Transit Swap

Main hacker in Transit Swap exploit agrees to return remaining funds

Under the agreement, more than $2 million would be returned to Transit Swap users.

On Oct. 10, decentralized finance (DeFi) protocol Transit Swap announced that it had reached an agreement with its biggest hacker for the return of funds. Approximately one week prior, a hacker exploited an internal bug on a swap contract within the protocol and caused other individuals to imitate the security breach, leading to a loss of over $23 million in user funds. 

However, the main hacker has since returned approximately 70% of the exploited funds thanks to the help of security companies such as Peckshield, SlowMist, Bitrace and TokenPocket. They quickly tracked down the hacker by identifying their IP address, email address and associated on-chain addresses.

As per Oct. 10’s agreement, the hacker will return the remaining 10,000 BNB (BNB) tokens, worth roughly $2.74 million, from the exploit in exchange for relief of all legal liabilities arising from the attack from Transit Swap’s side. In addition, the hacker will keep 2,500 BNB ($685,600) for his “white hat” efforts in uncovering the security vulnerability.

The Transit Swap team has also set a deadline of Oct. 12 for two hacker-imitators and one hacker-arbitrageur to return the stolen funds. Afterward, developers threatened that “judicial actions” would be taken.


At the beginning of the year, DeFi exploits were largely a low-risk, high-reward endeavor thanks to user anonymity. Recently, the rise of blockchain analytic firms and forensic DeFi firms, coupled with a U.S. ban on crypto-mixer tools such as Tornado Cash, has made it harder for hackers to launder stolen funds. Instead, some have opted to return the funds and keep a portion of the exploited proceeds as a “bounty” for uncovering security vulnerabilities, as with the Nomad bridge hack. 

Transit Swap ‘hacker’ returns 70% of $23M in stolen funds

The funds returned so far have come in the form of Ether, Binance-pegged ETH and BNB ($14.2 million).

A quick response from a number of blockchain security companies has helped facilitate the return of around 70% of the $23 million exploit of decentralized exchange (DEX) aggregator Transit Swap.

The DEX aggregator lost the funds after a hacker exploited an internal bug on a swap contract on Oct. 1. The Transit Finance team responded quickly, together with security companies Peckshield, SlowMist, Bitrace and TokenPocket, who were able to work out the hacker’s IP address, email address and associated on-chain addresses.

It appears these efforts have already borne fruit, as less than 24 hours after the hack, Transit Finance noted that “with joint efforts of all parties,” the hacker has returned 70% of the stolen assets to two addresses, equating to roughly $16.2 million.

These funds came in the form of 3,180 Ether (ETH) at $4.2 million, 1,500 Binance-Peg ETH at $2 million and 50,000 BNB at $14.2 million, according to BscScan and EtherScan.

In the most recent update, Transit Finance stated that “the project team is rushing to collect the specific data of the stolen users and formulate a specific return plan” but also remains focused on retrieving the final 30% of stolen funds.

“At present, the security companies and project teams of all parties are still continuing to track the hacking incident and communicate with the hacker through email and on-chain methods. The team will continue to work hard to recover more assets,” it said.


Cybersecurity firm SlowMist, in an analysis of the incident, noted that the hacker used a vulnerability in Transit Swap’s smart contract code involving the transferFrom() function, which essentially allowed users’ tokens to be transferred directly to the exploiter’s address:

“The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during token swap, which leads to the issue of arbitrary external calls. The attacker exploited this arbitrary external call issue to steal the tokens approved by the user for Transit Swap.”
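To make the root cause SlowMist describes concrete, here is an added example written for this page (hypothetical code, not Transit Swap’s or SlowMist’s): a router that forwards caller-supplied target and calldata unchecked, beside a hardened version that never executes caller-chosen calldata from the contract holding user approvals. The contract and interface names (`VulnerableRouter`, `SafeRouter`, `IAdapter`) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical adapter interface (assumption): a typed swap entry point, so the
// router never forwards raw bytes chosen by the caller.
interface IAdapter {
    function swap(address tokenIn, uint256 amountIn, uint256 minOut, address recipient)
        external returns (uint256 amountOut);
}

// Hypothetical vulnerable pattern (not Transit Swap's code). Users approve this
// contract to spend their tokens; the swap entry point then forwards a caller-
// supplied target and calldata without checking either. The token contract sees
// msg.sender == this router, the holder of every user's approval, so an
// arbitrary external call from here can reach transferFrom on those approvals.
contract VulnerableRouter {
    function swap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data); // unchecked arbitrary external call
        require(ok, "call failed");
    }
}

// Hardened version: the approval-holding contract only ever calls an
// owner-allowlisted adapter through a fixed interface, moves tokens only from
// msg.sender, and enforces the caller's slippage bound on the result.
contract SafeRouter {
    address public immutable owner;
    mapping(address => bool) public allowedAdapter;

    constructor() { owner = msg.sender; }

    function setAdapter(address adapter, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedAdapter[adapter] = allowed;
    }

    function swap(address token, uint256 amountIn, uint256 minOut, address adapter)
        external returns (uint256 amountOut)
    {
        require(allowedAdapter[adapter], "adapter not allowlisted");
        require(adapter != token, "adapter must not be a token");
        // Only the caller's own approval is spent, and only to the allowlisted adapter.
        require(IERC20(token).transferFrom(msg.sender, adapter, amountIn), "transferFrom failed");
        amountOut = IAdapter(adapter).swap(token, amountIn, minOut, msg.sender);
        require(amountOut >= minOut, "insufficient output");
    }
}
```

A review checklist that follows from this: any contract that holds user approvals should have no code path where both the call target and the calldata come from the transaction sender.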