Transit Swap: Controllable transferFrom() in unverified (closed-source) swap contract — approval drain
Transit Swap's closed-source contract had a fully controllable transferFrom() that let an attacker drain $21M from any wallet with active approvals — 70% was returned only after security teams uncovered the hacker's identity.
Summary
Transit Swap, a DEX aggregator / cross-chain swap service, suffered an exploit on 2022-10-01, resulting in a loss of approximately $21M.
What happened
Transit Swap's closed-source contract had a fully controllable transferFrom() that let an attacker drain $21M from any wallet with active approvals — 70% was returned only after security teams uncovered the hacker's identity.
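The pattern described above, shown as an added illustration beside a hardened form; this is not Transit Swap's contract (which was never verified on-chain), and the names VulnerableRouter, HardenedRouter and pull() are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical illustration of the dangerous pattern (not Transit Swap's code).
// Any caller chooses token, from, to and amount, and the router spends the
// allowance that `from` granted to the router. Every wallet with an active
// approval to this router can therefore be drained by anyone.
contract VulnerableRouter {
    function pull(address token, address from, address to, uint256 amount) external {
        // No check that msg.sender == from, and no token allow-list.
        require(IERC20(token).transferFrom(from, to, amount), "transfer failed");
    }
}

// Hardened pattern: the router only ever pulls from msg.sender, so an
// approval can only be spent by the wallet that granted it, and only for
// tokens the contract owner has registered.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedToken;

    constructor() { owner = msg.sender; }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = allowed;
    }

    function pull(address token, address to, uint256 amount) external {
        require(allowedToken[token], "token not allowed");
        // `from` is fixed to msg.sender: a caller can only move their own funds.
        // Production code should use a SafeERC20-style wrapper, since some
        // tokens do not return a bool from transferFrom.
        require(IERC20(token).transferFrom(msg.sender, to, amount), "transfer failed");
    }
}
```

The defender-side takeaway is that any router holding user approvals must bind the `from` argument to `msg.sender`; reviewers cannot confirm this binding when the contract source is unverified, which is why the unverified-contract factors below are rated causal.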
Linked factors
- RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — contracts were not even verified on-chain]
- RD-F-007 — causal: Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
- RD-F-046 — causal: ★ Contract unverified on Etherscan/Sourcify at launch [via cross-hack: Factor 30: Closed-Source / Unverified Contracts]
- RD-F-096 — illustrative: New ERC-20 approval to unverified contract [via realtime_signals/Pre-exploit on-chain signals: Unverified (closed-source) contracts on a live swap aggregator; large-scale approval draining across multiple wallets simultaneously]
- RD-F-111 — causal: Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown — raised suspicion of potential insider involvement]