Hacker Steals $29M From Transit Finance, Returns $19M
Thief Retains $2M as 'Bug Bounty,' Loses $1M to Bot Attack
A hacker stole $28.9 million by exploiting a bug in decentralized exchange aggregator Transit Finance on Sunday. Within two days of the theft, the thief returned nearly $18.9 million, keeping a $2 million "bug bounty."
The company halted its cross-chain digital asset swapping services and suspended the faulty contract but has not yet issued a fix for the bug.
Transit Finance's internal security team and blockchain security firms PeckShield, SlowMist, Bitrace and TokenPocket helped uncover the attacker's IP, email and associated on-chain addresses over the weekend, the victim company said in a series of tweets on Sunday.
"The incident is still being progressed and resolved, and we will continue to communicate and try our best to recover more assets for users," it added in a Monday update.
The incident affected a "large number of users" who will be refunded "as soon as possible," the company said, without providing specific numbers.
The attacker also became the victim of a cyberattack: an arbitrage bot took $1.1 million while the attacker was illegally transferring stolen funds from a user account, SlowMist says.
The hacker sent 10,000 Binance coins, currently worth about $2 million, to Department of Treasury-sanctioned cryptocurrency mixer Tornado Cash as a "bug bounty," according to blockchain security firm CertiK. The hacker claims they could have exploited the crypto platform for $100 million, the firm says.
In an effort to get back the stolen assets and "avoid escalating the situation," Transit Finance says it is formulating bug bounty rules to incentivize hackers, white hat or otherwise, who drain funds to return them.
PeckShield, which is part of the investigation team, tracked the flow of the stolen funds here:

"Here comes the flow of stolen assets w/ the cost of ~$21M. @0xTransition Note the hacker may have performed earlier withdrawals from known exchanges. https://t.co/cZhQk2fotf pic.twitter.com/eGGFiD0LIW"
— PeckShield Inc. (@peckshield) October 2, 2022
The hacker exploited a composability issue or misplaced trust in the platform's swap contract to steal the funds, says PeckShield. SlowMist shared a detailed analysis of the hack process. Essentially, the attacker exploited a bug that allowed arbitrary external calls from the swap contract, and used it to pull tokens that the platform's users had approved that contract to spend.
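The following Solidity sketch is an added illustration of the general anti-pattern described above; it is not Transit Finance's code (whose source is unverified) and is not taken from the SlowMist or PeckShield analyses. A swap router that forwards caller-supplied calldata to a caller-supplied address is itself the `msg.sender` of that forwarded call, so every token approval users have granted the router becomes reachable through it. The hardened version restricts forwarded calls to an owner-maintained allow-list of DEX targets, refuses to call token contracts, approves the target for only the amount pulled, and checks that output actually arrived. Contract and variable names (`VulnerableRouter`, `HardenedRouter`, `allowedTargets`, `knownTokens`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical illustration of the "arbitrary external call" anti-pattern
// in a swap aggregator. Not Transit Finance's code.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Anti-pattern: the router forwards caller-chosen calldata to a caller-chosen
/// target. Because the router is msg.sender of that call, any token contract a
/// user has approved to the router can be invoked on the user's behalf. The bug
/// is the unrestricted `target.call(data)`, not the swap logic around it.
contract VulnerableRouter {
    function swap(address tokenIn, uint256 amountIn, address target, bytes calldata data) external {
        IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
        (bool ok, ) = target.call(data); // arbitrary target, arbitrary calldata
        require(ok, "swap failed");
    }
}

/// Hardened version: targets are allow-listed, token contracts are never valid
/// call targets, the DEX is approved only for the amount pulled, and the router
/// verifies that the swap delivered output before paying the user.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTargets; // vetted DEX routers only
    mapping(address => bool) public knownTokens;    // never allowed as a call target

    error NotOwner();
    error TargetNotAllowed(address target);
    error TokenAsTarget(address target);
    error InsufficientOutput(uint256 received, uint256 minOut);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function setTarget(address target, bool allowed) external onlyOwner {
        allowedTargets[target] = allowed;
    }

    function setToken(address token, bool known) external onlyOwner {
        knownTokens[token] = known;
    }

    function swap(
        address tokenIn,
        uint256 amountIn,
        address tokenOut,
        uint256 minOut,
        address target,
        bytes calldata data
    ) external {
        // 1. Only pre-approved DEX contracts may receive forwarded calls.
        if (!allowedTargets[target]) revert TargetNotAllowed(target);
        // 2. A token contract is never a legitimate swap target; this blocks
        //    forwarded transferFrom/approve calls against user approvals.
        if (knownTokens[target] || target == tokenIn || target == tokenOut) {
            revert TokenAsTarget(target);
        }

        // 3. Pull exactly what the user asked to swap and approve only that much.
        IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
        IERC20(tokenIn).approve(target, amountIn);

        // 4. Forward the call, then measure what actually came back.
        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
        IERC20(tokenIn).approve(target, 0); // drop any leftover allowance

        uint256 received = IERC20(tokenOut).balanceOf(address(this)) - before;
        if (received < minOut) revert InsufficientOutput(received, minOut);

        // 5. Pay out only the measured output.
        IERC20(tokenOut).transfer(msg.sender, received);
    }
}
```

The allow-list is the essential control: once the set of callable addresses is fixed by the contract owner rather than the caller, a user's approval to the router can only ever be spent through vetted exchange contracts, and the output check catches a forwarded call that consumed the input without returning anything.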
The source code of Transit Finance's smart contracts is unverified, says CertiK. The project's GitHub does not share the code either, it says, making it tough for white hats to scan for potential vulnerabilities. Transit Finance reportedly says its aggregator contract was audited by PeckShield, but the latter, in a Telegram message, says the contract containing the exploited bug was not part of its audit.