Background
On the afternoon of December 20, 2023, we observed that the Transit Swap project fell victim to a series of transaction attacks orchestrated by hackers across multiple public blockchains. The hackers successfully profited approximately $110,000 in total.
Below are the deployment addresses of the vulnerable contracts on various blockchains.
https://docs.transit.finance/en/reference/smart-contracts
Attack Transaction:
0x93ae5f0a121d5e1aadae052c36bc5ecf2d406d35222f4c6a5d63fef1d6de1081 (BSC Chain)
Attack Analysis
As the attacker targeted the project across multiple chains, this analysis focuses on the analysis of the attacker’s transaction data on the Binance Smart Chain (BSC), summarizing and organizing the transactions.
The hacker successfully exchanged approximately 0.01 BNB for about 173.9 BNB using the multi-path exchange functionality of the TransitSwapRouterV5 contract, as shown in the following image:
Examining the transaction stack data reveals that this exchange involved two consecutive operations. However, during the process, an unverified token pair contract (0x7d7583724245eeebb745ebcb1cee0091ff43082b) was called. The attacker exchanged the smallest unit of BNB (1/1e18 BNB) for approximately 43841.86 USDT. Notably, the amount obtained from this exchange matches the current USDT reserve balance of the TransitSwapRouterV5 contract.
Analyzing the contract logic based on the parameters of the attack transaction:
struct ExactInputV3SwapParams {
address srcToken; // 0x0000000000000000000000000000000000000000 BNB
address dstToken; // 0xbb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c WBNB
address dstReceiver; // 0xece3f2645ed0910d4a10f4e262e9fe47c481d9de PancakePair FEE-WBNB (Hacker)
address wrappedToken; // 0xbb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c WBNB
uint256 amount; // 10_000_000_000_000_000
uint256 minReturnAmount; // 1
uint256 fee; // 9_999_999_999_999_999
uint256 deadline; // 1703037712
uint256[] pools; // 0x100000000000000000000007d7583724245eeebb745ebcb1cee0091ff43082b FakePool
// 0x7d7583724245eeebb745ebcb1cee0091ff43082b WBNB-BUSD (Hacker)
// 0x1000000000000000000000036696169c63e42cd08ce11f5deebbcebae652050 WBNB-USDT
// 0x36696169c63e42cd08ce11f5deebbcebae652050 BUSD-WBNB (PancakeSwapV3)
bytes signature; // ""
string channel; // ""
}When the exchange path is greater than 1, the logic is as follows:
Digging into the _swap function to examine the specific exchange logic, it is evident that the internal exchange function, after interacting with the externally provided pool contract for token exchange, does not verify the exchanged funds. Instead, it directly uses the exchange amount returned by the pool for the next path of the exchange operation. This flaw enables the attacker to construct a fake pool contract and return the current USDT reserve of the TransitSwapRouterV5 contract within the swap function. Consequently, the attacker profits by initiating a second exchange.
Upon analysis, it is determined that the funds gained by the attacker ultimately flow into the Tornado Cash mixing platform.
Summary
In essence, the TransitSwapRouterV5 contract’s multi-path exchange function lacks successful exchange verification, enabling the attacker to use false exchange amounts in subsequent exchanges, leading to real funds being obtained and the attacker successfully profiting.
Security Recommendations
- When exchanging tokens through multiple paths, validate the provided token pool or verify the results of multi-path exchange operations. If funds from a particular exchange are not received or the exchange fails, consider rolling back to prevent attackers from exploiting false exchanges using fake token pools.
- It is advisable for project teams to conduct multiple audits before deploying contracts to production to avoid missing critical audit steps.
