Security · 2026

Cross-chain bridges on TON: security in 2026

Lessons from the TAC bridge drain in April 2026, how NEAR Intents and Symbiosis work, what risks remain for users on TON bridges, and how to mitigate them.

Author
TON Adoption Team · editorial
Published
5 min read

Cross-chain bridges are infrastructure you hate to use but without which DeFi doesn’t work. On TON the problem is especially acute: there are no native stablecoins (USDT-jetton is a bridge product), Bitcoin arrives via wrapping, and without bridges the ecosystem would be an isolated island.

The May TVL update shows cross-chain is the only segment with active inflows (NEAR Intents up 20% on the week). But the previous month ended with the TAC drain. Here’s what we know about TON bridge security in 2026 and how to minimise risk as a user.

How a typical bridge works

To talk security, you need the baseline mechanics. A classical cross-chain bridge:

  1. Deposit on side A. You put BTC (or USDC, or anything else) into the bridge’s smart contract on the source network.
  2. Verification. An off-chain validator set (or an on-chain proof mechanism) confirms the deposit is real.
  3. Mint on side B. The bridge’s smart contract on the target network (TON) issues a synthetic token — wBTC, USDC.e, equivalent.
  4. Return path. To get BTC back, you burn the synthetic on TON, validators confirm, the bridge releases BTC.

Vulnerabilities appear at every step:

  • Deposit. Reentrancy, incorrect accounting, fee-calculation bugs.
  • Verification. Compromise of validator private keys, bugs in signature or Merkle-proof verification.
  • Mint. Any error in mint logic (e.g., a flawed “already paid / not yet” check) leads to double payouts.
  • Contract admin. If the bridge has admin functions (pauses, upgrades), compromise of the admin key drains the full TVL.
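
An added example (not from the original article or from any bridge's code) modelling the verification and mint checks listed above: a quorum of distinct validators, signatures bound to one specific deposit, and an "already paid" record. HMAC keys stand in for real validator signatures; the validator names, domain separator and addresses are constructed for illustration.

```python
import hashlib
import hmac

# Constructed validator set: HMAC-SHA256 keys stand in for real signature keys.
VALIDATORS = {f"v{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest() for i in range(5)}
QUORUM = 4  # strictly more than 2/3 of 5 validators
DOMAIN = b"demo-bridge|btc->ton"  # hypothetical domain separator

def deposit_digest(deposit_id: str, recipient: str, amount: int) -> bytes:
    # Length-prefix every field so distinct deposits never share an encoding.
    parts = [DOMAIN, deposit_id.encode(), recipient.encode(), str(amount).encode()]
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def sign(validator: str, digest: bytes) -> bytes:
    return hmac.new(VALIDATORS[validator], digest, hashlib.sha256).digest()

class MintGate:
    """Target-side checks that run before any synthetic token is issued."""
    def __init__(self):
        self.processed = set()   # deposit ids already paid out
        self.minted = {}         # recipient -> synthetic balance

    def mint(self, deposit_id, recipient, amount, sigs):
        if not isinstance(amount, int) or amount <= 0:
            return "reject: bad amount"
        if deposit_id in self.processed:          # the "already paid" check
            return "reject: already minted"
        digest = deposit_digest(deposit_id, recipient, amount)
        # A set counts each known validator once, however often it appears.
        signers = {v for v, s in sigs
                   if v in VALIDATORS and hmac.compare_digest(s, sign(v, digest))}
        if len(signers) < QUORUM:
            return "reject: no quorum"
        self.processed.add(deposit_id)            # record first, then credit
        self.minted[recipient] = self.minted.get(recipient, 0) + amount
        return "minted"

def demo():
    gate = MintGate()
    d1 = deposit_digest("dep-1", "EQ-alice", 100)
    quorum = [(v, sign(v, d1)) for v in ("v0", "v1", "v2", "v3")]
    d3 = deposit_digest("dep-3", "EQ-bob", 5)
    results = [
        gate.mint("dep-1", "EQ-alice", 100, quorum),             # valid attestation
        gate.mint("dep-1", "EQ-alice", 100, quorum),             # same deposit again
        gate.mint("dep-2", "EQ-alice", 100, quorum),             # signatures bound to dep-1
        gate.mint("dep-3", "EQ-bob", 5, [("v0", sign("v0", d3))] * 4),  # one signer, repeated
    ]
    return results, gate.minted
```

Only the first call mints; the other three are rejected by the replay record, the deposit-bound digest and the distinct-signer count respectively.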

What happened with the TAC bridge

TAC bridge is TON-side infrastructure for moving BTC through a wrapped mechanism. In April 2026 an attacker drained about $2.5M in TON via a message-verification exploit on the bridge contract. Specifically: the bridge’s incoming-message check was insufficient — the attacker was able to construct a message the contract accepted as valid, and mint themselves TON without a real deposit.

Full technical breakdown — in our TAC attack analysis. The key takeaway:

  • The problem wasn’t validator keys, it was contract logic.
  • That means even bridges with decentralised validator sets and audits can fail on a flaw in the contract logic itself.
  • TAC’s post-incident response: bridge pause, tightened message validation, new audit. As of May 2026 TAC is back in operation with reduced limits.

What this means for users: even “audited” bridges aren’t a guarantee. Auditors check code against known vulnerabilities; novel vectors can slip past.

Top 5 bridges on TON: walkthrough

Symbiosis Finance

What it is: multi-chain bridge supporting 30+ networks including TON, Ethereum, BSC, Polygon, Arbitrum.

Strengths:

  • In production since 2021, 3+ years without major incidents.
  • Multiple audits (Hacken, Halborn, internal).
  • Light Client + relayer network for verification.
  • TVL on TON ~ $9M (per DeFiLlama, May 2026).

Weaknesses:

  • Parts of the relayer logic are closed-source.
  • Sometimes slow confirmations at low fees.

Verdict: suitable for regular use. More — in our Symbiosis and Allbridge piece.

NEAR Intents

What it is: intent-based architecture; not a classical bridge but a marketplace of relayers fulfilling user intents like “give X on NEAR, receive Y on TON”.

Strengths:

  • Minimised TVL — most of the time assets are in flight, not custody.
  • Atomic swaps under the hood — either the whole trade settles or rolls back.
  • Active expansion: TVL on TON up 20% in May 2026.

Weaknesses:

  • Young — mass production stress is still ahead.
  • Complex architecture — more edge cases to audit.

Verdict: promising, small amounts for now. In 6-12 months — a real leadership candidate.

Allbridge Core

What it is: bridge supporting TON and 15+ other networks.

Strengths:

  • Transparent architecture, open contract code.
  • Stablecoins as primary use case.

Weaknesses:

  • Smaller TVL, lower liquidity for large swaps.
  • Slippage can be material on large amounts.

Verdict: good for stablecoins in moderate sizes.

TAC Bridge (BTC → TON)

What it is: bridge for moving BTC into TON through a wrapped mechanism.

Strengths post-incident:

  • After the April attack the team ran an unscheduled audit and rewrote message validation.
  • Limits on large operations are tightened.

Weaknesses:

  • Fresh incident — user trust is still recovering.
  • TVL noticeably below pre-incident.

Verdict: small amounts only, not for storage. Use alternatives (wrapped BTC via Symbiosis, for example) while trust recovers.

Bridgers

What it is: aggregator/bridge for DEX swaps across networks.

Strengths: low fees, decent UX.

Weaknesses:

  • Low TVL (~$1.7M, May 2026, down 24% on the week).
  • Less public audit reporting.

Verdict: low priority. Better alternatives exist.

How to reduce bridge risk as a user

Four practical rules:

1. A bridge is transport, not storage. Don’t hold funds on a bridge longer than the transfer needs. If you move $5000 to TON, wrap it, and put it to use in DeFi an hour later, your bridge risk lasts an hour. If you leave $5000 in wrapped form for six months, your bridge risk lasts six months.

2. Check audits and incidents. Before first use:

  • Are there audits? Who audited? When?
  • Any incidents in the last 12 months?
  • How did the bridge respond — transparently or by hiding?

10 minutes of due diligence before a large transaction goes a long way.

3. Test transfer. Before a big move, do a test of $10-50. Check the return path works too. If the bridge supports only one-way flow, or the reverse is awkward — red flag.

4. Prefer intent-based / atomic-swap architectures. Where you can use NEAR Intents or Symbiosis-with-Light-Client instead of a custodial bridge — use it. Atomicity guarantees the whole trade settles or rolls back; “received half the path and stuck” becomes impossible.

2026 evolution: where the industry’s headed

The trend of the year is a shift from custodial bridges to intent-based and zk-bridges. This reduces the risk of mass TVL drain because at any moment the bridge holds minimal assets.

On TON this shows in the growth of NEAR Intents; on Ethereum, in the zkBridge initiatives now launching. The logical conclusion: in 18-24 months classical custodial bridges with large TVL will become rare, ceding ground to relayer marketplaces and zk proofs.

Net takeaway

  • Cross-chain bridges on TON work, and the ecosystem would be isolated without them.
  • Most trusted: Symbiosis (for multi-chain), NEAR Intents (for intent-based moves).
  • TAC bridge — operates with limits post-incident; small amounts only.
  • Main rule: a bridge is transport, not a storage location. Don’t let it hold your funds longer than the operation needs.

Full April TAC drain analysis — here. Current DeFi picture on TON including cross-chain flows — May TVL snapshot.

Frequently asked

A bridge essentially holds assets on one network and issues synthetic versions on another. If the bridge code is exploited or its keys compromised, the attacker drains all deposits at once. Per Chainalysis and DeFiLlama, bridges are the largest exploit category in crypto: over $3 billion has been drained from bridges from 2022 through 2025.
TAC bridge is TON-side infrastructure for moving BTC through a wrapped mechanism. In April 2026 an attacker drained about $2.5M in TON via a message-verification exploit on the bridge contract. Full incident analysis — in our TAC drain piece. Specifically: insufficient validation of incoming messages on the bridge contract.
No bridge is absolutely safe. By aggregate metrics, the most trusted are Symbiosis (3+ years in production, audited by Hacken and Halborn, no major incidents) and NEAR Intents (newer, but with an active audit cycle). Historically risky are bridges with unaudited custodial models (one key holds everything).
A classical bridge holds TVL and issues synthetics. NEAR Intents is intent-based architecture: the user says 'I want X from TON to Y on NEAR', the protocol finds a relayer who fulfils the trade, and pays them for execution. This reduces the 'drain the whole TVL at once' attack surface — because there are essentially no custodied balances.
Four rules: (1) never hold more on a bridge than you plan to move quickly (a bridge is transit, not storage); (2) before using, check audits and the protocol's incident history over the past 12 months; (3) prefer intent-based / atomic-swap architectures to classical bridges; (4) make a small test transfer before the main one.
Yes, but consciously. Without bridges you can't bring USDC from Ethereum to TON, bring in BTC via wrapping, or take profit back out. They are essential infrastructure. The key is to treat them as transport, not storage, and to use only time-tested protocols.
