Transit Finance, the multichain decentralized exchange (DEX) aggregator, has announced the terms of an agreement with the hacker who siphoned approximately $23 million from the DEX on October 2nd.
The hacker had exploited an internal bug on a swap contract within the protocol, causing individuals to imitate the security breach, and leading to the loss of more than $21 million in user funds.
🚨 🚨 🚨 It seems there is a composability issue with or misplaced trust on the swap contract of @TransitFinance that just results in the loss of >$15M. The stolen funds are located at: https://t.co/NRwWJncFpl pic.twitter.com/j8mgySbRRF
— PeckShield Inc. (@peckshield) October 1, 2022
Returning a Massive Chunk of the Funds
According to the terms of the agreement, the hacker, who goes by “white hat #1”, will refund 10,000 BNB to users. The return is expected take place in two phases—6,500 BNB on October 11th, and a further 3,500 BNB during the second phase. As a bounty for exposing the issue, white hat #1 will be allowed to retain 2,500 BNB.
On-chain data reveals that the hacker has already transferred the 2,500 BNB token bounty to privacy protocol Tornado Cash.
“TransitFinance Official expresses its gratitude to white hat #1 for the refund and promises that if white hat #1 returns the remaining 3500 BNB as agreed, TransitFinance Official will no longer hold him any legal responsibility,” Transit Finance stated in a Medium blog.
The deal with white hat #1 will add to the $15 million recovered on October 2nd after security firms Peckshield, SlowMist, Bitrace, and TokenPocket were able to track the hacker’s IP address.
📢📢📢Updates about TransitFinance
— Transit Swap | Transit Buy | NFT (@TransitFinance) October 2, 2022
1/5 We are here to update the latest news about TransitFinance Hacking Event. With the joint efforts of all parties, the hacker has returned about 70% of the stolen assets to the following two addresses:
The Transit Finance team has also called upon other exploiters, imitators #3, #6, and arbitrageurs #7, to contact them and return the rest of the users’ assets “as soon as possible.” According to the announcement, those who fail to fully refund the stolen funds will be subject to the judicial process after October 12th, 2022.
Hacks Plague the DeFi Space
In 2022, DeFi, a market in which lending, trading, and other financial activities can be conducted without the intervention of traditional middlemen, has been plagued with hacks of all kinds.
So far this year, hackers have stolen more than $2.32 billion from the industry in over 135 exploits, according to blockchain security firm PeckShield. The figure is 50% larger than that recorded in 2021.
The most high profile theft this year came in the form of the Ronin Network exploits, which saw more than $625 million siphoned from the platfrom in ETH and USDC. Meanwhile, the recent BNB Chain incident resulted in the loss of more than $100 million.
It is estimated that approximately 50% of the money stolen from these protocols, worth around $1.16 billion, was exchanged through Tornado Cash, an Ethereum-based, privacy-focused cryptocurrency mixer that was sanctioned by the U.S. government in August. Only a small percentage of these lost funds have been retrieved.
According to recent reports from PeckShield, the Transit Swap hacker has already returned 6,500 of the promised 10,000 BNB tokens.
On the Flipside
- While the DeFi space has been subjected to losses of $2.34 billion due to attacks and exploits, bridge hacks alone contribute to $2 billion of this.
Why You Should Care
DeFi hacks are on the rise, with this year’s hacks exceeding the previous year’s by 50%. Many are calling for DeFi platforms to take more robust steps to safeguard user funds as an immediate priority.
You may be interested to read about other recent DeFi hacks:
BNB Chain Re-Activates From Shutdown Following ‘Potential Exploit’ of $100 Million
Wormhole Suffers Second-Biggest Hack in DeFi, $320 Million in wETH Stolen
