$0.028, which is contradicted by CoinMarketCap's recorded ATH of $0.04254, rendering the derived 25-32% post-exploit decline calculation inaccurate. This is a peripheral market data claim, not a core allegation about the exploit itself. Seven claims are partially supported due to single-source attribution for specific details (e.g., the 13 ETH + 300 ZEC bounty breakdown in claim_findings[7]) and editorial framing not directly sourced from TAC's own disclosures. Disputed percentage of 7.7% places the page within the approval band; the small negative delta reflects the incorrect ATH figure that should be corrected in revision.","score_delta":-3,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 90c812ca-494b-48bf-ab68-6af9d9b8cae7
  4. #4reviewby reviewerreviewer
    2026-05-30 19:50:37Z
    Score: 3535 (no score change)
    The page's core factual narrative is well-supported: the May 12 exploit, $2.86M amount, affected assets (USDT/BLUM/tsTON), sequencer validation vulnerability, 10% white-hat bounty, 90% fund recovery, and bridge pause are all confirmed by multiple independent sources. The primary disputed finding is the all-time high price figure (~$0.028), which conflicts with CoinMarketCap's recorded ATH of $0.04254, making the derived 25-32% post-exploit drawdown calculation inaccurate under the most widely-used data source. Several claims are only partially supported due to single-source attribution (the 13 ETH + 300 ZEC bounty breakdown from MEXC alone) or editorial over-specification of technical details (code-hash/minter checks) that cited sources do not confirm. The PeckShield $328.6M figure is also mischaracterized as May-only losses rather than 2026 year-to-date cumulative losses. Two primary cited URLs (The Block, Blockworks) returned 403 and could not be directly verified. Critical coverage gaps include absence of on-chain evidence and reliance on exchange news aggregators rather than TAC's own primary-source disclosure.
    anchoranchored
    chain
    mainnet-betaslot 423,223,278
    sig
    5ZKBM7wD37HE…1CZ9Hrs9explorer ↗
    hash
    GneNGem39JN5…XKhM1uzssha256 → base58
    verifying row…full verify ↗
    canonical bytes (1487 B) ▸
    {"actor":"reviewer","decided_at":"2026-05-30T19:50:37.523Z","decision":"review","investigation_id":"4bd7b8fb-8444-4e3e-98d1-702adadd3e86","new_score":35,"page_slug":"tac-protocol-bridge","prev_score":35,"reason":"The page's core factual narrative is well-supported: the May 12 exploit, $2.86M amount, affected assets (USDT/BLUM/tsTON), sequencer validation vulnerability, 10% white-hat bounty, 90% fund recovery, and bridge pause are all confirmed by multiple independent sources. The primary disputed finding is the all-time high price figure (~$0.028), which conflicts with CoinMarketCap's recorded ATH of $0.04254, making the derived 25-32% post-exploit drawdown calculation inaccurate under the most widely-used data source. Several claims are only partially supported due to single-source attribution (the 13 ETH + 300 ZEC bounty breakdown from MEXC alone) or editorial over-specification of technical details (code-hash/minter checks) that cited sources do not confirm. The PeckShield $328.6M figure is also mischaracterized as May-only losses rather than 2026 year-to-date cumulative losses. Two primary cited URLs (The Block, Blockworks) returned 403 and could not be directly verified. Critical coverage gaps include absence of on-chain evidence and reliance on exchange news aggregators rather than TAC's own primary-source disclosure.","score_delta":0,"sequence_num":4,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 037906b6-249a-48ba-a8ac-d55d4c12d564
  5. #5review approveby judgejudge
    2026-05-30 19:50:37Z
    Score: 3535 (no score change)
    The core factual narrative of this page — the May 12 exploit, $2.86M loss representing full TVL, sequencer validation failure, 10% white-hat bounty, 90% fund recovery, and bridge pause — is confirmed by multiple independent sources across all critical sections. The single disputed claim (claim_findings[14]) concerns the TAC token all-time high figure (~$0.028 per the page vs. $0.04254 per CoinMarketCap), which is a market data discrepancy confined to the non-critical Market Impact section and carries no weight on the incident narrative. The unverifiable claim (claim_findings[13]) regarding the 21% weekly price decline is also limited to market data context. Eight partially supported claims involve minor editorial specificity or single-source attribution for secondary details and do not undermine the incident record. The disputed_pct of 7.1% falls within the 0–10% approval band. Two high-priority coverage gaps — absence of on-chain transaction evidence and reliance solely on exchange news aggregators rather than TAC primary sources — should be addressed in a future revision pass but do not require holding this page.
    anchoranchored
    chain
    mainnet-betaslot 423,223,281
    sig
    2SVwahhc7cAY…NvNo6PQwexplorer ↗
    hash
    3fdrteEiVuSG…zJdiC9pTsha256 → base58
    verifying row…full verify ↗
    canonical bytes (1492 B) ▸
    {"actor":"judge","decided_at":"2026-05-30T19:50:37.523Z","decision":"review_approve","investigation_id":"4bd7b8fb-8444-4e3e-98d1-702adadd3e86","new_score":35,"page_slug":"tac-protocol-bridge","prev_score":35,"reason":"The core factual narrative of this page — the May 12 exploit, $2.86M loss representing full TVL, sequencer validation failure, 10% white-hat bounty, 90% fund recovery, and bridge pause — is confirmed by multiple independent sources across all critical sections. The single disputed claim (claim_findings[14]) concerns the TAC token all-time high figure (~$0.028 per the page vs. $0.04254 per CoinMarketCap), which is a market data discrepancy confined to the non-critical Market Impact section and carries no weight on the incident narrative. The unverifiable claim (claim_findings[13]) regarding the 21% weekly price decline is also limited to market data context. Eight partially supported claims involve minor editorial specificity or single-source attribution for secondary details and do not undermine the incident record. The disputed_pct of 7.1% falls within the 0–10% approval band. Two high-priority coverage gaps — absence of on-chain transaction evidence and reliance solely on exchange news aggregators rather than TAC primary sources — should be addressed in a future revision pass but do not require holding this page.","score_delta":0,"sequence_num":5,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 3eb7e6cf-4c1b-4034-a958-b6f2ca4b8344
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.