Transit Swap Hack Analysis

Numen Cyber Labs
Oct 2, 2022

Event Summary

On October 2, while monitoring on-chain data, Numen Cyber Labs found that Transit Swap, a cross-chain trading aggregator backed by TokenPocket, had been hacked, with very large losses. At the time of writing, the hacker address 0x75F2abA6a44580D7be2C4e42885D4a1917bFFD46 holds 3,180 ETH (worth $4,161,559) on Ethereum, 49,612 BNB (worth $14,011,105) on BNB Smart Chain (BSC), and some other tokens. The total loss from the attack is close to $21 million.

Attack Analysis

The attack took place on BSC. When a user swaps through Transit Swap, the call goes through an entry contract (0x8785bb8deae13783b24d7afe250d42ea7d7e9d72). This entry contract selects the execution path according to the token type. At the end of that path, contract 0x0B47275E0Fe7D5054373778960c99FD24F59ff52 calls claimTokens on contract 0xed1afc8c4604958c2f38a3408fa63b32e737c428, which performs the actual transfer.

As shown in the figure above, the first few calls check the balance and check whether the specified contract holds the allowance it needs to call transferFrom.

The attack starts with a call to contract 0x8785bb8deae13783b24d7afe250d42ea7d7e9d72, which acts as the flash-swap entry. That contract calls the callBytes(bytes) function of 0x0b47275e0fe7d5054373778960c99fd24f59ff52, and the bytes passed in here are already attacker-controlled. Next, getFeeRate(address, uint256, uint256, string) on contract 0x75fa557bb38daa465f06f5e605e46abe0d5ce9ec is called to look up the fee rate. Finally, claimTokens(address, address, address, uint256) on contract 0xed1afc8c4604958c2f38a3408fa63b32e737c428 is called. This function first performs the authorization for 0xed1afc8c4604958c2f38a3408fa63b32e737c428 and then calls the transfer (there are presumably different branches inside the function). The figure below shows the authorization calldata:

Looking at the call stack, the spender in transferFrom is already 0xed1afc8c4604958c2f38a3408fa63b32e737c428, which holds the allowance that users granted it and can therefore call transferFrom to move their tokens to the hacker's address. Because the arguments to claimTokens are taken from the attacker-supplied bytes, the attacker, not the token owner, decides whose balance is pulled.

Reference TX: 0x181a7882aac0eab1036eedba25bc95a16e10f61b5df2e99d240a16c334b9b189

Conclusion

In the ERC-20 standard, approve has always been a source of trouble, and many security incidents have been tied to it. Likewise, when a call crosses contracts, data that the upper layer passes through unchanged to the lower layer must be handled with care: a lower-layer function must not accept arguments simply because they arrived via a privileged caller, and the return value that the lower layer hands back to the upper layer must be treated as untrusted and verified properly. Hacks are frequent in the bear market, and users need to stay alert.
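To make the pass-through pattern from the attack analysis and the lesson in this paragraph concrete, here is an added illustration written for this article. It is not Transit Swap's code and does not reproduce the real contracts: the contract names, the setRouter and swap functions, and the exact argument order are assumptions. The vulnerable half models a router that forwards opaque bytes to a privileged claimTokens, so whoever calls the router can name any `from` address that has approved the claimer; the hardened half removes the opaque pass-through, binds `from` to the router's own msg.sender, whitelists routers, validates arguments, and checks the lower layer's return value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// ---- Vulnerable pattern (illustrative, not Transit Swap's code) ----------
// The router forwards caller-supplied bytes unchanged (the callBytes step),
// and the claimer accepts every argument because the call came via the router.
contract VulnerableRouter {
    address public claimer;

    constructor(address claimer_) { claimer = claimer_; }

    // `data` is chosen entirely by the caller. It can be
    // abi.encodeWithSelector(VulnerableClaimer.claimTokens.selector,
    //                        token, victim, attacker, amount)
    function callBytes(bytes calldata data) external {
        (bool ok, ) = claimer.call(data);
        require(ok, "inner call failed");
    }
}

contract VulnerableClaimer {
    address public router;

    // Hypothetical one-time wiring; the real deployment flow is not modelled.
    function setRouter(address router_) external {
        require(router == address(0), "router already set");
        router = router_;
    }

    // Users approve this contract as spender so swaps can pull their tokens.
    // `from` is whatever bytes the router received, so anyone who has ever
    // approved this contract can be named as the source of funds.
    function claimTokens(address token, address from, address to, uint256 amount) external {
        require(msg.sender == router, "caller is not router");
        IERC20(token).transferFrom(from, to, amount); // return value ignored
    }
}

// ---- Hardened pattern -----------------------------------------------------
contract HardenedClaimer {
    address public immutable owner;
    mapping(address => bool) public isRouter;

    constructor() { owner = msg.sender; }

    function setRouter(address router_, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isRouter[router_] = allowed;
    }

    // `from` is still supplied by the upper layer, so each whitelisted router
    // is part of the trusted base; the router below only ever passes its own
    // msg.sender here and never forwards raw bytes.
    function claimTokens(address token, address from, address to, uint256 amount) external {
        require(isRouter[msg.sender], "caller is not a router");
        require(to != address(0) && amount > 0, "bad arguments");
        // Treat the lower layer's return value as untrusted: check it.
        bool ok = IERC20(token).transferFrom(from, to, amount);
        require(ok, "transferFrom returned false");
    }
}

contract HardenedRouter {
    HardenedClaimer public immutable claimer;

    constructor(HardenedClaimer claimer_) { claimer = claimer_; }

    // No opaque calldata reaches the claimer. The token owner is fixed to
    // msg.sender inside the router, and the pulled tokens land in the router
    // itself, so a caller cannot point the transfer at another user's balance.
    function swap(address token, uint256 amount) external {
        claimer.claimTokens(token, msg.sender, address(this), amount);
        // ... perform the swap with the pulled tokens here ...
    }
}
```

The point of the hardened version is not the whitelist alone: a whitelisted router that still forwards attacker bytes to claimTokens would leave the same hole. The invariant to preserve is that the address whose allowance is spent is derived from the transaction's actual caller at the first trusted layer, never from data the caller supplied. Note also that some widely used tokens do not return a bool from transferFrom; in production the return-value check should go through a wrapper such as OpenZeppelin's SafeERC20 rather than the bare interface shown here.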

At present, Transit Swap has suspended all contract trading functions and is trying to trace the hacker in the hope of recovering the losses. Numen Cyber Labs advises anyone who has used Transit Swap to go to revoke.cash, revoke the approvals granted to its contracts, and withdraw their funds.

Update before publication: the Transit Swap attacker has returned about 70% of the stolen assets.

Numen Cyber Technology is a cybersecurity vendor and solution provider based in Singapore, dedicated to Web3 security and threat detection and response.