October 11th, 2022
In October 2022, the Transit Swap cross-chain DEX aggregator was the victim of an attack. By taking advantage of a vulnerability in the unverified contract code, the attacker was able to steal an estimated $21 million from the wallets of the protocol’s users.
The root cause of the Transit Swap hack was a lack of input validation for critical parameters within the contract’s claimTokens function. When transferring tokens on Ethereum, the token’s contract is called with the source and destination addresses and the amount to transfer.
In this case, these values were provided by the user, and the contract did not properly validate them before making an external call. As a result, the attacker was able to specify both the token contract whose transferFrom function would be executed and the parameters passed to it.
To use Transit Swap, users must create approvals that permit its permissions management contract to withdraw tokens from their wallets. These existing approvals, combined with the vulnerability in Transit Swap’s claimTokens function, allowed the attacker to drain approximately $21 million in tokens from users’ wallets.
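The pattern described above, shown as an added illustration rather than Transit Swap’s own (unverified) code: the contract names PermissionsManager, VulnerableClaim and HardenedClaim, the pull and setAllowedToken functions and the allow-list design are assumptions made for this example, not reconstructed from the real deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the permissions-management contract that holds users' approvals.
// Only the aggregator contract that deployed it may instruct it to spend those approvals.
contract PermissionsManager {
    address public immutable aggregator;
    constructor() { aggregator = msg.sender; }

    function pull(address token, address from, address to, uint256 amount) external {
        require(msg.sender == aggregator, "not aggregator");
        require(IERC20(token).transferFrom(from, to, amount), "transferFrom failed");
    }
}

// Vulnerable pattern: every transferFrom argument comes from the caller unchecked, so any
// caller can point the manager's approvals at any token, any payer and any recipient.
contract VulnerableClaim {
    PermissionsManager public immutable manager;
    constructor() { manager = new PermissionsManager(); }

    function claimTokens(address token, address from, address to, uint256 amount) external {
        manager.pull(token, from, to, amount); // no validation of token, from or to
    }
}

// Hardened pattern: the payer is always the caller, the recipient is always this contract,
// and the token must be on an allow-list maintained by the owner.
contract HardenedClaim {
    PermissionsManager public immutable manager;
    address public immutable owner;
    mapping(address => bool) public allowedToken;

    constructor() { manager = new PermissionsManager(); owner = msg.sender; }
    function setAllowedToken(address token, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = ok;
    }

    function claimTokens(address token, uint256 amount) external {
        require(allowedToken[token], "token not allowed");
        // msg.sender pays and this contract receives, so one user's approval
        // can never be spent on behalf of another.
        manager.pull(token, msg.sender, address(this), amount);
    }
}
```

The difference to look for in review is the signature of claimTokens: once the payer and recipient are derived from msg.sender and the contract itself rather than from calldata, an existing approval to the manager can only move the approver’s own tokens into the protocol.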
The Transit Swap wallet contract is an unverified contract, meaning that the source code is not publicly available. This makes it more difficult to review the contract code for the types of security errors exploited in this attack.
However, this reliance on security through obscurity obviously does not prevent attackers from identifying and exploiting these vulnerabilities. Making code public builds trust in a contract and could have allowed white-hat hackers to identify and report the flaws before they were exploited.
In this case, the attacker relented and returned over 70% of the stolen assets, but the next project may not be so lucky. To learn how to better protect your project against DeFi hackers, reach out to Halborn’s security experts at email@example.com.