Transit Swap Hack 2022 — $69M Exploit Analysis

An arbitrary call vulnerability in Transit Swap's contracts allowed attackers to steal $69M from user wallets.

Details

Full Description

Transit Swap's swap contract contained a function that allowed arbitrary external calls without proper validation. Attackers crafted calls to transfer tokens directly from users who had approved the Transit Swap contract, bypassing the intended swap functionality.

Laundering Analysis

Within 24 hours, the attacker (possibly white hat) returned approximately $64.4M (~70% of funds) after Transit Swap and on-chain investigators identified their IP address. Remaining funds moved through cross-chain bridges. Team offered 5% bounty.

Sources

Transaction Hashes

Related Hacks

Back to Browse