Name

Request the latest threat intelligence and newest custom research based on relevant Web3 contextual factors. This unique service is the only way to unlock direct access to CertiK Intelligence Analysts

Account Settings

Profile

accountItemTitle.sign-out

Watchlists

Have your code reviewed by CertiK’s team of seasoned security experts, who have audited 1000’s of projects

Effective findings culminated through performing thousands of audits and a cross-check against a large internal database of security vulnerabilities.

Receive rich reporting, covering findings and recommendations on on how to remediate vulnerabilities.

Our unparalleled expertise in Web3 security and risk management ensures that clients make informed decisions about their investments.

Whether a project has been audited by CertiK

Smart Contract Audit Process

Audited by CertiK

Active Bounty

CertiK Contract Verified

CertiK Formal Verification

CertiK KYC

CertiK Penetration Testing

CertiK Skynet

Top 10% Code Security Score

Top 10% Community Trust Score

Top 10% Fundamental Health Score

Top 10% Governance Strength Score

Top 10% Market Stability Score

Top 10% Operational Resilience Score

Top 10% Security Score

Top 10% Trust Score

Top 10% Watchlisted

CertiK is Web3's leading smart contract auditor and provides a comprehensive suite of tools to secure the industry at scale.

Provable Trust For All.

Securing The

World

Identify and eliminate security vulnerabilities in blockchains, smart contracts, and Web3 apps using the most rigorous and thorough cybersecurity techniques.

You can now discover projects within the same categories or ecosystems, by clicking the ecosystem icon or category tag within their security leaderboard columns.

Crowdsourcing from a list of the world's top ethical hackers to provide you continuous assessment, for uncovering vulnerabilities before anyone else does.

About

We're Hiring

Disclaimer

Worker Validation

Partnership

Resources

Testimonials

Ventures

CertiK audits all of Web3, from decentralized applications to the blockchains they’re built on. We work closely with clients to deliver tailor-made security solutions.

Our industry-leading audit methodology and tooling includes a review of your code’s logic, with a mathematical approach to ensure your program works as intended.

Our industry-leading L1 chain auditing process combines expert manual review of smart contract code with advanced AI and mathematical techniques to ensure blockchain protocols work as intended.

CertiK’s speed in execution of audits at scale leaves the competition behind. But don't just take our word for it, listen to what our customers are saying:

Every smart contract audit involves comprehensive manual review by our team of experienced security experts. Automated AI-powered review provides an additional layer of security. Formal verification is an optional further step that certifies smart contract behavior with respect to custom function specifications. This helps developers get a handle on the entire scope of their platform.

How Does a Smart Contract Audit Work?

Every audit involves comprehensive manual review by our team of experienced security experts. Formal verification certifies L1 chain code behavior with respect to custom function specifications, helping developers get a handle on the entire scope of their platform. The process of auditing an L1 is the same as for auditing a smart contract. The five-step process is as follows:

Report an incident if you are under cyber attack and need help!

24/7 Incident Response

An L1 chain audit provides a comprehensive security assessment of a Layer 1 blockchain to identify vulnerabilities and recommend ways to fix them.

CertiK has audited nearly a dozen L1s, along with projects written in all major programming languages, thousands of Web3 projects, and tens of thousands lines of code. As a pioneer in the blockchain security industry, CertiK brings expertise that can only be gained from years of experience with thousands of projects to each and every L1 chain audit.

Web3 Security Leaderboard

What's New

Visit the project’s profile page directly for more details about their status. Some projects may temporarily display as ‘Pending’ but will be available soon.

CertiK has audited thousands of Web3 projects and tens of thousands lines of code written in all major smart contract programming languages.

We bring expertise that can only be gained from years of experience with thousands of projects to each and every audit.

When it comes to security, only the best will do.

productsItemDescription.security-scores-ranking

Advisory Services

Bug Bounty

Formal Verification

Incident Response

L1 Chain Audit

Penetration Testing

Security Score

Security Scores & Ranking

Sky Harbor

SkyHarbor

SkyInsights

Skynet

SkyTrace

Smart Contract Audit

Web 3 Security Audit

Protect Your Project Today

Security Score evaluates a project’s real-time security posture using on-chain and off-chain data.

Sign up and gain access to curated features like watchlist and so on in two simple steps.

SkyHarbor can quickly identify vulnerabilities or suspicious activities in your system, ensuring that your assets are safe and secure.

Actively monitor on-chain smart contracts in real time and present actionable security and Web3 app data insights for the community.

A comprehensive security assessment of your smart contract and blockchain code to identify vulnerabilities and recommend ways to fix them.

What’s in a Smart Contract Audit Report?

smartContractAuditSubtitle

An index measuring a crypto project's relative security, market performance, and social sentiment

Providing the largest coverage on languages and ecosystem, as well as faster onboarding options, depending on project code size.

We offer strategic investments and comprehensive security solutions, leveraging our expertise to support and develop the future of Web3.

CertiK Ventures

Clients receive rich reports on their smart contract code, complete with comprehensive vulnerability analyses and recommended remediations.

CertiK KYC provides private identity verification for project teams through a rigorous vetting process while maintaining the highest standards of data protection.

[Transit Swap](https://www.transit.finance/en/) is billed as a "cross-chain swap platform that integrates DEXs to aggregate transactions." 

Token Swap's developers paused the contracts after the exploit was noticed, though not before users had seen 49,815 BNB and 5,182 ETH transferred out of their wallets.

Using Skytrace to visualize the attacker's wallet immediately highlights a number of things.

![Transit Skytrace1](//images.ctfassets.net/v0qht4wq59vi/3mCGvH9OulR1URthY18ByW/f0bc792cc2470e8ad0a0c34f555665ef/Screen_Shot_2022-10-01_at_6.46.41_PM.png)
*Visualizing the attacker's wallet using [Skytrace](https://www.certik.com/skytrace/bsc:0x75f2aba6a44580d7be2c4e42885d4a1917bffd46)*

First, the huge amount of individual wallets that the attacker's EOA has interacted with makes it clear that this was not a hack of a single Transit Swap contract. Rather, the attacker likely abused some vulnerability in the __Transit Swap&Cross Approve Proxy__ contract to individually drain hundreds of addresses.

![Transit Skytrace Tornado](//images.ctfassets.net/v0qht4wq59vi/76pvM70SZKR8B29eYklBoQ/0b51ff4f8ae445f65c8d17fdcf3a1652/Screen_Shot_2022-10-01_at_6.46.15_PM.png)

Second, thanks to Skytrace's address labeling, we can see that the attacker has begun to transfer the stolen funds to Tornado Cash on BNB Chain. So far, they have effectuated 25 deposits of 100 BNB (~$49k) for a total of $1,225,146.86.

The attacker [bridged](https://etherscan.io/tx/0xb314ddb55a14f1515a3a2ea46a5cac035197a321d9e09d730bf6443c932857d1) 2,000 of the stolen ETH from Ethereum to BNB Chain using Multichain's cross-chain router.

Their BNB Chain [wallet](https://bscscan.com/address/0x75f2aba6a44580d7be2c4e42885d4a1917bffd46) currently holds 1,499 ETH and 49,612 BNB.

Transit Swap released the following announcement in English and Mandarin on their Twitter page.

![Transit Tweet](//images.ctfassets.net/v0qht4wq59vi/wcwCQQfPkCIR5C5k31jWK/1f47d9f64ea924ef1814145d00834dce/Screen_Shot_2022-10-01_at_6.56.19_PM.png)

While Transit Swap has paused their contracts, any user who has interacted with the protocol – and particularly anyone who has approved the __Transit Swap&Cross Approve Proxy__ contract – should immediately transfer any funds to an address which has had no contact with the platform.


Transit Swap – a cross-chain aggregator – has suffered a breach of its smart contracts. $20 million has been stolen from addresses which had previously interacted with the protocol.

Products & Technology

KYC

Smart Contract Audit

Bug Bounty

L1 Chain Audit

Incident Response

Penetration Testing

Advisory Services

Skynet

SkyHarbor

SkyInsights

Formal Verification

Security Score

Featured Ecosystems

BNB Chain

Ethereum

WEMIX

Avalanche

Solana

Algorand

NEAR

Cosmos

Polygon

Aptos

Arbitrum

Company