Transit Swap Exploit - October 2, 2022
What Happened
Transit Swap, a cross-chain DEX aggregator protocol, suffered a security breach resulting in $21M in losses. An unknown attacker exploited a vulnerability in the protocol's smart contracts to drain user wallets. However, over 70% of the stolen funds were subsequently returned after the attacker's anonymity was compromised through investigation by multiple security teams.
Technical Root Cause
The vulnerability centered on a flawed use of the ERC-20 transferFrom() function. As security researchers noted: *"the claimTokens function calls the transferFrom function of an address, and the address and function parameters are controllable."* The decompiled code revealed that the variables controlling the token address, sender (from), recipient (to), and amount parameters of the external transferFrom() call (function selector 0x23b872dd) were not validated against the caller. Because users had granted the contract token allowances, anyone could invoke claimTokens naming a victim as the sender and their own address as the recipient, and the contract would pull the victim's tokens through its allowance.
Attack Vector/Exploit Steps
1. Attacker identified users with active token approvals (allowances) for Transit Swap contracts
2. Invoked the vulnerable claimTokens function with manipulated parameters
3. Executed direct token transfers from victim wallets to the attacker's address via the unvalidated transferFrom() calls
4. Converted the stolen tokens to ETH and BNB within ~30 minutes
5. Transferred a portion of the proceeds to Tornado Cash for obfuscation
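The pattern behind the root cause and the exploit steps above, as an added example that is not Transit Swap's code (the protocol's contracts were never published, so the contract names VulnerableClaim, Exploit and HardenedClaim, the parameter layout of claimTokens and the allow-list design are assumptions; only the transferFrom selector and the described behaviour come from the write-up):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the protocol's own code. Names and parameter order
// are assumptions; the described behaviour is taken from the incident write-up.

interface IERC20 {
    // selector 0x23b872dd = keccak256("transferFrom(address,address,uint256)")[:4]
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: token, sender, recipient and amount all come from calldata
/// and are forwarded unchecked. Any caller can name a victim who approved this
/// contract as `from` and themselves as `to`; the token only checks that the
/// allowance granted to *this contract* covers `amount`.
contract VulnerableClaim {
    function claimTokens(address token, address from, address to, uint256 amount) external {
        // No check that from == msg.sender and no restriction on `token`.
        IERC20(token).transferFrom(from, to, amount);
    }
}

/// What steps 2 and 3 reduce to: one call per (victim, token) pair, moving the
/// approved balance into the attacker's address. The attacker could equally
/// call claimTokens directly from an externally owned account.
contract Exploit {
    function drain(VulnerableClaim target, address token, address victim, uint256 amount) external {
        target.claimTokens(token, victim, msg.sender, amount);
    }
}

/// Hardened version: the only allowance this contract will ever spend is the
/// caller's own, and the token must be on an owner-managed allow-list, so the
/// contract can no longer be used as a generic "spend anyone's approval" relay.
contract HardenedClaim {
    address public immutable owner;
    mapping(address => bool) public allowedTokens;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTokens[token] = allowed;
    }

    function claimTokens(address token, address to, uint256 amount) external {
        require(allowedTokens[token], "token not allowed");
        require(to != address(0), "zero recipient");
        // msg.sender is fixed as the account whose allowance is spent, so a
        // third party cannot move a victim's tokens through this contract.
        bool ok = IERC20(token).transferFrom(msg.sender, to, amount);
        require(ok, "transferFrom failed");
    }
}
```

The same bug class appears whenever a contract forwards a caller-supplied target address together with caller-supplied calldata (for example through a low-level `.call`), because every allowance ever granted to that contract becomes spendable by anyone. Production code would also wrap the transfer with OpenZeppelin's SafeERC20 to cope with tokens that return no boolean, and users should review and revoke standing allowances to aggregator contracts they no longer use.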
First attack transaction (UTC ~18:30): 0xba75ad7a43e784f51fe777d749fc55ae10f1df2bcb01cde97641613b19acb6ec
Attacker address: 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46 (ETH & BSC)
Vulnerable contract: 0xed1afc8c4604958c2f38a3408fa63b32e737c428
Financial Impact
| Asset | Amount | Status |
|---|---|---|
| ETH | 3,180 ($4.2M) | Returned |
| Binance-pegged ETH | 1,500 ($2M) | Returned |
| BNB | 50,000 ($14M) | $10.4M returned |
| Remaining stolen | ~$3.5M+ BNB | Held in exploiter's wallet |
| Funds sent to Tornado Cash | 2,500 BNB ($715k) | Not recovered |
Returned funds consolidated at: 0xD989f7B4320c6e69ceA3d914444c19AB67D3a35E (~$16.5M total)
Remediation
• Protocol paused affected swap contracts immediately
• The source article gives no details of contract-level fixes
• Investigation and collaboration between SlowMist, Bitrace, and Peckshield security teams identified attacker's IP, email, and on-chain addresses
• Attacker voluntarily returned majority of funds, likely due to exposure risk
Critical Issue
The protocol used unverified, closed-source smart contracts, which prevented transparent security review and denied white-hat researchers the chance to identify the vulnerability preemptively; the root cause could only be established after the fact by decompiling the deployed bytecode.