Homecryptocurrency News

Hacker exploits platform bug to syphon $23M from Transit Swap, returns 70% of loot a day later

Hacker exploits platform bug to syphon $23M from Transit Swap, returns 70% of loot a day later

Hacker exploits platform bug to syphon $23M from Transit Swap, returns 70% of loot a day later
Read Time
3 Min(s) Read
Profile image

By CNBCTV18.com Oct 3, 2022 11:55:47 AM IST (Published)

"After a self-review by the TransitFinance team, it was confirmed that the incident was caused by a hacker attack due to a bug in the code. We are deeply sorry," read Transit Swap's announcement on Twitter.

On Saturday, Transit Swap became the latest platform to fall victim to crypto scammers. The decentralised exchange (DEX) lost nearly $23 million after a hacker was able to exploit an internal bug and disappear with user funds. After the attack was discovered, Transit Swap apologised to its users and shed light on its efforts to nab the culprit behind the hack.

Recommended Articles

View All

"After a self-review by the TransitFinance team, it was confirmed that the incident was caused by a hacker attack due to a bug in the code. We are deeply sorry," read Transit Swap's announcement on Twitter. “Security companies are tracking the relevant data on-chain, and we will make further announcements about this event later,” it added.
However, in a surprising turn of events, the hacker returned most of the stolen funds less than 24 hours after committing the attack. It seems the hacker was forced to give up his loot after the Transit Finance team and several security companies ascertained plenty of the attacker's details.
Just as the hack was discovered, security teams from SlowMist, Bitrace, and Peckshield began to track the culprit. Within hours, they were able to unearth several vital details about the attack, including the hacker's IP address, email ID, and other on-chain addresses.
The prompt efforts seem to have paid off, with Transit Swap announcing that the hacker had returned 70 percent of the stolen assets, which translates to roughly $16.2 million. The returned loot majorly consisted of ETH, Binance-pegged ETH and BNB. The team also said it would work on recovering the remaining funds in the coming days.
"At present, the security companies and project teams of all parties are still continuing to track the hacking incident and communicate with the hacker through email and on-chain methods. The team will continue to work hard to recover more assets," the company said in another tweet.
SlowMist, one of the cybersecurity firms involved in tracking down and recovering the stolen funds, revealed that a vulnerability in Transit Swap's smart contract code allowed tokens to be transferred directly to the exploiter's address.
"The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during the token swap, which leads to the issue of arbitrary external calls. The attacker exploited this arbitrary external call issue to steal the tokens approved by the user for Transit Swap."
A staggering $1.9 billion worth of cryptocurrency has been stolen through various exploits in the first seven months of this year. That equates to a 60 percent increase from the same period last year, according to a Chainalysis report. Fortunately for Transit Swap, security teams could recover most of the stolen funds and get to the root of the vulnerability. Efforts can now be made to sure-up security on the platform and reduce the chances of repeat incidents.
Check out our in-depth Market Coverage, Business News & get real-time Stock Market Updates on CNBC-TV18. Also, Watch our channels CNBC-TV18, CNBC Awaaz and CNBC Bajar Live on-the-go!