
Transit swap ‘hacker’ returns 70% of $23M in stolen funds

A quick response from a number of blockchain security companies has helped facilitate the return of around 70% of the $23 million taken in an exploit of decentralized exchange (DEX) aggregator Transit Swap.

The DEX aggregator lost the funds after a hacker exploited an internal bug on a swap contract on Oct. 1, leading to a quick response from the Transit Finance team along with security companies Peckshield, SlowMist, Bitrace and TokenPocket, who were able to quickly work out the hacker’s IP, email address and associated on-chain addresses.

It appears these efforts have already borne fruit, as less than 24 hours after the hack, Transit Finance noted that “with joint efforts of all parties,” the hacker has returned 70% of the stolen assets to two addresses, equating to roughly $16.2 million.

These funds came in the form of 3,180 Ether (ETH) at $4.2 million, 1,500 Binance-Peg ETH at $2 million and 50,000 BNB at $14.2 million, according to BscScan and EtherScan.

In the most recent update, Transit Finance stated that “the project team is rushing to collect the specific data of the stolen users and formulate a specific return plan” but also remains focused on retrieving the final 30% of stolen funds.

“At present, the security companies and project teams of all parties are still continuing to track the hacking incident and communicate with the hacker through email and on-chain methods. The team will continue to work hard to recover more assets,” it said.

In its analysis of the incident, cybersecurity firm SlowMist noted that the hacker used a vulnerability in Transit Swap’s smart contract code that came directly from the transferFrom() function and essentially allowed users' tokens to be transferred directly to the exploiter's address:

“The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during token swap, which leads to the issue of arbitrary external calls. The attacker exploited this arbitrary external call issue to steal the tokens approved by the user for Transit Swap.”
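
The missing check on user-supplied call data that SlowMist describes can be modelled off-chain. The following Python is an added example, not Transit Swap's or SlowMist's code: the addresses, the allowlist and every function name are constructed, and the policy it applies (never forward ERC-20 transfer/transferFrom/approve calls, only call vetted targets) is an assumption about one reasonable mitigation.

```python
# Added example: off-chain model of the input check described above.
# Addresses, the allowlist and all function names are constructed for illustration.
TRANSFER_FROM = "23b872dd"  # selector of transferFrom(address,address,uint256)
BLOCKED = {TRANSFER_FROM: "transferFrom", "a9059cbb": "transfer", "095ea7b3": "approve"}

USER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20   # constructed accounts
TOKEN, POOL = "0x" + "33" * 20, "0x" + "44" * 20   # constructed contracts
ALLOWED_TARGETS = {POOL}                            # assumed: vetted swap venues only


def word(value: str) -> str:
    """ABI-encode an address as a left-padded 32-byte word (hex)."""
    return value[2:].rjust(64, "0")


def address_at(data: bytes, index: int) -> str:
    """Decode the address stored in argument word `index` of the calldata."""
    chunk = data[4 + 32 * index: 36 + 32 * index]
    if len(chunk) != 32 or any(chunk[:12]):
        raise ValueError("malformed address argument")
    return "0x" + chunk[12:].hex()


def check_call(caller: str, target: str, calldata_hex: str):
    """Return (allowed, reason) for a call the router would make for `caller`."""
    try:
        data = bytes.fromhex(calldata_hex)
    except ValueError:
        return False, "calldata is not hex"
    if len(data) < 4:
        return False, "calldata shorter than a selector"
    selector = data[:4].hex()
    if selector == TRANSFER_FROM:
        try:
            owner = address_at(data, 0)  # first argument: whose allowance is spent
        except ValueError as exc:
            return False, str(exc)
        whose = "caller" if owner == caller.lower() else "third party " + owner
        return False, "transferFrom would spend allowance of " + whose
    if selector in BLOCKED:
        return False, "token function " + BLOCKED[selector] + " not forwarded"
    if target.lower() not in ALLOWED_TARGETS:
        return False, "target not on allowlist"
    return True, "ok"


# Constructed inputs: a swap-style call to a vetted pool, and a transferFrom on a token.
SWAP_CALL = "deadbeef" + word(USER)
PULL_CALL = TRANSFER_FROM + word(USER) + word(OTHER) + format(10**18, "064x")
```

The same function can be run over the decoded inner calls of observed router transactions as a monitoring rule, since it reports whose allowance a forwarded transferFrom would spend.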

Author

Cointelegraph Team
