"After a self-review by the TransitFinance team, it was confirmed that the incident was caused by a hacker attack due to a bug in the code. We are deeply sorry," read Transit Swap's announcement on Twitter.
On Saturday, Transit Swap became the latest platform to fall victim to crypto scammers. The decentralised exchange (DEX) lost nearly $23 million after a hacker was able to exploit an internal bug and disappear with user funds. After the attack was discovered, Transit Swap apologised to its users and shed light on its efforts to nab the culprit behind the hack.
Recommended ArticlesView All
Decoding multi-year health insurance policy — What is it and what are key benefits?
IST3 Min(s) Read
View | Pakistan Election: Will Imran Khan's changed tack from long march to resignations to snap poll work?
IST5 Min(s) Read
View | G20 Presidency: India can shape global Web3 narrative
IST6 Min(s) Read
"After a self-review by the TransitFinance team, it was confirmed that the incident was caused by a hacker attack due to a bug in the code. We are deeply sorry," read Transit Swap's announcement on Twitter. “Security companies are tracking the relevant data on-chain, and we will make further announcements about this event later,” it added.
However, in a surprising turn of events, the hacker returned most of the stolen funds less than 24 hours after committing the attack. It seems the hacker was forced to give up his loot after the Transit Finance team and several security companies ascertained plenty of the attacker's details.
Also Read: Cryptocurrency prices today: Bitcoin continues to trade below $20,000; Ethereum slips below $1,300
Just as the hack was discovered, security teams from SlowMist, Bitrace, and Peckshield began to track the culprit. Within hours, they were able to unearth several vital details about the attack, including the hacker's IP address, email ID, and other on-chain addresses.
The prompt efforts seem to have paid off, with Transit Swap announcing that the hacker had returned 70 percent of the stolen assets, which translates to roughly $16.2 million. The returned loot majorly consisted of ETH, Binance-pegged ETH and BNB. The team also said it would work on recovering the remaining funds in the coming days.
"At present, the security companies and project teams of all parties are still continuing to track the hacking incident and communicate with the hacker through email and on-chain methods. The team will continue to work hard to recover more assets," the company said in another tweet.
Also Read: XRP up 11% in 24 hours after minor win against SEC, could spike further if this one thing happens
SlowMist, one of the cybersecurity firms involved in tracking down and recovering the stolen funds, revealed that a vulnerability in Transit Swap's smart contract code allowed tokens to be transferred directly to the exploiter's address.
"The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during the token swap, which leads to the issue of arbitrary external calls. The attacker exploited this arbitrary external call issue to steal the tokens approved by the user for Transit Swap."
A staggering $1.9 billion worth of cryptocurrency has been stolen through various exploits in the first seven months of this year. That equates to a 60 percent increase from the same period last year, according to a Chainalysis report. Fortunately for Transit Swap, security teams could recover most of the stolen funds and get to the root of the vulnerability. Efforts can now be made to sure-up security on the platform and reduce the chances of repeat incidents.