On October 2, 2022, an attack occurred on Transit Swap, a cross-chain DEX aggregator, resulting in the unauthorized transfer of user assets.
The SlowMist security team determined that the amount of funds stolen exceeded $23 million. The security team was also able to pinpoint the hackers’ addresses, which were 0x75F2…FD46 and 0xfa71…90b. The following is a synopsis of the attack:
1. When a user swaps on Transit Swap, the call first passes through the routing proxy contract (0x8785bb…). Different routing bridge contracts are selected depending on the type of exchange. The routing bridge contract (0x0B4727…) then uses the ‘claimTokens’ function of the permissions management contract (0xeD1afC…) to transfer the tokens the user wants to exchange to the routing bridge contract. Therefore, before the tokens can be exchanged, the user must first authorize the permissions management contract (0xeD1afC…).
2. The ‘claimTokens’ function is used to transfer funds by invoking the ‘transferFrom’ function of the specified token contract. The parameters it receives are passed in by the upper-layer routing bridge contract (0x0B4727…). These parameters are unrestricted, with the exception that the caller must be either a routing proxy contract or a routing bridge contract.
3. After receiving the tokens the user wants to exchange, the routing bridge contract (0x0B4727…) calls the swap contract to perform the actual swap. Both the swap contract address and the call data are passed in by the upper-layer routing proxy contract (0x8785bb…), and the routing bridge contract does not check the parsed swap contract address or call data.
4. The parameters that the routing proxy contract (0x8785bb…) passes to the routing bridge contract (0x0B4727…) in turn come from the parameters passed in by the user. The routing proxy contract (0x8785bb…) only ensures that the length of each field in the user-supplied calldata meets expectations and that the routing bridge contract being called is an address in the whitelist mapping. It does not check the contents of the calldata.
5. As a result, the attacker takes advantage of the fact that neither the routing proxy contract, the routing bridge contract, nor the permissions management contract checks the incoming data. The attacker constructs data and, through the routing proxy contract, invokes the routing bridge contract’s callBytes function. The callBytes function parses out the exchange contract and exchange data supplied by the attacker, where the exchange contract is the permissions management contract’s address and the exchange data is a call to the ‘claimTokens’ function. That ‘claimTokens’ call transfers the tokens of a specified user to the attacker’s address. In this way the attacker stole tokens from all users who had authorized the permissions management contract.
The main reason for this attack is that the Transit Swap protocol does not strictly validate the data passed in by the user during token exchange, which results in an arbitrary external call. The attacker exploited this vulnerability in the arbitrary external call to steal tokens that were authorized by users.
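The validation whose absence is described above, as an added Solidity example that is not Transit Swap's code: the bridge forwards only allowlisted (target, selector) pairs, never calls the permissions contract as a swap target, and always invokes ‘claimTokens’ with the token owner fixed to the caller. The contract names, the ‘claimTokens’ signature, and the merging of the routing proxy and routing bridge into one entry point are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified contracts for illustration; not the Transit Swap source.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Stands in for the permissions management contract that users approve.
contract AllowanceHolder {
    mapping(address => bool) public isBridge; // trusted routing bridge contracts
    address public immutable admin;
    constructor() { admin = msg.sender; }

    function setBridge(address bridge, bool ok) external {
        require(msg.sender == admin, "not admin");
        isBridge[bridge] = ok;
    }
    // Assumed signature. Restricting the caller alone is not enough: the bridge
    // below must also be unable to reach this function with attacker-chosen data.
    function claimTokens(address token, address from, address to, uint256 amount) external {
        require(isBridge[msg.sender], "caller not bridge");
        require(IERC20(token).transferFrom(from, to, amount), "transferFrom failed");
    }
}

contract RoutingBridge {
    AllowanceHolder public immutable holder;
    address public immutable admin;
    mapping(address => mapping(bytes4 => bool)) public allowedCall; // target => selector
    constructor(AllowanceHolder h) { holder = h; admin = msg.sender; }

    function allowCall(address target, bytes4 selector, bool ok) external {
        require(msg.sender == admin, "not admin");
        require(target != address(holder), "holder cannot be a swap target");
        allowedCall[target][selector] = ok;
    }
    // Proxy and bridge are merged here, so msg.sender is the user. With a proxy
    // in front, the proxy must forward its own msg.sender, not a user-supplied one.
    function swap(address token, uint256 amount, address target, bytes calldata data) external {
        require(data.length >= 4, "short calldata");
        require(target != address(holder), "target is allowance holder");
        require(allowedCall[target][bytes4(data[:4])], "call not allowlisted");
        // `from` is pinned to the caller: only the caller's own approval is spent.
        holder.claimTokens(token, msg.sender, address(this), amount);
        (bool ok, ) = target.call(data); // token approval to `target` omitted
        require(ok, "swap failed");
    }
}
```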
So far, the hacker has transferred 2,500 BNB to Tornado Cash. By examining the hacker’s transaction history, we were able to unearth evidence of the hacker’s use of LATOKEN and other services to deposit and withdraw funds. MistTrack will continue to monitor the movement of these stolen funds as well as the hacker’s activities.
Attack Tx:
https://bscscan.com/tx/0x181a7882aac0eab1036eedba25bc95a16e10f61b5df2e99d240a16c334b9b189
https://etherscan.io/tx/0x743e4ee2c478300ac768fdba415eb4a23ae66981c076f9bff946c0bf530be0c7