An arbitrary call vulnerability in Transit Swap's contracts allowed attackers to steal $69M from user wallets.
Transit Swap's swap contract contained a function that allowed arbitrary external calls without proper validation. Attackers crafted calls to transfer tokens directly from users who had approved the Transit Swap contract, bypassing the intended swap functionality.
Within 24 hours, the attacker (possibly white hat) returned approximately $64.4M (~70% of funds) after Transit Swap and on-chain investigators identified their IP address. Remaining funds moved through cross-chain bridges. Team offered 5% bounty.
0x181a7882aac0eab1036eedba25bc95a16e9e58b1d56e10d0f4d1d5a16f0c4c0