Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 104 · Smart Contract Bug

Transit Swap Approval Drain

Transit Swap users with infinite approvals lost $21M when claimTokens failed to validate which token to call transferFrom on. 70% returned after on-chain talks.

Date: October 2, 2022
Status: Partially Recovered

On October 2, 2022, the cross-chain DEX aggregator Transit Swap was exploited for approximately $21 million through a missing parameter validation in its claimTokens function. The attacker drained users who had granted infinite token approvals to Transit's permissions-management contract. After on-chain negotiation, 70% of the funds were returned, classifying the event as a (very expensive) white-hat operation.

What happened

To use Transit Swap, users granted token approvals to the protocol's permissions-management contract, allowing it to spend tokens on the user's behalf during swaps. The contract's claimTokens function was responsible for performing the actual transferFrom call against the user's approved balance.

The vulnerability: claimTokens accepted the token contract address as a user-provided parameter and did not validate it against any allowlist or expected source. The function would happily call transferFrom on any token address the caller specified, against any user who had approved Transit to spend that token.

The attack:

  1. The attacker enumerated wallets holding infinite approvals to Transit Swap's contract.
  2. For each victim, called claimTokens with the victim's address as the source and the attacker's address as the destination.
  3. The contract, lacking the validation, executed the transfer.
  4. Drained ~$21M across multiple tokens (USDT, USDC, BUSD, ETH, BNB, etc.).
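What the missing check looks like in code, as an added illustration that is not Transit Swap's source or its actual patch: a hypothetical `VulnerablePermissions` contract reproduces the pattern described above (any caller names the token, the approved user and the recipient), and a hypothetical `HardenedPermissions` contract shows the constraints a permissions-management contract needs before spending a standing approval. Contract, function and error names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by both contracts.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical reconstruction of the flawed pattern: nothing ties the call to
// a swap the user actually requested. Any caller can pick any token, any user
// who has approved this contract as `from`, and any destination as `to`.
contract VulnerablePermissions {
    function claimTokens(address token, address from, address to, uint256 amount) external {
        IERC20(token).transferFrom(from, to, amount);
    }
}

// Hardened variant (illustrative, not the protocol's real fix). The trust
// boundary is the protocol's own router: it is the only permitted caller, it
// is the only permitted destination, and only allowlisted tokens can move.
contract HardenedPermissions {
    address public immutable owner;
    address public immutable router;
    mapping(address => bool) public allowedToken;

    error NotRouter(address caller);
    error TokenNotAllowed(address token);
    error ZeroAmount();

    constructor(address _router) {
        owner = msg.sender;
        router = _router;
    }

    function setTokenAllowed(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = allowed;
    }

    // The router is expected to pass `from` = the msg.sender of its own swap
    // entry point, so a user's approval is spent only inside a swap that user
    // initiated. There is no `to` parameter: funds can only land on the router.
    function claimTokens(address token, address from, uint256 amount) external {
        if (msg.sender != router) revert NotRouter(msg.sender);
        if (!allowedToken[token]) revert TokenNotAllowed(token);
        if (amount == 0) revert ZeroAmount();
        // Production code should use a SafeERC20-style wrapper here: some
        // widely used tokens (USDT among them) return no bool at all.
        bool ok = IERC20(token).transferFrom(from, msg.sender, amount);
        require(ok, "transferFrom failed");
    }
}
```

The hardened version still depends on the router being correct, which is the point of the "Why it matters" section below: every contract that can spend a user approval is part of the trust boundary, and each parameter that reaches transferFrom has to be either fixed by the contract or derived from the transaction sender.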

Aftermath

  • Transit Swap paused the affected contract and engaged with the attacker via on-chain messages.
  • After several days of negotiation, the attacker returned approximately 70% of the stolen funds to a recovery address.
  • The team distributed the recovered funds back to affected users on a pro-rata basis.
  • Transit suffered a second smaller exploit months later under different conditions.

Why it matters

Transit Swap is part of a long lineage of DEX aggregator approval-drain bugs — protocols that hold user approvals must rigorously validate every parameter that determines how those approvals are spent. The pattern recurs in:

  • Furucombo (2021) — delegatecall to attacker-controlled target.
  • Sushi RouteProcessor2 (2023) — missing access check inside swap.
  • LI.FI (2024) — facet validation missing in a fresh deployment.
  • Transit Swap (2022) — claimTokens accepting attacker-chosen source.

In every case, the protocol's own contracts are technically working as designed; the bug is that users granted approvals expecting the protocol to constrain how those approvals would be exercised, and the protocol's constraint logic had a gap. The defensive answer — bounded approvals, EIP-2612 permits, and per-transaction signature gating — is becoming standard but lags the rate at which approval-based aggregators ship new code.
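The per-transaction alternative mentioned above, shown as an added example rather than any aggregator's real code: a hypothetical `PermitSwapEntry` contract takes an EIP-2612 permit signed by the user for exactly the input amount, consumes it in the same transaction, and pulls only that amount from the transaction sender. No standing approval remains for a claimTokens-style function to spend later. The contract and function names, and the `SwapRequested` event, are assumptions for this example; the `permit` signature is the one defined by EIP-2612.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// EIP-2612 permit surface: an off-chain signature authorises `spender` to
// spend `value` of the owner's tokens until `deadline`, once (nonce-bound).
interface IERC20Permit {
    function permit(
        address owner, address spender, uint256 value, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external;
}

// Hypothetical aggregator entry point built on permits instead of infinite
// approvals. The approval is bounded (amountIn), short-lived (deadline) and
// bound to this transaction's sender (msg.sender is the permit owner).
contract PermitSwapEntry {
    event SwapRequested(address indexed user, address indexed tokenIn, uint256 amountIn);

    error ZeroAmount();
    error ExpiredDeadline(uint256 deadline);

    function swapWithPermit(
        address tokenIn,
        uint256 amountIn,
        uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        if (amountIn == 0) revert ZeroAmount();
        if (deadline < block.timestamp) revert ExpiredDeadline(deadline);

        // The token verifies that the signature was produced by msg.sender for
        // exactly (spender = this contract, value = amountIn, deadline). A
        // signature for a different owner, amount or spender reverts here.
        IERC20Permit(tokenIn).permit(msg.sender, address(this), amountIn, deadline, v, r, s);

        // Pull from the transaction sender only, and only the permitted amount.
        // The allowance is fully consumed by this call, leaving nothing behind.
        bool ok = IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
        require(ok, "pull failed");

        emit SwapRequested(msg.sender, tokenIn, amountIn);
        // Routing of the swap from this contract's own balance happens after
        // this point; it is outside the scope of this example.
    }
}
```

The design trade-off is that only tokens implementing EIP-2612 can use this path, which is why bounded approvals (approve exactly the swap amount, not `type(uint256).max`) remain the fallback for older tokens and why wallets that surface and revoke standing approvals are a user-side mitigation for the whole lineage listed above.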

Sources & on-chain evidence

  1. halborn.com — https://www.halborn.com/blog/post/explained-the-transit-swap-hack-october-2022
  2. theblock.co — https://www.theblock.co/post/174307/hacker-returns-70-of-21-million-taken-from-transit-swap-dex
  3. blog.solidityscan.com — https://blog.solidityscan.com/transit-swap-hack-analysis-13c1e04e7de0/
