Transit Swap integrates the most popular DEXs of public chains, selects and combines their advantages intelligently to provide better depth for your transactions and return more target tokens. Transit Swap reported that it has been attacked by hackers.

The hacker has transferred 2,500 BNB to Tornado Cash, and the remaining funds are kept in the hacker’s addresses. The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during token swap, which leads to the issue of arbitrary external calls. The attacker exploited this arbitrary external call issue to steal the tokens approved by the user for Transit Swap.

Then it got more interesting. According to SlowMist, Transit Swap hacker was then front-run by an arbitrage bot when he transferred BUSD assets from the user on the BSC chain, block height 21816885, and made a profit of 1.07 million $BUSD.

With the joint efforts of all parties with threats of doxing with IP and email, the hacker has returned about 70% of the stolen assets to the following two addresses:

Ethereum: 0xfab745c5ee6c59c09605a40464232930892ba48c
BNB Smart Chain: 0xfab745c5ee6c59c09605a40464232930892ba48c

All together 4 exploiters were involved (separately). The original exploiter has agreed to return 10,000 BNB and retain 2500 BNB as bounty. No action on remaining exploiters.

Hacker#3 (Hacker-imitator) - $23,758
Hacker#6 (Hacker-imitator) - 640 ETH
Hacker#7 (Arbitrager)