I could get $100M if I attacked other chains: TransitSwap Hacker

Sahana Kiran

Hacks have become increasingly common in the crypto-verse. While earlier exploits were limited to stealing funds, attackers now often use a hack to point projects at their own vulnerabilities. Several compromised firms over the last couple of months have managed to retrieve funds; however, the risk of being attacked remains. TransitSwap, a decentralized exchange aggregator, was recently drained of about $23 million. While the platform managed to recover 70 percent of the funds, the hacker had a rather distressing message for the platform.

The hacker exploited an internal bug in a swap contract. However, the hacker was soon traced once his IP, email address, and associated on-chain addresses were gathered. Following the efforts of several “parties”, the hacker returned about $16.2 million.

It should be noted that the funds were recovered in Ether, Binance-Peg ETH, and Binance Coin [BNB]. The remaining 30 percent of the funds are still with the hacker. While it came to light that some of the stolen funds had been moved to Tornado Cash, the hacker reportedly stated,

“I only exploited ETH and BSC. If I attack other chains, I can get $100m. I should get a higher bounty than what I get now. It’s hard not to suspect that this is your official backdoor.”

While the return of the funds came as a relief to the platform’s distressed users, the latest message caused chaos.

SlowMist breaks down Transit Swap’s recent attack

In its analysis of the incident, cybersecurity company SlowMist reported that the hacker had taken advantage of a vulnerability in the Transit Swap smart contract code originating from the transferFrom() function, which effectively allowed users’ tokens to be sent straight to the exploiter’s address.

Elaborating on the same, the platform wrote,

“The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during token swap, which leads to the issue of arbitrary external calls. The attacker exploited this arbitrary external call issue to steal the tokens approved by the user for Transit Swap.”
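To make the vulnerability class SlowMist describes concrete, the following is an added, hypothetical Solidity example written for this article; it is not Transit Swap’s code and the contract names, function names and checks are assumptions. It places a router that forwards user-supplied call data without validation next to a hardened version that restricts which contracts may be called, refuses known token-moving selectors, and never exposes the user’s standing allowance to the forwarded call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface used by the routers below (hypothetical example).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (illustrative, not Transit Swap's code):
// The router forwards whatever (target, data) the caller supplies. Because users have
// approved this router to spend their tokens, the forwarded call can be a
// token.transferFrom(user, ..., amount) that the router executes with its own allowance.
contract UnsafeRouter {
    function swap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// HARDENED PATTERN:
//  1. Only allow-listed DEX contracts may be call targets; token contracts never are.
//  2. Calls whose selector is transferFrom are rejected regardless of target.
//  3. The router pulls exactly amountIn from msg.sender, grants the target an allowance
//     for that amount only, and resets it afterwards, so the user's standing allowance to
//     the router is never reachable through the forwarded call.
contract SafeRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    event TargetAllowed(address indexed target, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Governance registers DEX routers here; token contracts must never be added.
    function setTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
        emit TargetAllowed(target, allowed);
    }

    function swap(
        address tokenIn,
        uint256 amountIn,
        address target,
        bytes calldata data
    ) external {
        require(allowedTarget[target], "target not allow-listed");
        require(target != tokenIn, "token contract is not a valid target");
        require(data.length >= 4, "missing selector");
        // Defence in depth: never forward a transferFrom call, whatever the target.
        require(bytes4(data[:4]) != IERC20.transferFrom.selector, "transferFrom forbidden");

        // Pull only the amount the caller asked to swap, from the caller.
        // (Production code would use a SafeERC20-style wrapper for non-standard tokens.)
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Bound the DEX's spending power to this swap.
        require(IERC20(tokenIn).approve(target, amountIn), "approve failed");
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");

        // Remove any leftover allowance so a later call cannot reuse it.
        require(IERC20(tokenIn).approve(target, 0), "reset failed");
    }
}
```

The key design point is that an aggregator should treat the user’s approval as something it spends on the user’s behalf for one declared amount, never as a capability that arbitrary call data can reach. A stricter variant would encode the DEX call itself inside the router (fixed function, validated parameters) instead of forwarding raw bytes at all.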