Full Report
Transit Swap is a cross-chain exchange that aggregates the tokens you own across different platforms. When a swap is performed, a routing contract is involved; depending on the chain being used, a different contract is called. The routing bridge contract is where the bug lives. The function claimTokens transfers tokens redeemed by the user to the routing bridge and eventually to the user, by invoking the ERC20 transferFrom call on the specified token contract.

The vulnerability is that the user controls all of the parameters passed into the transferFrom() call from the router contract; in particular, they control the from, to and amount arguments. Users also have to approve the contract to spend their funds. With this control, an attacker can make arbitrary calls to steal funds from all of the users. The vulnerability exists because there is no input validation on the data passed during the token exchange. This is a classic confused deputy problem: a trusted entity makes the call, but the input coming in abuses that trust. The exploit led to $23 million in funds being stolen.

A router making calls to other contracts is a common pattern. Reviewing smart contracts individually doesn't work; the interoperability between them is extremely important as well. Overall, good report on the bug!
Analysis Summary
# Incident Report: Transit Swap Arbitrary External Call Exploitation
## Executive Summary
On October 2, 2022, the cross-chain DEX aggregator Transit Swap was exploited due to a critical lack of input validation in its routing smart contracts. An attacker leveraged a "confused deputy" vulnerability to make arbitrary external calls, stealing over $23 million in assets from users who had previously authorized the protocol to spend their tokens. The incident was mitigated through on-chain tracking of the stolen funds and by identifying the attacker's movements via centralized services.
## Incident Details
- **Discovery Date:** October 2, 2022
- **Incident Date:** October 2, 2022
- **Affected Organization:** Transit Swap
- **Sector:** Decentralized Finance (DeFi) / Cryptocurrency
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** October 2, 2022
- **Vector:** Arbitrary External Call / Confused Deputy
- **Details:** The attacker utilized the `callBytes` function in the routing bridge contract. Because the protocol did not validate the data passed from the routing proxy, the attacker was able to inject malicious parameters that pointed to the protocol's own permissions management contract.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; however, the attacker moved "horizontally" across user accounts by triggering the `claimTokens` function for every user address that had a standing token allowance (approval) for the Transit Swap permissions management contract.
### Data Exfiltration/Impact
- **Details:** Unauthorized transfer of multiple token types across Ethereum (ETH) and Binance Smart Chain (BSC) networks, totaling approximately $23 million.
### Detection & Response
- **How it was discovered:** Transaction monitoring by the SlowMist security team and community alerts following large-scale unauthorized outflows.
- **Response actions taken:** Security teams tracked the stolen funds to the attackers' addresses and monitored interactions with Tornado Cash and centralized exchanges (LATOKEN).
## Attack Methodology
- **Initial Access:** Exploitation of unvalidated user input in the `swap` functions of the routing proxy.
- **Persistence:** Not applicable; the attack was a series of atomic smart contract transactions.
- **Privilege Escalation:** Exploited the "trusted" status of the routing bridge to call the `claimTokens` function, which has the authority to move user funds.
- **Defense Evasion:** Use of Tornado Cash (2,500 BNB) to obfuscate the trail of stolen funds.
- **Collection:** Automated extraction of tokens from all users with active "approvals" for the Transit Swap contract.
- **Exfiltration:** Transfer of assets to attacker-controlled wallets `0x75F2…FD46` and `0xfa71…90b`.
- **Impact:** Theft of $23 million in digital assets.
## Impact Assessment
- **Financial:** Estimated loss of $23 million.
- **Data Breach:** Exposure of user wallet addresses and authorization balances (Public on-chain data).
- **Operational:** Temporary suspension of the Transit Swap protocol and cross-chain bridging services.
- **Reputational:** Significant loss of user trust due to the "confused deputy" vulnerability in a core security contract.
## Indicators of Compromise
- **Attacker Addresses:**
  - 0x75F26...FD46 (Defanged)
  - 0xfa711...90b (Defanged)
- **Malicious Transactions:**
  - hxxps[://]bscscan[.]com/tx/0x181a7882aac0eab1036eedba25bc95a16e10f61b5df2e99d240a16c334b9b189
  - hxxps[://]etherscan[.]io/tx/0x743e4ee2c478300ac768fdba415eb4a23ae66981c076f9bff946c0bf530be0c7
## Response Actions
- **Containment:** Community notification to revoke token approvals for the Transit Swap contracts.
- **Eradication:** Identification of the logic flaw within the routing bridge (0x0B4727…) and permissions management contract (0xeD1afC…).
- **Recovery:** Coordination with exchanges (LATOKEN) and investigators (MistTrack) to freeze or recover funds where possible.
## Lessons Learned
- **Input Validation:** Trusting user-supplied data in a "proxy" or "router" pattern without strict whitelisting of function selectors is a critical failure.
- **Interoperability Risks:** Security audits must not only look at contracts in isolation but also how they interact (e.g., Proxy -> Bridge -> Permissions Manager).
- **The "Allowance" Problem:** Users are at risk as long as they have active "Infinite Approvals" on a contract with an arbitrary call vulnerability.
## Recommendations
- **Implement Strict Whitelisting:** The routing bridge must only allow calls to a specific set of verified swap provider contracts and function signatures.
- **Input Sanitization:** Validate that the `from` address in any `transferFrom` call matches the actual transaction originator or an intended authorized path.
- **Automated Monitoring:** Deploy real-time monitoring that detects and pauses the contracts when a high volume of `transferFrom` calls is made to unexpected destinations.
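As an added illustration (not Transit Swap's own code), the following hypothetical bridge and permissions-manager pair applies the two contract-level recommendations above: the bridge never forwards a user-supplied `from` to `claimTokens`, and `callBytes` only forwards calldata to an owner-approved (target, selector) pair. Contract names, function names and the `pullTokens` entry point are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical permissions manager holding users' ERC20 approvals. It trusts
// only the bridge and cannot tell whether `from` was chosen by the bridge or
// by an attacker, so the bridge must never forward a user-supplied `from`.
contract PermissionsManager {
    address public immutable bridge;
    constructor(address bridge_) { bridge = bridge_; }
    function claimTokens(address token, address from, address to, uint256 amount) external {
        require(msg.sender == bridge, "only bridge");
        require(IERC20(token).transferFrom(from, to, amount), "transferFrom failed");
    }
}

// Hypothetical hardened routing bridge.
contract HardenedBridge {
    address public immutable owner;
    PermissionsManager public immutable perms;
    // Only (target, selector) pairs approved by the owner may be called.
    mapping(address => mapping(bytes4 => bool)) public allowedCall;
    constructor() {
        owner = msg.sender;
        perms = new PermissionsManager(address(this));
    }
    function setAllowed(address target, bytes4 selector, bool ok) external {
        require(msg.sender == owner, "only owner");
        allowedCall[target][selector] = ok;
    }

    // Fix 1: `from` is pinned to msg.sender, so a caller can only move their own tokens.
    function pullTokens(address token, uint256 amount) external {
        perms.claimTokens(token, msg.sender, address(this), amount);
    }

    // Fix 2: forwarded calldata must target a whitelisted contract and selector,
    // so it can never reach the permissions manager or an unknown contract.
    function callBytes(address target, bytes calldata data) external {
        require(data.length >= 4, "missing selector");
        bytes4 selector = bytes4(data[:4]);
        require(target != address(perms) && allowedCall[target][selector], "call not whitelisted");
        (bool ok, ) = target.call(data);
        require(ok, "external call failed");
    }
}
```

With this layout, a user's allowance to the permissions manager can only ever be spent on that user's own behalf, and adding a new swap provider is an explicit owner action rather than something any caller can route through.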