On December 20, 2023, Transit Finance was hacked on multiple blockchain platform (BSC, ETH, etc.) with ~110k total loss due to a lack of pool input validation.

NOTE: The vulnerability do not affect on user assets.

Overview

Attacker address:

• BSC: 0xf755…

• ETH: 0xf755…

Vulnerable contract: TransitSwapRouterV5

Attack transaction: 0x93ae… (example on BSC)

Analysis

Check the main vulnerable code:

The Router V5 allows users to execute V3 swaps between different pools (for arbitrage purposes) using Uniswap/Pancakeswap. See the flow illustration below:

Let’s focus the swap in for loop process, the attacker manipulates pool[0] with his address. As a result of the attacker's controlled amount of tokenOUT in the first swapping, the Router V5 contract transfer amount of token was more than expected.

I have reproduced the POC and published at th13vn/TransitFinancePoC.

Conclusion

When building your own project, it does not trust any user input. Any parameter given must be validated by the code. Furthermore, conducting a security audit is usually suggested in these instances, particularly for projects with big assets.

The IMPORTANT NOTE: When you design a router or a helper contract that support interacting with other contracts, you should not put the token funds here. The fee amount should be transferred to the "fee keeper" to be kept.

The Verichains team regularly updates the most recent vulnerabilities discovered in projects they have assessed and those they are presently auditing, as well as information from the blockchain security community.