Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime

Hacker Steals $29M From Transit Finance, Returns $19M

Thief Retains $2M as 'Bug Bounty,' Loses $1M to Bot Attack
Hacker Steals $29M From Transit Finance, Returns $19M

A hacker stole $28.9 million by exploiting a bug in decentralized exchange aggregator Transit Finance on Sunday. Within two days of the theft, the thief returned nearly $18.9 million, keeping a $2 million "bug bounty."

See Also: Revolutionizing Cross-Border Transactions with Permissioned DeFi

The company halted its cross-chain digital asset swapping services and suspended the faulty contract but has not yet issued a fix for the bug.

Transit Finance's internal security team and blockchain security firms PeckShield, SlowMist, Bitrace and TokenPocket helped uncover the attacker's IP, email and associated on-chain addresses over the weekend, the victim company said in a series of tweets on Sunday.

"The incident is still being progressed and resolved, and we will continue to communicate and try our best to recover more assets for users," it added in a Monday update.

The incident affected a "large number of users" who will be refunded "as soon as possible," the company said, without providing specific numbers.

The attacker also became the victim of a cyberattack, with an arbitrage bot stealing $1.1 million when the attacker illegally transferred stolen funds from a user account, SlowMist says.

Bounty Plans

The hacker sent 10,000 Binance coins, currently worth about $2 million, to Department of Treasury-sanctioned cryptocurrency mixer Tornado Cash as a "bug bounty," according to blockchain security firm CertiK. The hacker claims they could have exploited the crypto platform for $100 million, the firm says.

In an effort to get back the stolen assets and "avoid escalating the situation," Transit Finance says it is formulating bug bounty rules to incentivize hackers, white hat or otherwise, who drain funds.

PeckShield, which is part of the investigation team, tracked the flow of the stolen funds here:

Vulnerability Details

The hacker exploited a composability issue or misplaced trust on the platform's swap contract to steal the funds, says PeckShield. SlowMist shared a detailed analysis of the hack process. Essentially, the attacker exploited a bug, which allowed arbitrary external calls, to steal tokens that the platform's users approved for swap.

Transit Finance's smart contracts are unverified, says CertiK. The project's GitHub does not share its code either, it says, making it tough for white hats to scan for potential vulnerabilities. Transit Finance reportedly says its aggregator contract was audited by PeckShield, but the latter, in a Telegram message, says the contract containing the exploited bug was not part of its audit.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.