A hacker steals $23 million by taking advantage of a Transit Swap flaw. Here's everything you need to know
Transit Swap, a decentralized exchange (DEX) aggregator, has lost $23 million in a cyberattack before receiving $16.1 million back.
A new day, a new hack involving decentralized finance (DeFi). This time, Transit Swap was the intended victim. On Sunday, Transit Swap acknowledged that a hacker had successfully taken advantage of "a fault in the code."
According to the crypto security company SlowMist, the amount of the stolen funds was estimated by the "team to be over $23 million" after analysis.
Notably, during a transfer, an arbitrage bot appears to have outrun the hacker. Computer programs called arbitrage bots conduct trades based on market data. A front-running bot, on the other hand, can scan pending transactions in milliseconds and pay higher gas prices to have their transactions processed first by miners.
Transit Swap was able to swiftly compile information on the hacker, according to the DEX aggregator team, owing to a number of security teams, including SlowMist, PeckShield, Bitrace, and TokenPocket.
They stated in a tweet,
"We currently possess a wealth of reliable information, including the hacker's IP address, email address, and related on-chain addresses. We'll do everything we can to find the hacker, get in touch with him or her, and aid everyone in making up for their losses."
The team promised to provide further information about the incident "as soon as feasible."
However, SlowMist said in their analysis that the fundamental cause of the attack is that the Transit Swap protocol "does not strictly check the data sent in by the user during token swap, which leads to the issue of arbitrary external calls."
Using this arbitrary external call flaw, the attacker stole the tokens that users had approved Transit Swap to spend.
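To make the flaw class concrete, the following is an added, constructed Solidity example (not Transit Swap's code and not from SlowMist's analysis): a router that executes a caller-chosen target and calldata while holding users' token approvals, beside a hardened variant that restricts calls to registered adapters and only ever pulls the caller's own tokens. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed example of the weak pattern: the swap target and calldata come
// straight from the user. Because users have approved this contract to spend
// their tokens, any call it makes on a caller's behalf can spend those
// allowances, so an arbitrary external call here is a loss of user funds.
contract VulnerableRouter {
    function swap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data); // unchecked target and data
        require(ok, "swap failed");
    }
}

// Hardened version: only owner-registered swap adapters may be called, and the
// router pulls tokens explicitly from msg.sender before the call, so no
// third party's allowance is reachable through the external call.
contract HardenedRouter {
    address public owner;
    mapping(address => bool) public allowedAdapter;

    constructor() { owner = msg.sender; }

    function setAdapter(address adapter, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedAdapter[adapter] = allowed;
    }

    function swap(address adapter, address token, uint256 amount, bytes calldata data) external {
        require(allowedAdapter[adapter], "adapter not allowed");
        // Move only the caller's own tokens; the router never forwards user-chosen
        // calldata to an arbitrary address.
        require(IERC20(token).transferFrom(msg.sender, adapter, amount), "pull failed");
        (bool ok, ) = adapter.call(data);
        require(ok, "swap failed");
    }
}
```

A review check for this class: any `call`, `delegatecall` or low-level forwarding whose destination or selector is user-controlled, inside a contract that holds ERC-20 allowances, should be treated as a finding until the destination is restricted.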
70% of the money was reimbursed
The hacker has returned roughly 70% of the stolen assets to two addresses on Ethereum (ETH) and BNB Smart Chain, according to Transit Swap, just hours after the theft was disclosed by the company.
In light of this, the group chose to transfer the money.
According to the $23 million figure provided by SlowMist, the hacker has repaid about $16.1 million.
Etherscan and BscScan, which show that millions in ETH and BNB had been taken, appear to confirm these sums.
Will the users receive payment?
No compensation plan has been shared so far, but the team claimed that they are working to "formulate a specific return plan."
According to Transit Swap's most recent update as of the time of writing, security firms and project teams are still monitoring the incident and corresponding with the hacker "through email and on-chain methods."
They continued by saying they will "keep working hard to retrieve more assets."
According to the update, the project team is gathering information on the affected users in order to reimburse them for the funds that were taken.