
Transit Swap 'Hacker' Returns 70% of Stolen Funds Totaling $23 Million

On October 1, a hacker exploited an internal bug in a swap contract, causing the DEX aggregator to lose $23M in funds. However, a quick reaction from the community helped recover 70% of the stolen funds.

03-Oct-2022 By: Rohit Tripathi

Around 70% of the $23 million stolen from Transit Swap, a DEX aggregator, has been recovered thanks to a quick response from a number of blockchain security firms.

On October 1, a hacker exploited an internal bug in a swap contract, causing the DEX aggregator to lose $23 million in funds. This prompted a quick response from the Transit Finance team, as well as security firms PeckShield, SlowMist, Bitrace, and TokenPocket. This helped the firm immediately determine the hacker's IP, email address, and associated on-chain addresses.

These efforts appear to have already paid off, as Transit Finance stated that "with the combined efforts of all stakeholders," the hacker had returned 70% of the stolen funds in less than 24 hours. The hacker transferred the stolen funds to two addresses, totaling around $16.2 million.

According to reports, these funds came in the form of 3,180 ETH worth $4.2 million, 1,500 BNB-Peg ETH worth $2 million, and 50,000 BNB worth $14.2 million.

As per the most recent update, the project team is scrambling to collect the personal data of the users and formulate a detailed return strategy. However, the focus is also set on recovering the remaining 30% of stolen funds.

At present, the security companies and project teams from all stakeholders are still tracking the hacking incident and communicating with the hacker via email and on-chain methods. According to the statement, the team will continue to work diligently to recover additional assets.

An investigation by a cybersecurity firm found that the hacker exploited a flaw in Transit Swap's smart contract code, which came directly from the transferFrom() method. This effectively allowed users' tokens to be transferred straight to the exploiter's address.

COINGABBAR VIEWS: The root cause of this attack is that the Transit Swap protocol does not carefully validate the data passed in by the user during the token swap, which results in the issue of arbitrary external calls. The attacker took advantage of the arbitrary external call vulnerability to steal the tokens allowed by the user for Transit Swap.
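The validation described above as missing can be modelled off-chain. The following Python sketch is an added example, not Transit Swap's code and not part of the original article; it checks a user-supplied call target and calldata before a router would forward them. The allowlist policy, the function names and every address are assumptions constructed for illustration; only the three ERC-20 selectors are real.

```python
# Added example; every address and name below is constructed for illustration.
TRANSFER_FROM = bytes.fromhex("23b872dd")   # transferFrom(address,address,uint256)
FUND_MOVING = {
    TRANSFER_FROM,
    bytes.fromhex("a9059cbb"),              # transfer(address,uint256)
    bytes.fromhex("095ea7b3"),              # approve(address,uint256)
}

def abi_address(word: bytes) -> str:
    """Decode a 32-byte ABI word as an address; upper 12 bytes must be zero."""
    if len(word) != 32 or any(word[:12]):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def abi_word(addr: str) -> bytes:
    """Encode a 0x-prefixed address as a left-padded 32-byte ABI word."""
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")

def check_external_call(caller, target, calldata, allowed_targets):
    """Decide whether a router may forward a user-supplied (target, calldata).

    Returns (allowed, reason). Assumed policy: allowlisted targets only, and
    never a call that moves ERC-20 balances or allowances.
    """
    if len(calldata) < 4:
        return False, "calldata shorter than a 4-byte selector"
    selector, args = calldata[:4], calldata[4:]
    if selector == TRANSFER_FROM and len(args) >= 96:
        owner = abi_address(args[:32])      # whose allowance would be spent
        if owner != caller.lower():
            return False, f"transferFrom spends allowance of {owner}, not the caller"
    if selector in FUND_MOVING:
        return False, "ERC-20 fund-moving selector in user-supplied calldata"
    if target.lower() not in allowed_targets:
        return False, "target not on the router's allowlist"
    return True, "ok"

# Constructed sample data: a caller, another approver, a token and a vetted pool.
USER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN, POOL = "0x" + "aa" * 20, "0x" + "bb" * 20
ALLOWED = {POOL}
AMOUNT = (10**18).to_bytes(32, "big")
SPEND_OTHER = TRANSFER_FROM + abi_word(OTHER) + abi_word(USER) + AMOUNT
SWAP_CALL = bytes.fromhex("12345678") + AMOUNT   # made-up selector for a pool call
```

The rejection reason names the address whose allowance the calldata would have spent, which is the detail an alert or incident timeline needs.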
