
BitsLab’s TonBit Again Reports Vulnerability in TON VM: RUNVM Instruction May Contaminate Smart Contract
Silicon Valley, USA, May 21st, 2025
TonBit, a subsidiary of BitsLab and TON Blockchain’s primary security assurance provider, has once again demonstrated its commitment to safeguarding the TON ecosystem by identifying and responsibly disclosing a vulnerability within the TON Virtual Machine (TVM). This discovery, which received official acknowledgment from the TON Foundation, underscores BitsLab and TonBit’s unparalleled blockchain security expertise and proactive role in fortifying decentralized networks.
The vulnerability TonBit discovered is a non‑atomic state transition in the RUNVM instruction. An attacker can exploit the moment when a sub‑VM exhausts its gas to corrupt the parent VM’s libraries and induce subsequent call failures, ultimately causing contracts that depend on library integrity to behave abnormally.
In the link below, TonBit retains the original technical details to present the full discovery and verification process for developers, helping the community gain an in‑depth understanding of the issue and bolster awareness of similar risks.
Technical details of this vulnerability: https://www.linkedin.com/pulse/tonbit-once-again-discovers-vulnerability-ton-virtual-machine-jt0oc/
This discovery once again highlights the deep expertise of TonBit, a subsidiary of BitsLab, in security research within the TON ecosystem. TonBit immediately submitted the technical details and a mitigation plan to the TON Foundation and assisted in completing the remediation. The vulnerability is now fully patched.
TonBit and BitsLab recommend that all developers promptly update their dependency libraries once the official patch is released, and that they incorporate more rigorous library‑integrity checks and gas‑management logic into custom contracts to prevent similar issues from being maliciously exploited. BitsLab and TonBit will continue to uphold the principle of “responsible disclosure” and, together with the community, fortify the Web3 security perimeter.
This discovery reinforces TonBit and BitsLab’s “security-first” ethos within Web3. By adhering to rigorous disclosure protocols and working transparently with ecosystem stakeholders, TonBit and BitsLab continue to set industry standards for ethical blockchain research and Web3 ecosystem security.
About TonBit
TonBit, a core sub-brand of BitsLab, is a trusted security expert and early builder within the TON ecosystem. As the Primary Security Assurance Provider (SAP) for the TON blockchain, TonBit specializes in comprehensive security audits, including Tact and FunC language audits, ensuring the integrity and resilience of projects built on TON. Officially endorsed by TON, TonBit has successfully audited numerous high-profile projects such as Catizen, Algebra, UTonic, Ton Batch Sender, TonUp, PixelSwap, Tradoor, Miniton, Thunder Finance, and nearly 20 other projects on TON, demonstrating its expertise in securing TON-based solutions.
About BitsLab
BitsLab is an organization dedicated to Web3 ecosystem security, with a mission to become a respected security authority within the industry. The organization operates three sub-brands: MoveBit, ScaleBit, and TonBit, focusing on infrastructure development and security auditing across multiple blockchain ecosystems, including Sui, Aptos, TON, BNB Chain, Starknet, and Solana. BitsLab specializes in auditing a wide range of programming languages, such as Circom, Halo2, Move, and Cairo.
As a leader in blockchain security, BitsLab has provided security auditing services to a wide range of projects, including Aptos, Tether, UniSat, and Nervos CKB. With over 400 security solutions delivered, the company has audited more than 400,000 lines of code and safeguarded $8 billion in assets for over 2 million users. BitsLab has identified critical vulnerabilities in several well-known projects and remains committed to advancing Web3 security while fostering the healthy growth of emerging ecosystems.