PANews reported on May 9 that TonBit, a security team under BitsLab, discovered a new vulnerability in the TON Virtual Machine (TVM) involving a state-migration issue in the RUNVM instruction. The vulnerability may corrupt the smart contract execution environment, causing contracts to behave abnormally. Specifically, attackers can use the moment when the virtual machine's gas is exhausted to corrupt the virtual machine's key libraries, causing subsequent operations that rely on these libraries to fail.
TonBit has submitted the vulnerability details and fixes to the TON Foundation and assisted in completing the fix. Developers are advised to update promptly once the official patch is released, and to strengthen library-integrity checks and gas management in their contracts to prevent similar issues from being maliciously exploited.