docs: add new page for Security audits

Author: novusnota

.github/workflows/external-links.yml

@@ -1,4 +1,4 @@
-name: Link check
+name: External link check
 
 on:
   workflow_dispatch: # on demand launches, if needed
@@ -22,9 +22,15 @@ jobs:
             --exclude '\.(?:jpg|png)$'
             docs/README.md './docs/**/*.mdx'
           output: "/dev/stdout"
-          fail: false
+          fail: true
           failIfEmpty: false
 
+  linkcheck-dev:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: (dev-docs) Check broken HTTP(S) links
         uses: lycheeverse/lychee-action@v2
         id: lychee_dev
@@ -34,5 +40,5 @@ jobs:
             --exclude-path node_modules --exclude-path docs
             './**/*.md'
           output: "/dev/stdout"
-          fail: false
+          fail: true
           failIfEmpty: false

README.md

@@ -14,6 +14,11 @@ A next-gen smart contract language for TON focused on efficiency and simplicity.
 - [Tact Documentation](https://docs.tact-lang.org)
 - [Awesome Tact](https://github.com/tact-lang/awesome-tact)
 
+## Integrity
+
+- [Security audit of Tact by the Trail of Bits (2025, PDF)](https://tact-lang.org/assets/pdfs/2025-01-ton-studio-tact-compiler-securityreview.pdf)
+  - Backup link: [PDF Report](https://github.com/tact-lang/website/blob/416073ed4056034639de257cb1e2815227f497cb/pdfs/2025-01-ton-studio-tact-compiler-securityreview.pdf)
+
 ## Community
 
 - [Tact Discussion Group](https://t.me/tactlang)

dev-docs/CHANGELOG.md

@@ -88,6 +88,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Forbid traits inherit implicitly from BaseTrait: PR [#1591](https://github.com/tact-lang/tact/pull/1591)
 - Forbid the `override` modifier for constants without the corresponding super-constant: PR [#1591](https://github.com/tact-lang/tact/pull/1591)
 - Remove "remainder" from error messages: PR [#1699](https://github.com/tact-lang/tact/pull/1699)
+- Check map types for `deepEquals` method: PR [#1718](https://github.com/tact-lang/tact/pull/1718)
 
 ### Docs
 
@@ -124,7 +125,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Removed the notion of the non-standard TL-B syntax `remainder<X>`: PR [#1599](https://github.com/tact-lang/tact/pull/1599)
 - Added description of `.boc`, `.ts`, `.abi`, `.pkg` files and completed Compilation page: PR [#1676](https://github.com/tact-lang/tact/pull/1676)
 - Marked gas-expensive functions and expressions: PR [#1703](https://github.com/tact-lang/tact/pull/1703)
-- Check map types for `deepEquals` method: PR [#1718](https://github.com/tact-lang/tact/pull/1718)
+- Added a Security audits page, with the first assessment from the Trail of Bits: PR [#1791](https://github.com/tact-lang/tact/pull/1791)
 
 ### Release contributors
 

docs/astro.config.mjs

@@ -285,6 +285,7 @@ export default defineConfig({
 					},
 					items: [
 						{ slug: 'ecosystem' },
+						{ slug: 'ecosystem/security-audits' },
 						{
 							label: 'Tools',
 							translations: { 'zh-CN': '工具' },

docs/src/content/docs/cookbook/dexes/stonfi.mdx

@@ -85,7 +85,7 @@ struct SwapAdditionalData {
 }
 ```
 
-The [STON.fi SDK](https://github.com/ston-fi/sdk) defines some [constants to deal with fees](https://github.com/ston-fi/sdk/blob/786ece758794bd5c575db8b38f5e5de19f43f0d1/packages/sdk/src/contracts/dex/v2_1/router/BaseRouterV2_1.ts). Note that these are hardcoded values, but the best practice is to [calculate fees dynamically using current config params](https://docs.ton.org/v3/guidelines/smart-contracts/fee-calculation) instead.
+The [STON.fi SDK](https://github.com/ston-fi/sdk) defines some [constants to deal with fees](https://github.com/ston-fi/sdk/blob/1c8c6678858956f6d9a0e70b9f80628319dbe2ce/packages/sdk/src/contracts/dex/v2_1/router/BaseRouterV2_1.ts). Note that these are hardcoded values, but the best practice is to [calculate fees dynamically using current config params](https://docs.ton.org/v3/guidelines/smart-contracts/fee-calculation) instead.
 
 ```tact
 /// Hardcoded fee value to pay for sending a message to the Jetton wallet

docs/src/content/docs/ecosystem/index.mdx

@@ -11,7 +11,18 @@ Here are its main contents:
 
 <Steps>
 
-1. #### Tools
+1. #### Security audits
+
+   In addition to optimizing gas usage and reducing fees, the security of the Tact ecosystem is of utmost priority. Which is why there's a dedicated page for miscellaneous security audits, assessments and reports for the Tact compiler and Tact smart contracts.
+
+   <CardGrid>
+     <LinkCard
+       title="Go to Security audits"
+       href="/ecosystem/security-audits"
+     />
+   </CardGrid>
+
+2. #### Tools
 
    Tools is a list of official and community-made tools made specifically for Tact, or whose that play along with the language and other tools. Each tool has a brief usage details and additional information, which sometimes is missing from the respective docs or is a convenient summary available only in the Tact documentation.
 

docs/src/content/docs/ecosystem/security-audits.mdx

@@ -0,0 +1,27 @@
+---
+title: Security audits
+description: "Various security assessments, audits and reports for Tact compiler, Tact smart contracts and other things in Tact ecosystem"
+---
+
+In addition to optimizing gas usage and reducing fees, the security of the Tact ecosystem is paramount. This includes the safety of the Tact compiler, other Tact-related tools and smart contracts written in Tact.
+
+This page lists various security assessments, audits, and reports for the Tact compiler, Tact smart contracts and other things in the Tact ecosystem.
+
+## Tact compiler {#compiler}
+
+### 2025-01: Security Assessment by Trail of Bits {#202501-trailofbits-tact}
+
+The security audit for Tact 1.5.0 has been completed by [Trail of Bits](https://www.trailofbits.com/), a leading Web3 security firm.
+
+By the end, no high-severity vulnerabilities were found. That said, some bugs and points of improvement were discovered and addressed in a new [Tact 1.5.4 bugfix release][1.5.4].
+
+The complete report is available on the Trail of Bits GitHub repository, as well as on the Tact website and its repo as a backup:
+
+* [Original PDF, Trail of Bits repo](https://github.com/trailofbits/publications/blob/master/reviews/2025-01-ton-studio-tact-compiler-securityreview.pdf)
+* [Same PDF, Tact website](https://tact-lang.org/assets/pdfs/2025-01-ton-studio-tact-compiler-securityreview.pdf)
+* [Same PDF, a backup in the website repo](https://github.com/tact-lang/website/blob/416073ed4056034639de257cb1e2815227f497cb/pdfs/2025-01-ton-studio-tact-compiler-securityreview.pdf)
+
+Upgrade to the newest Tact version: [Compiler upgrades](https://docs.tact-lang.org/book/compile/#upgrades).
+
+[1.5.0]: https://www.npmjs.com/package/@tact-lang/compiler/v/1.5.0
+[1.5.4]: https://www.npmjs.com/package/@tact-lang/compiler/v/1.5.4

docs/src/content/docs/ecosystem/typescript.mdx

@@ -2,8 +2,8 @@
 title: TypeScript libraries
 description: "The compiler of Tact automatically generates wrapper code for use with @ton/ton and @ton/core libraries"
 prev:
-  link: /ecosystem
-  label: Ecosystem overview
+  link: /ecosystem/security-audits
+  label: Security audits
 ---
 
 The Tact language has built-in support for the [@ton/ton](https://github.com/ton-org/ton) and [@ton/core](https://github.com/ton-org/ton-core) TypeScript libraries. The compiler automatically generates code for these libraries, so you can use [@tact-lang/emulator](https://github.com/tact-lang/tact-emulator) or [@ton/sandbox](https://github.com/ton-org/sandbox), that work on top of them.

docs/src/content/docs/ref/core-debug.mdx

@@ -21,7 +21,7 @@ The algorithm for generating the exit code works as follows:
 
 * First, the [SHA-256](https://en.wikipedia.org/wiki/SHA-2#Hash_standard) hash of `error` message [`String{:tact}`][p] is obtained.
 * Then, its value is read as a 32-bit [big-endian](https://en.wikipedia.org/wiki/Endianness) number modulo $63000$ plus $1000$, in that order.
-* Finally, it's put into the `.md` compilation report file, which resides with the other compilation artifacts in your project's `outputs/` or `build/` directories.
+* Finally, it's put into the [`.md` compilation report file](/book/compile#report), which resides with the other compilation artifacts in your project's `outputs/` or `build/` directories.
 
 The generated exit code is guaranteed to be outside the common $0 - 255$ range reserved for TVM and Tact contract errors, which makes it possible to distinguish exit codes from `require(){:tact}` and any other [standard exit codes](/book/exit-codes).
 

docs/src/content/docs/zh-cn/book/exit-codes.mdx

@@ -451,7 +451,7 @@ nativeSendMessage(emptyCell(), 0); // won't fail in compute phase,
 
 ### 35: Invalid source address in outbound message {#35}
 
-如果出站消息中的源地址不等于[`addr_none`](https://docs.ton)。 rg/develop/data forms/msg-tlb#addr_none00，或是引发此消息的合约地址， 退出码 $35$ 出错：\`出站消息中无效的源地址'。
+如果出站消息中的源地址不等于[`addr_none`](https://docs.ton.org/develop/data-formats/msg-tlb#addr_none00)，或是引发此消息的合约地址， 退出码 $35$ 出错：\`出站消息中无效的源地址'。
 
 ### 36: Invalid destination address in outbound message {#36}
 

docs/src/content/docs/zh-cn/book/security-best-practices.mdx

@@ -101,7 +101,7 @@ throw(1);
   2. 一旦收到所有哈希，参与者就公布其原始数字。
   3. 结合公开的数字（例如，将它们相加）以生成一个安全的随机值。
 
-有关更多详细信息，请参阅 [TON 文档中的安全随机数生成页面](https://docs.ton.org/guidelines/smart-contracts/security/random-number-generation)。
+有关更多详细信息，请参阅 [TON 文档中的安全随机数生成页面](https://docs.ton.org/v3/guidelines/smart-contracts/security/random-number-generation)。
 
 ##### Don'ts ❌
 

docs/src/content/docs/zh-cn/cookbook/dexes/dedust.mdx

@@ -12,11 +12,11 @@ sidebar:
 - [接收消息](/zh-cn/book/receive/)
 - [发送消息](/zh-cn/book/send/)
 - [可替代代币（Jettons）](/zh-cn/cookbook/jettons/)
-- [DeDust Docs: Concepts](https://docs.edust.io/docs/concepts)
+- [DeDust Docs: Concepts](https://docs.dedust.io/docs/concepts)
 
 ## Swaps
 
-阅读更多关于 [DeDust 文档](https://docs.edust.io/docs/swaps)中的swaps。
+阅读更多关于 [DeDust 文档](https://docs.dedust.io/docs/swaps)中的swaps。
 
 :::caution
 
@@ -73,7 +73,7 @@ struct SwapParams {
 ### 将 Toncoin 兑换为任意 Jetton
 
 :::note
-以下指南使用了 [Jetton Vault](https://docs.dedust.io/docs/concepts#vault)。 要获取您的Jetton地址，请参阅[本指南](https://docs.edust.io/docs/swaps#step-1-find-the-vault-scale)。
+以下指南使用了 [Jetton Vault](https://docs.dedust.io/docs/concepts#vault)。 要获取您的Jetton地址，请参阅[本指南](https://docs.dedust.io/docs/swaps#step-1-find-the-vault-scale)。
 :::
 
 ```tact
@@ -220,7 +220,7 @@ message(0xf8a7ea5) JettonTransfer {
 
 为了向特定的DeDust池提供流动资金，您必须提供这两种资产。 然后，池将向存款人地址颁发特别 _LP tokens_。
 
-阅读更多关于[DeDust文档](https://docs.edust.io/docs/life-production)中的流动资金配置。
+阅读更多关于[DeDust文档](https://docs.dedust.io/docs/life-production)中的流动资金配置。
 
 ```tact
 import "@stdlib/deploy";

docs/src/content/docs/zh-cn/cookbook/nfts.mdx

@@ -142,7 +142,7 @@ contract Example {
 
 ## 获取 NFT 静态信息
 
-请注意，TON Blockchain 不允许合约相互调用 [getters](https://docs.tt-lang.org/book/contracts#getter-functions)。
+请注意，TON Blockchain 不允许合约相互调用 [getters](https://docs.tact-lang.org/book/contracts#getter-functions)。
 要从另一个合约接收数据，您必须交换消息。
 
 ```tact

docs/src/content/docs/zh-cn/ecosystem/misti.mdx

@@ -7,14 +7,14 @@ description: 静态分析测验合约、自定义探测器和CI/CD 集成
 
 ## 什么是Misti？
 
-- **静态程序分析**：Misti 在不执行代码的情况下对代码进行分析，通过检查结构和语法来扫描[漏洞和安全缺陷](https://nowarp.github.io/tools/misti/docs/detectors)。  这种方法可以及早发现问题，防止问题影响生产。
+- **静态程序分析**：Misti 在不执行代码的情况下对代码进行分析，通过检查结构和语法来扫描[漏洞和安全缺陷](https://nowarp.io/tools/misti/docs/detectors)。  这种方法可以及早发现问题，防止问题影响生产。
 
-- **自定义探测器**：创建 [自定义探测器](https://nowarp.github.io/tools/misti/docs/hacking/custom-detector)，根据您的特定需求定制 Misti。 这有助于识别通用工具可能会遗漏的漏洞，确保对代码进行彻底审查。
+- **自定义探测器**：创建 [自定义探测器](https://nowarp.io/tools/misti/docs/hacking/custom-detector)，根据您的特定需求定制 Misti。 这有助于识别通用工具可能会遗漏的漏洞，确保对代码进行彻底审查。
 
-- **CI/CD 集成**：[集成](https://nowarp.github.io/tools/misti/docs/tutorial/ci-cd) Misti 到您的 CI/CD 管道中，以确保持续的代码质量检查，在问题进入生产之前将其捕获。
+- **CI/CD 集成**：[集成](https://nowarp.io/tools/misti/docs/tutorial/ci-cd) Misti 到您的 CI/CD 管道中，以确保持续的代码质量检查，在问题进入生产之前将其捕获。
 
 ## 资源
 
 - [Github](https://github.com/nowarp/misti)
 - [Telegram Community](https://t.me/misti_dev)
-- [Misti文档](https://nowarp.github.io/docs/misti/)
+- [Misti文档](https://nowarp.io/tools/misti/)

docs/src/content/docs/zh-cn/ref/core-advanced.mdx

@@ -586,7 +586,7 @@ parsedVarAddr.address.loadUint(123); // 345
 [cell-hash]: /zh-cn/ref/core-cell#cellhash
 [nanotoncoin]: /zh-cn/book/integers#nanotoncoin
 [tvm]: https://docs.ton.org/learn/tvm-instructions/tvm-overview
-[basechain]: https://docs.ton.org/v3/concepts/ton-blockchain/smart-contract-addresses#address-components
+[basechain]: https://docs.ton.org/v3/documentation/smart-contracts/addresses#workchain-id
 [deduplication]: https://docs.ton.org/v3/documentation/data-formats/tlb/library-cells
 [storage-fee]: https://docs.ton.org/v3/documentation/smart-contracts/transaction-fees/fees-low-level#storage-fee
 [storage-fee-calc]: https://docs.ton.org/v3/guidelines/smart-contracts/fee-calculation#storage-fee

docs/src/content/docs/zh-cn/ref/core-common.mdx

@@ -93,12 +93,12 @@ fun context(): Context;
 
 返回 `Context{:tact}` [Struct](/zh-cn/book/structs-and-messages#structs)，包含：
 
-| 字段        | 类型                        | 描述                                                                                                                                                                                                                                                    |
-| :-------- | :------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `bounced` | [`Bool{:tact}`][bool]     | 传入消息的[Bounced](https://ton.org/docs/learn/overviews/addses#bounceable-vs-non-ounceable-addresses) 标志.                                                                                                                                                 |
-| `sender`  | [`Address{:tact}`][p]     | 发送方在 TON 区块链上的内部地址。                                                                                                                                                                                                                                   |
-| `value`   | [`Int{:tact}`][int]       | 信息中 [nanoToncoins](/zh-cn/book/integers#nanotoncoin) 的数量。                                                                                                                                                                                                   |
-| `raw`     | [`Slice{:tact}`][slice]   | 信息的其余部分作为 [`Slice{:tact}`][slice]。 它遵循 TON 的 [内部消息布局](https://docs.ton.org/develop/smart-contracts/messages#message-layout)，从目标 [`Address{:tact}`][p] (`dest:MsgAddressInt` 在 [TL-B 记法](https://docs.ton.org/develop/data-formats/tl-b-language)) 开始。 |
+| 字段      | 类型                      | 描述
+| :-------- | :------------------------ | :---
+| `bounced` | [`Bool{:tact}`][bool]     | 传入消息的[Bounced](https://ton.org/docs/learn/overviews/addresses#bounceable-vs-non-bounceable-addresses) 标志.
+| `sender`  | [`Address{:tact}`][p]     | 发送方在 TON 区块链上的内部地址。
+| `value`   | [`Int{:tact}`][int]       | 信息中 [nanoToncoins](/zh-cn/book/integers#nanotoncoin) 的数量。
+| `raw`     | [`Slice{:tact}`][slice]   | 信息的其余部分作为 [`Slice{:tact}`][slice]。 它遵循 TON 的 [内部消息布局](https://docs.ton.org/develop/smart-contracts/messages#message-layout)，从目标 [`Address{:tact}`][p] (`dest:MsgAddressInt` 在 [TL-B 记法](https://docs.ton.org/develop/data-formats/tl-b-language)) 开始。
 
 示例用法：
 

docs/src/content/docs/zh-cn/ref/evolution/overview.mdx

@@ -48,4 +48,4 @@ TON 增强提案的主要目标是提供一种便捷且正式的方式来提议
 
 ## 更新日志
 
-主 Tact 代码库的所有显著变更都记录在 [CHANGELOG.md](https://github.com/tact-lang/tact/blob/main/CHANGELOG.md) 中。
+主 Tact 代码库的所有显著变更都记录在 [CHANGELOG.md](https://github.com/tact-lang/tact/blob/main/dev-docs/CHANGELOG.md) 中。