{"id":50227848,"url":"https://github.com/jubnzv/tolk-less","last_synced_at":"2026-06-22T16:01:36.692Z","repository":{"id":364227328,"uuid":"1246832518","full_name":"jubnzv/tolk-less","owner":"jubnzv","description":"Tolk less – fix the math! TON compiler fuzzer","archived":false,"fork":false,"pushed_at":"2026-05-22T15:51:25.000Z","size":28,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-06-12T08:04:12.833Z","etag":null,"topics":["compiler-fuzzer","emi","fuzzing","smt","tolk","ton","z3"],"latest_commit_sha":null,"homepage":"https://t.me/nowarp_io/32","language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jubnzv.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-22T15:51:14.000Z","updated_at":"2026-05-23T22:09:53.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jubnzv/tolk-less","commit_stats":null,"previous_names":["jubnzv/tolk-less"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/jubnzv/tolk-less","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jubnzv%2Ftolk-less","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jubnzv%2Ftolk-less/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jubnzv%2Ftolk-less/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jub
nzv%2Ftolk-less/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jubnzv","download_url":"https://codeload.github.com/jubnzv/tolk-less/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jubnzv%2Ftolk-less/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34655718,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-22T02:00:06.391Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compiler-fuzzer","emi","fuzzing","smt","tolk","ton","z3"],"created_at":"2026-05-26T17:00:20.994Z","updated_at":"2026-06-22T16:01:36.686Z","avatar_url":"https://github.com/jubnzv.png","language":"Python","funding_links":[],"categories":["Tools"],"sub_categories":[],"readme":"# tolk-less\ntolk-less is a [Tolk](https://docs.ton.org/blockchain-basics/tolk/overview) compiler fuzzer. 
It demonstrates a zero-effort way to find nasty math bugs in the compiler.\n\n* **Key idea:** sound EMI mutations + bitwise diff of TVM outputs across Tolk/FunC × optimized/non-optimized builds\n* **Target:**  arithmetic miscompilations\n* **Effort:**   \u003c1 hour to vibecode a 1k-loc script, 2 hours to execute and review\n* **Result:** 13 semantic drifts in arithmetic, 6 ICEs\n\n## Usage\nClone with submodules, build `./third-party/ton` and execute:\n\n```\nSEED=0 MKL=10 MKH=20 N=195000 MD=4 MK=3 Z3=1 ABORT=0 ZINP=1 ZIT=500 python3 tl.py\n```\n\n## Findings\n\n\u003e ⚠️ **Note**: No Tolk contracts on mainnet, no [bug bounty coverage](https://github.com/ton-blockchain/bug-bounty). Nothing exploitable.\n\nCommit: [4539cfab](https://github.com/ton-blockchain/ton/commit/4539cfabf2877e09d13032861f36c1490d13a941)\n\n### Miscompiles\n\n- [assert-K-eq-flipped](findings/assert-K-eq-flipped/README.md) — `assert(K != 0)` always throws, `assert(K == 0)` always passes\n- [bitwise-noop-keeps-denorm](findings/bitwise-noop-keeps-denorm/README.md) — `K | 0` / `K \u0026 -1` preserve a BigInt denorm and re-arm the const-shift bug family\n- [cancel-from-both-sides](findings/cancel-from-both-sides/README.md) — `K \u003e (K - a)` rewritten to `K \u003e -a`\n- [const-shift-eq-broken](findings/const-shift-eq-broken/README.md) — `(K + 0) == K` folds to false\n- [drop-const-from-add](findings/drop-const-from-add/README.md) — `a + K` silently drops K, body becomes empty\n- [if-K-eq-0](findings/if-K-eq-0/README.md) — `if (K == 0) { throw }` always throws even when K is non-zero\n- [muldiv-zeroed](findings/muldiv-zeroed/README.md) — `mulDivFloor/Ceil/Round(K, a, b)` folds to 0\n- [neg-K-vs-K-cmp](findings/neg-K-vs-K-cmp/README.md) — `(-K) \u003c K` folds to wrong constant\n- [pushnegpow2-zero](findings/pushnegpow2-zero/README.md) — Tolk emits invalid `0 PUSHNEGPOW2` bytecode\n- [repeat-skipped](findings/repeat-skipped/README.md) — `repeat (K) { body }` body silently elided\n- 
[ternary-inverted](findings/ternary-inverted/README.md) — `(K != 0) ? a : b` picks the wrong branch\n- [throwarg-bigimm](findings/throwarg-bigimm/README.md) — Tolk emits `\u003cbig-K\u003e THROWARG`, Fift assembler rejects\n- [while-skipped](findings/while-skipped/README.md) — `while (K != 0 \u0026\u0026 cond) { body }` body silently dropped\n\n### ICE\n\n- [tolk-bool-and-chain](findings/tolk-bool-and-chain/README.md) — `true \u0026\u0026 true \u0026\u0026 true \u0026\u0026 true \u0026\u0026 expr` crashes Tolk (`tolk.h:892`)\n- [tolk-codegen-208](findings/tolk-codegen-208/README.md) — nested `!((true||false) != true)` shape crashes Tolk (`codegen.cpp:208`)\n- [tolk-codegen-578](findings/tolk-codegen-578/README.md) — duplicated `false ? K : a` ternary + `(0\u003c\u003c3)\u003e\u003e3` shape crashes Tolk (`codegen.cpp:578`)\n- [func-stack-validate](findings/func-stack-validate/README.md) — `a + ((a + (-1 ? 0 : 1)) * 0)` crashes FunC (`func.h:1622`)\n- [func-codegen-168](findings/func-codegen-168/README.md) — `(a + (0 ? c : a*0)) * 0` crashes FunC (`codegen.cpp:168`)\n\n## Further work\nIf you are serious about spending time on this, look at:\n\n1. **Better oracles:** anything is better than the FunC oracle, some *sane* alternatives:\n  * hand-written concrete interpreter\n  * translation validation TVM/Fift→SMT for equivalence checks\n2. **Program generation** beyond constants and arithmetic\n3. **EMI synthesis:** start from the [Souper](https://github.com/google/souper) [paper](https://arxiv.org/pdf/1711.04422) and [this work](https://arxiv.org/pdf/2206.07086)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjubnzv%2Ftolk-less","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjubnzv%2Ftolk-less","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjubnzv%2Ftolk-less/lists"}