Transit Finance $115K Exploit Decoded

Context:

A smart contract vulnerability allowed for the exploitation of Transit Finance on the Ethereum Mainnet and the BNB chain on December 20, 2023, resulting in a loss of funds estimated at $115,000.

About Transit Finance:

Transit is a cross-chain swap platform that integrates DEXs, aggregates transactions, and provides a one-stop cross-chain solution.

Vulnerability Analysis:

The root cause of the exploit is the lack of input validation for the pool.

Step 1️⃣ :

The vulnerable contract exhibited deceptive behavior; the pre-deployed fake token pair manipulated the swapping route, providing a false value without executing any actual token transfers.

This misleading action coerced the Transit Finance route into validating an unforeseen swap.

Step 2️⃣ :

The absence of proper validation allowed the attacker to fabricate a pool, manipulating the 'actualAmountIn' parameter during the first swap. As a result, the SwapRouter utilized this altered value, causing an unintended surge in asset allocation during the subsequent WBNB/BUSD pool swap.

Step 3️⃣ :

The attacker sent stolen assets to their PancakePair before inflating and cashing out for profits. The exploiter swiftly laundered 36 ETH ($78,000) and 147 BNB ($37,300) via Tornado Cash.

Team’s Activity:

The team avoided directly acknowledging the exploit on social media but assured users that their assets remained secure. They did confirm implementing a contract upgrade in response.

Solution:

Thorough validation of data types is essential in smart contract design. Ensuring strict verification of input types prevents the misuse of functions due to incorrect or maliciously manipulated data.
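The root cause and Step 2 above can be reproduced in a small model. This is an added example, not Transit Finance's contract code: the classes, function names, pool names and the `known_pools` allowlist (standing in for checking the pair against the DEX factory) are assumptions, and pricing is reduced to 1:1. It compares a router that takes the pool's return value as the next hop's 'actualAmountIn' with one that rejects unknown pools and counts only the tokens it actually received.

```python
# Constructed model, not Transit Finance's contract code: a router whose first
# hop uses a caller-supplied pool and feeds the result into the second hop.

class Token:
    """Minimal balance ledger standing in for a token contract."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balance_of(src) < amount:
            raise ValueError("invalid transfer")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount

class HonestPool:
    """Pays the router 1:1 in the intermediate token (pricing omitted)."""
    def __init__(self, name, token_out):
        self.name, self.token_out = name, token_out

    def swap(self, amount_in, recipient):
        self.token_out.transfer(self.name, recipient, amount_in)
        return amount_in

class FakePool:
    """Reports an output amount but never transfers anything."""
    def __init__(self, name, claimed):
        self.name, self.claimed = name, claimed

    def swap(self, amount_in, recipient):
        return self.claimed

def next_hop_amount_trusting(pool, amount_in, router="router"):
    """Flawed: whatever the pool returns becomes the next hop's amountIn."""
    return pool.swap(amount_in, router)

def next_hop_amount_validated(pool, token_mid, amount_in, known_pools, router="router"):
    """Hardened: reject unknown pools and count only tokens actually received."""
    if pool.name not in known_pools:
        raise PermissionError("pool is not a known pair")
    before = token_mid.balance_of(router)
    pool.swap(amount_in, router)
    return token_mid.balance_of(router) - before
```

Either check alone stops the inflated amount from reaching the second hop; the balance-delta check still holds if an unexpected pool gets onto the allowlist.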

How DeHack protects:

At DeHack, proactive measures and advanced technology ensure Web3 ecosystem safety by detecting and addressing vulnerabilities in advance, fostering resilience and trust.