TonBit

Jul 16, 2025

TonBit Discovers Critical Vulnerability on TON Virtual Machine for the Third Time, Once Again Receiving Official Recognition from the TON Team

TonBit, a subsidiary of BitsLab, has discovered a critical vulnerability in the TON Virtual Machine for the third time, and has again received official acknowledgment from the TON team. The issue lies in the INMSGPARAM instruction, which fails to null-check the in-message parameters tuple before indexing it, allowing the TON VM to be crashed.

Link to TON’s official patch and acknowledgment of TonBit:
https://github.com/ton-blockchain/ton/releases/tag/v2025.06

Figure 1

Details of the Issue

Recently, TonBit, a subsidiary of BitsLab, discovered a critical security vulnerability in the latest TVM source code (master branch / TON v2025.04). The issue lies in the INMSGPARAM instruction, which fails to perform a null-pointer check when handling message parameters and can therefore crash the TON Virtual Machine. Because the unchecked value is produced deep inside the TVM's internal call flow, an attacker can craft message parameters that trigger a null-pointer dereference during execution and halt the VM, which is a serious threat to the availability and stability of smart contract execution. The technical details below are retained so that developers can analyze and mitigate the issue.
We discovered this vulnerability before Global Version 11 went live and immediately reported it to the Ton Core team, so no on-chain assets were ever at risk. Ton Core analyzed our report, patched the issue before the official release, and awarded us a bounty along with formal thanks. We sincerely appreciate Ton Core's professionalism and integrity.

Affected Code (in crypto/vm/tonops.cpp):

Figure 2: affected code in crypto/vm/tonops.cpp

Root cause:

This line of code

Ref<Tuple> t = get_param(st, inmsgparams_idx).as_tuple();

never checks whether t is null. as_tuple() returns an empty (null) Ref<Tuple> whenever the stack entry is not a Tuple, so if register c7's slot 0 is configured as a tuple whose 17th element (the slot read via inmsgparams_idx) is not of Tuple type, t is null. That null pointer is then passed straight into tuple_index, which dereferences it and crashes the VM process instead of raising a VM type-check error. The crash is reliably reproducible in Global Version 11.
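As an added example (not TON's code), the C++ model below reproduces the shape of the root cause with stand-in types: a StackEntry whose as_tuple() returns a null TupleRef when the entry is not a tuple, a tuple_index() that dereferences its argument without checking, and the vulnerable INMSGPARAM read beside a hardened one that turns the malformed c7 into a catchable VM type-check error. Every name here (TupleRef, StackEntry, VmError, get_param, tuple_index, make_c7_slot0, inmsgparam_vulnerable, inmsgparam_hardened) is an assumption chosen to mirror the identifiers in the write-up, and the value 17 for inmsgparams_idx follows the text above; the real implementations live in TON's crypto/vm.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <variant>
#include <vector>

// Illustrative model only; not the TON source.
struct Tuple;
using TupleRef = std::shared_ptr<Tuple>;  // stand-in for TON's Ref<Tuple>

struct StackEntry {
  std::variant<long long, std::string, TupleRef> value;  // int, cell-ish, tuple

  // Mirrors TVM's StackEntry::as_tuple(): a null ref when the entry is not a tuple.
  TupleRef as_tuple() const {
    if (const auto* p = std::get_if<TupleRef>(&value)) return *p;
    return nullptr;
  }
};

struct Tuple {
  std::vector<StackEntry> items;
};

// Stand-in for the VM's type-check exception.
struct VmError : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Index of in_msg_params inside c7[0] (assumption: 17, as the write-up says).
constexpr std::size_t inmsgparams_idx = 17;

StackEntry int_entry(long long v) { StackEntry e; e.value = v; return e; }
StackEntry tuple_entry(TupleRef t) { StackEntry e; e.value = std::move(t); return e; }

// Stand-in for get_param(st, idx): reads element idx of the c7 slot-0 tuple.
const StackEntry& get_param(const Tuple& c7_slot0, std::size_t idx) {
  if (idx >= c7_slot0.items.size()) throw VmError("range check: c7[0] too short");
  return c7_slot0.items[idx];
}

// Stand-in for tuple_index(): dereferences t without a null check, which is
// exactly what turns a malformed c7 into a process crash.
StackEntry tuple_index(const TupleRef& t, std::size_t idx) {
  if (idx >= t->items.size()) throw VmError("range check: tuple index");  // t->items: null deref if t is null
  return t->items[idx];
}

// Vulnerable shape: the ref goes straight to tuple_index.
// Never call this with a non-tuple at c7[0][inmsgparams_idx]; it segfaults.
StackEntry inmsgparam_vulnerable(const Tuple& c7_slot0, std::size_t param_idx) {
  TupleRef t = get_param(c7_slot0, inmsgparams_idx).as_tuple();
  return tuple_index(t, param_idx);
}

// Hardened shape: a non-tuple at inmsgparams_idx becomes a VM error the
// executor can handle, instead of a null-pointer dereference.
StackEntry inmsgparam_hardened(const Tuple& c7_slot0, std::size_t param_idx) {
  TupleRef t = get_param(c7_slot0, inmsgparams_idx).as_tuple();
  if (!t) throw VmError("type check: in_msg_params is not a tuple");
  return tuple_index(t, param_idx);
}

// Constructed c7 slot-0 tuple with inmsgparams_idx+1 entries: `params` sits at
// inmsgparams_idx, every other slot is a filler integer.
Tuple make_c7_slot0(StackEntry params) {
  Tuple c7;
  c7.items.assign(inmsgparams_idx + 1, int_entry(1));
  c7.items[inmsgparams_idx] = std::move(params);
  return c7;
}

// True when an int at inmsgparams_idx makes as_tuple() yield a null ref:
// this is the value the vulnerable path hands to tuple_index.
bool malformed_c7_yields_null_ref() {
  Tuple c7 = make_c7_slot0(int_entry(42));
  return get_param(c7, inmsgparams_idx).as_tuple() == nullptr;
}

// True when the hardened path turns the same malformed c7 into a VmError.
bool hardened_rejects_non_tuple() {
  Tuple c7 = make_c7_slot0(int_entry(42));
  try {
    inmsgparam_hardened(c7, 0);
  } catch (const VmError&) {
    return true;
  }
  return false;
}

// Reads parameter 1 back through the hardened path when c7 is well-formed.
long long hardened_reads_param() {
  auto params = std::make_shared<Tuple>();
  params->items = {int_entry(100), int_entry(7)};
  Tuple c7 = make_c7_slot0(tuple_entry(params));
  return std::get<long long>(inmsgparam_hardened(c7, 1).value);
}
```

The hardened variant is the minimal fix this write-up implies: check the ref before indexing and report a type-check error, so a contract that rewrites c7 can at most fail its own execution rather than take the VM down.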

PoC code:

Figure 3: PoC code

Reproduction Steps:

To facilitate local testing (since global_version is normally supplied by the chain's configuration), we modified the VM initialization in the run_vm_code function to forcibly set global_version to 11:

Figure 4: run_vm_code modified to force global_version to 11

Copy the PoC code into the crypto/test/vm.cpp file.
Modify the run_vm_code function as described above to set global_version to 11.
Compile and run the test-vm executable.

Crash: The virtual machine will crash due to a null-pointer dereference.

Figure 5: crash output from the null-pointer dereference

In conclusion, TonBit, a subsidiary of BitsLab, has consistently upheld the principles of “deep security and responsible disclosure,” continuously identifying and resolving critical vulnerabilities within the core code of the TON Virtual Machine. From the non-atomic migration risk in the RUNVM instruction to the null-pointer dereference issue in the INMSGPARAM Instruction, TonBit has demonstrated strong technical expertise and a prompt response, reporting issues to Ton Core at the earliest opportunity and assisting in timely fixes. These efforts have not only effectively safeguarded on-chain assets but also enhanced the stability and reliability of the TVM. Looking ahead, TonBit will continue to work closely with Ton Core and the community to build a more robust security foundation for the Web3 ecosystem.

About TonBit

TonBit, a core sub-brand of BitsLab, is a security expert and early contributor within the TON ecosystem. As the primary Security Assurance Provider (SAP) for the TON blockchain, TonBit specializes in comprehensive security audits, covering both Tact and FunC languages, to ensure the integrity and resilience of TON-based projects.

To date, TonBit has successfully audited several well-known projects, including Catizen, Algebra, and UTonic, uncovering multiple critical vulnerabilities and demonstrating exceptional expertise in blockchain security. In addition, TonBit has hosted the TON CTF competition, which attracted widespread participation and attention, further solidifying its reputation as a leading security authority within the TON ecosystem.
