On October 1, beginning at 06:33:47 PM +UTC, hundreds of wallets which had interacted with Transit Swap began to have their assets stolen and transferred to an attacker's externally-owned account (EOA). Losses are currently in excess of $20 million.
Transit Swap is billed as a "cross-chain swap platform that integrates DEXs to aggregate transactions."
Transit Swap's developers paused the contracts after the exploit was noticed, though not before users had seen 49,815 BNB and 5,182 ETH transferred out of their wallets.
Using Skytrace to visualize the attacker's wallet immediately highlights a number of things.
Visualizing the attacker's wallet using Skytrace
First, the sheer number of individual wallets that the attacker's EOA has interacted with makes it clear that this was not a hack of a single Transit Swap contract. Rather, the attacker likely abused some vulnerability in the Transit Swap&Cross Approve Proxy contract to individually drain hundreds of addresses.
Second, thanks to Skytrace's address labeling, we can see that the attacker has begun to transfer the stolen funds to Tornado Cash on BNB Chain. So far, they have made 25 deposits of 100 BNB (~$49k each) for a total of $1,225,146.86.
The attacker bridged 2,000 of the stolen ETH from Ethereum to BNB Chain using Multichain's cross-chain router.
Their BNB Chain wallet currently holds 1,499 ETH and 49,612 BNB.
Transit Swap released the following announcement in English and Mandarin on their Twitter page.
While Transit Swap has paused their contracts, any user who has interacted with the protocol – and particularly anyone who has approved the Transit Swap&Cross Approve Proxy contract – should immediately transfer any funds to an address which has had no contact with the platform.
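To act on the advice above, a wallet owner first needs to know which tokens still carry an approval to the proxy. The following is an added example, not code from Transit Swap or the original article: it replays ERC-20 `Approval` event logs and reports approvals that were never revoked. The addresses are placeholders and the log entries are constructed in the shape returned by `eth_getLogs`.

```python
# Added example. All addresses are placeholders; the logs are constructed sample data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
PROXY = "0x" + "aa" * 20    # placeholder for the approve-proxy contract address
WALLET = "0x" + "11" * 20   # placeholder user wallet
OTHER = "0x" + "bb" * 20    # placeholder unrelated spender
TOKEN_A, TOKEN_B, TOKEN_C = ("0x" + b * 20 for b in ("a1", "b2", "c3"))

def topic_to_address(topic):
    """An indexed address topic is 32 bytes; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs, owner, spender):
    """Return {token: amount} for owner->spender approvals whose most recent
    Approval event is non-zero. Many tokens do not emit Approval when
    transferFrom spends a finite allowance, so treat every hit as 'needs
    review' and confirm with allowance(owner, spender) on-chain."""
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-20 Approval has exactly 3 topics (ERC-721 Approval has 4).
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        latest[log["address"].lower()] = int(log["data"], 16)
    return {token: amount for token, amount in latest.items() if amount > 0}

def _log(token, owner, spender, value, block, index):
    """Build one constructed Approval log entry."""
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

def sample_logs():
    unlimited = 2**256 - 1
    return [
        _log(TOKEN_B, WALLET, PROXY, 0, 105, 0),          # later revocation of TOKEN_B
        _log(TOKEN_A, WALLET, PROXY, unlimited, 100, 3),  # unlimited approval, never revoked
        _log(TOKEN_B, WALLET, PROXY, 500, 101, 1),        # finite approval, revoked at block 105
        _log(TOKEN_C, WALLET, OTHER, unlimited, 102, 0),  # approval to a different spender
    ]

if __name__ == "__main__":
    for token, amount in live_approvals(sample_logs(), WALLET, PROXY).items():
        print(f"{token} still approved to proxy: {amount}")
```

On the sample data only `TOKEN_A` is reported; the revoked approval and the approval to an unrelated spender are excluded.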