Transit Swap ‘hacker’ returns 70% of $23M in stolen funds

A quick response from a number of blockchain security companies has helped facilitate the return of around 70% of the $23 million exploit of decentralized exchange (DEX) aggregator Transit Swap.

The DEX aggregator lost the funds after a hacker exploited an internal bug on a swap contract on Oct. 1, leading to a quick response from Transit Finance team along with security companies Peckshield, SlowMist, Bitrace and TokenPocket, who were able to quickly work out the hacker’s IP, email address and associated-on chain addresses.

It appears these efforts have already born fruit, as less than 24 hours after the hack, Transit Finance noted that “with joint efforts of all parties” the hacker has returned 70% of the stolen assets to two addresses, equating to roughly $16.2 million.

These funds came in the form of 3,180 Ether (ETH) ($4.2 million), 1,500 Binance-Peg ETH and ($2 million) and 50,000 BNB ($14.2 million), according to BscScan and EtherScan.

Updates about TransitFinance1/5 We are here to update the latest news about TransitFinance Hacking Event. With the joint efforts of all parties, the hacker has returned about 70% of the stolen assets to the following two addresses:

— Transit Swap | Transit Buy | NFT (@TransitFinance) October 2, 2022

In the most recent update, Transit Finance stated that “the project team is rushing to collect the specific data of the stolen users and formulate a specific return plan” but also remains focused on retrieving the final 30% of stolen funds.

At present, the security companies and project teams of all parties are still continuing to track the hacking incident and communicate with the hacker through email and on-chain methods. The team will continue to work hard to recover more assets,” it said. 

Related: $160M stolen from crypto market maker Wintermute

Cybersecurity firm SlowMist in an analysis of the incident noted that the hacker used a vulnerability in Transit Swap’s smart contract code, which came directly from the transferFrom() function, which essentially allowed users’ tokens to be transferred directly to the exploiter’s address. 

“The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during token swap, which leads to the issue of arbitrary external calls. The attacker exploited this arbitrary external call issue to steal the tokens approved by the user for Transit Swap.”