TAC Bridge Exploit: $2.8M TON-Side Loss Hits Users

TAC suffered a TON-side cross-chain incident that moved roughly $2.8 million across USDT, BLUM and tsTON before the bridge was paused. The TAC bridge exploit matters because the team later treated the event as a white-hat recovery case, turning a cross-chain breach into a test of user compensation, protocol controls and incident communication.

TAC bridge exploit hit the TON side first TAC said it identified an exploit on the TON side of its cross-chain layer that was carried out by an external attacker, according to TAC’s official May 12 incident disclosure. The team said the incident affected approximately $2.8 million across USDT, BLUM and tsTON, while TAC token, TON and ERC-20 assets bridged from Ethereum were not affected.

That scope matters. A bridge incident can quickly become a market-wide panic if users cannot tell which assets, chains or contracts are exposed. TAC’s statement narrowed the reported damage to native TON Jettons bridged from the TON network. It also said the bridge would remain paused while forensic analysis and remediation continued.

SlowMist’s public incident database mirrors the core figures, listing TAC Cross-Chain Layer on the TON side as a May 13 hack with an estimated $2.8 million loss and affected assets across USDT, BLUM and tsTON, according to SlowMist Hacked’s TAC incident entry. SlowMist also records the stated exclusion of TAC token, TON and ERC-20 assets bridged from Ethereum.

The technical risk sits inside cross-chain validation The public disclosures do not yet give enough detail to name the exact contract-level flaw. TAC described the incident as an exploit on the TON side of its cross-chain layer, while SlowMist classifies the attack method as a contract vulnerability. That leaves the strongest verified framing as a TON-side cross-chain exploit affecting specific bridged Jetton assets.

Cross-chain systems rely on message validation, asset accounting and controlled release logic. If one side accepts an invalid message, mishandles a token route or permits unauthorized movement, losses can appear even if the other side of the bridge remains intact. TAC’s claim that ERC-20 assets bridged from Ethereum were not affected suggests the impact did not hit every bridge path equally.

That is why the TAC case belongs in Web3 Fraud Files. The loss was not only a dollar figure. It was a live test of how a cross-chain protocol isolates damage when one route fails. A bridge can be technically paused, but user trust depends on whether the team can prove the exposed path was narrow and the remaining assets were safe.

On-chain recovery shifted the case toward white-hat handling Two days after the disclosure, TAC said it had positive news to share and that the exploiter had accepted its proposal to return funds to designated multisig wallets. According to TAC’s May 14 recovery update, the team coordinated with security partners and law enforcement and decided not to pursue litigation after the return process moved forward.

The recovery structure appears to follow a familiar DeFi pattern: the attacker returns most funds and receives a bounty or fee instead of facing immediate

legal escalation. Public reporting around the event described a 10% white-hat arrangement, but the safest confirmed point is TAC’s own statement that the exploiter accepted the proposal and funds were directed toward designated multisig wallets.

This does not erase the exploit. It changes the recovery path. A white-hat classification can reduce user losses, but it can also blur incentives if protocols appear to negotiate after avoidable control failures. The key question for TAC is whether the returned funds fully cover affected balances and whether the bridge logic has been changed before operations resume.

Users need clarity on compensation and bridge liquidity TAC said its focus was making users whole and restoring bridge liquidity through a legally structured sale of Foundation TAC token treasury reserves, according to the project’s May 12 disclosure. That is a concrete commitment, but users still need the final terms: who qualifies, which balances are covered, how claims are calculated and when liquidity returns.

The compensation question is especially sensitive because the exploit size was close to TAC’s visible DeFi footprint. DeFiLlama listed TAC total value locked at about $2.32 million on May 18, while TAC market capitalization appeared near $96.9 million on the same dashboard, according to DeFiLlama’s TAC chain page. Those figures show why a $2.8 million bridge event can dominate risk perception even if token-market capitalization is larger.

Cryptic Daily has seen the same pressure pattern in bridge and mint-control incidents such as the Adshares bridge exploit. When wrapped or bridged assets are affected, the market needs more than a pause notice. It needs asset-by-asset accounting, contract status, recovery wallets and a clear restart plan.

Market data shows the trust cost of the breach TAC’s token did not take the direct asset loss, according to the team, but the market still priced in security risk. CoinMarketCap showed TAC Protocol trading near $0.01968 with a market capitalization around $90.25 million and 24-hour volume near $9.5 million on May 18, according to CoinMarketCap’s TAC Protocol

page. Those figures can move quickly, but they show the project remained liquid enough for the exploit narrative to affect broader token sentiment.

The market reaction matters because cross-chain protocols sell trust as infrastructure. If users believe one bridge path can fail without clear evidence of containment, they may discount the token, avoid deposits or move liquidity elsewhere. Even if funds are returned, a paused bridge can slow activity, reduce confidence and create operational drag.

This is the same broader risk category seen in Cryptic Daily’s THORChain Asgard vault exploit. The mechanisms differ, but both cases expose a common cross-chain problem: users must rely on complex signing, validation or routing systems they cannot fully inspect in real time. When those systems fail, the first question becomes containment. The second question becomes proof.

What TAC must prove before bridge restart TAC’s next credible milestone is a full postmortem that identifies the vulnerable route, the affected contracts, the transaction path, the recovery wallets and the exact remediation applied before restart. A statement that funds were returned is helpful, but it is not the same as a complete technical explanation.

Users should watch for three concrete signals. First, TAC should publish whether the issue was a contract bug, routing validation flaw, token-specific integration failure or operational compromise. Second, the team should state whether the bridge has been audited again before reopening. Third, TAC should document the compensation process tied to USDT, BLUM and tsTON exposure.

TAC also needs to explain what happens if similar conditions appear again. A bridge pause is a useful emergency action, but it is reactive. Stronger risk controls include route-level caps, anomaly alerts, delayed withdrawals for sensitive assets, independent monitoring and public status pages that show which routes are live, paused or under review.

TAC’s recovery now depends less on whether the exploiter returned most funds and more on whether the team can publish a complete, verifiable restart plan. The next signals to watch are the official postmortem, bridge reopening conditions and the final user-compensation schedule tied to the affected TON-side assets.

This article is for informational purposes only and does not constitute financial or investment advice.

╗