Another Exploit in the Books - This Time it's Transit Swap, But Some Already Recovered

By kev_nag | 2 Oct 2022

“Transit Swap, a multi-chain decentralized exchange (DEX) aggregator, lost roughly $21 million after a hacker exploited an internal bug on a swap contract” [Sarkar, A. Transit Swap loses over $21M due to code bug exploit, issues apology. (Accessed October 2, 2022)].

“The multi-chain DEX announced this on Twitter while also apologizing for the exploit. ‘After a self-review by the TransitFinance team, it was confirmed that the incident was caused by a hacker attack due to a bug in the code. We are deeply sorry,’ it said” [Adejumo, O. Hacker Exploits $21M Vulnerability in Transit Swap. (Accessed October 2, 2022)].


“Blockchain investigator Peckshield narrowed down the attack to a compatibility issue or misplaced trust in the swap contract” [Sarkar, supra]. Peckshield has shared its flowchart depicting the movement of the stolen Transit Swap assets.

In its announcement, Transit Swap pledged:

We now have a lot of valid information such as the hacker’s IP, email address, and associated on-chain addresses. We will try our best to track the hacker and try to communicate with the hacker and help everyone recover their losses.

[Transit Swap. Tweet. (Accessed October 2, 2022)].

Their “[…] effort appears successful because the latest update from Transit Finance confirmed that the hacker had returned 70% of the funds to two addresses. But efforts remain underway to recover the remainder of the funds. According to SlowMist, an arbitrage bot front-ran the hacker as they transferred BUSD assets from the user on the BSC chain and made 1.07 million BUSD in profit” [Adejumo, supra].


However, it appears that not everyone is happy with the 70% recovery. Twitter user @degenwisdom69 tweeted: “Regardless, you should cover the 30% if he doesn’t return any more. This should never have happened” [@degenwisdom69. Tweet. (Accessed October 2, 2022)].

“Reciprocating the updated security measures implemented by crypto businesses, hackers continue to evolve their methods to dupe investors. Recently, a hacker used an Ethereum (ETH) arbitrage trading bot to exploit a “bad code” vulnerability for draining 1,101 ETH, which was around $1.41 million at the time of writing” [Sarkar, supra].

