The DEX aggregator lost the funds after a hacker exploited an internal bug on a swap contract on Oct. 1, leading to a quick response from the Transit Finance team along with security companies Peckshield, SlowMist, Bitrace and TokenPocket, who were able to quickly work out the hacker’s IP, email address and associated-on chain addresses.
It appears these efforts have already borne fruit, as less than 24 hours after the hack, Transit Finance noted that “with joint efforts of all parties,” the hacker has returned 70% of the stolen assets to two addresses, equating to roughly $16.2 million.
In the most recent update, Transit Finance stated that “the project team is rushing to collect the specific data of the stolen users and formulate a specific return plan” but also remains focused on retrieving the final 30% of stolen funds.
At present, the security companies and project teams of all parties are still continuing to track the hacking incident and communicate with the hacker through email and on-chain methods. The team will continue to work hard to recover more assets," it said.
Cybersecurity firm SlowMist in an analysis of the incident noted that the hacker used a vulnerability in Transit Swap’s smart contract code, which came directly from the transferFrom() function, which essentially allowed users' tokens to be transferred directly to the exploiter's address:
“The root cause of this attack is that the Transit Swap protocol does not strictly check the data passed in by the user during token swap, which leads to the issue of arbitrary external calls. The attacker exploited this arbitrary external call issue to steal the tokens approved by the user for Transit Swap.”