ID: transit-swap-1185
Date: October 2, 2022
Status: Verified
Incident Count: 1

REKT

Contributor: web3rekt.com

KYC By:

KYC:

None

Audit By:

Audits:

None

Loss Amount: 21,000,000
Recovered: 14,700,000
Rewards:
Ticker: USD

Key Indicators

Platform: Ethereum, Binance Smart Chain
Type: Protocol
Category: Dexes
Method: Contract Vulnerabilities
Data Sources:

Extended Method: The protocol does not strictly check the data passed in by the user during a token swap, which allows arbitrary external calls.

Days in Operation: 458 (1.25 Years)

Transit Swap integrates the most popular DEXs of public chains, selects and combines their advantages intelligently to provide better depth for your transactions and return more target tokens. Transit Swap reported that it has been attacked by hackers.

The hacker has transferred 2,500 BNB to Tornado Cash, and the remaining funds are kept in the hacker’s addresses. The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during a token swap, which allows arbitrary external calls. The attacker exploited this arbitrary external call issue to steal tokens that users had approved for Transit Swap.

Then it got more interesting. According to SlowMist, the Transit Swap hacker was front-run by an arbitrage bot while transferring BUSD assets from a user on the BSC chain at block height 21816885, and the bot made a profit of 1.07 million BUSD.

Through the joint efforts of all parties, including threats of doxing using IP and email data, the hacker has returned about 70% of the stolen assets to the following two addresses:

Ethereum: 0xfab745c5ee6c59c09605a40464232930892ba48c
BNB Smart Chain: 0xfab745c5ee6c59c09605a40464232930892ba48c

Altogether, 4 exploiters were involved (separately). The original exploiter has agreed to return 10,000 BNB and retain 2,500 BNB as a bounty. No action on the remaining exploiters.

Hacker#3 (Hacker-imitator) - $23,758
Hacker#6 (Hacker-imitator) - 640 ETH
Hacker#7 (Arbitrager)
