Cross-chain DEX aggregator Transit Swap had a rough weekend after it lost over $21 million of users’ funds to an exploit of a vulnerability.
An unknown hacker launched an attack against Transit Swap’s unverified smart contract on Oct. 1. Users who unknowingly approved their tokens for trading on Transit Swap had all their funds transferred directly to the hacker’s address.
Transit Swap users lost a cumulative $21 million to the exploit across the ETH and BSC chains. The hacker lost about $1 million to an arbitrage bot as he moved the stolen funds.
Blockchain security firms SlowMist, PeckShield, and Bitrace worked closely with the Transit Swap team to track the hacker’s IP, email address, and associated on-chain address. Their joint efforts saw the hacker return over 70% of the stolen funds.
📢📢📢Updates about TransitFinance
1/5 We are here to update the latest news about TransitFinance Hacking Event. With the joint efforts of all parties, the hacker has returned about 70% of the stolen assets to the following two addresses:
— Transit Swap | Transit Buy | NFT (@TransitFinance) October 2, 2022
As of press time, the returned funds totaling $16.5 million are held in Transit Swap’s ETH & BSC addresses. About 3180 ETH ($4.2 million), 1500 B-ETH ($2 million), and $10.4 million worth of BNB have been returned. However, $3.5 million in stolen BNB is still held in the exploiter’s BSC address.
The hacker reportedly moved 2,500 BNB (worth $715,000) into mixing protocol Tornado Cash and attempted to withdraw the funds through the LATOKEN crypto exchange.
TransitSwap hacker moved some stolen funds to Tornado Cash and said: I only exploited eth and bsc. If I attack other chains, I can get $100m. I should get a higher bounty than what I get now. It’s hard not to suspect that this is your official backdoor. https://t.co/GNgDyG1FJD https://t.co/LxyUQOGXQg
— Wu Blockchain (@WuBlockchain) October 3, 2022
The Transit Swap team has said that it is still working to recover more of the stolen funds and will soon reach out to users about the fund return process.
Source: https://cryptoslate.com/transit-swap-hacker-returns-16-5m-of-stolen-funds/