follow us on twitter . like us on facebook . follow us on instagram . subscribe to our youtube channel . announcements on telegram channel . ask urgent question ONLY . Subscribe to our reddit


Author Topic: Transit Swap Suffers $28.9M Hack: How Can We Prevent Excessive Contract Authoriz  (Read 408 times)

CoinEx

  • Full Member
  • *
  • Activity: 170
  • points:
    6869
  • Karma: 2
  • Trade Count: (0)
  • Referrals: 0
  • Last Active: December 02, 2022, 02:43:02 PM
    • View Profile

  • Total Badges: 8
    Badges: (View All)
    One year Anniversary 100 Posts 50 Posts
Just recently, Transit Swap, a cross-chain swap aggregator platform, announced that it had suffered a hack. According to the official announcement on October 12, the hack resulted in a loss of $28.9 million in funds. Following the request of Transit Swap, the whitehat hacker has returned funds worth $24 million, and $4.9 million of the stolen funds are still not returned.



Reasons behind the hack
According to the official announcement, Transit Swap examined the hack and confirmed that it was caused by a bug in the codes. Later, SlowMist released a report, which includes a detailed analysis of the incident.

Essentially, Transit Swap is a cross-chain DEX aggregator that pools together mainstream DEX data to provide services for users. When swapping cryptos on the platform, users have to go through a routing bridge contract and grant it authorization. Once authorized, the routing bridge contract will be able to call the Token to be used for swapping.

That said, Transit Swap’s code design suffers from a fatal flaw. According to SlowMist, Transit Swap’s routing proxy contract, routing bridge contract, and permissions management contract failed to check the incoming data that includes parameters received, call data, and exchange contract address during token swapping, which led to the hack.

Upon discovering the loophole, the hacker uploaded the data he built and called the routing bridge contract. Finally, the hacker’s exchange contract address was appointed as the permissions management contract address, allowing him to drain the tokens of all users who had granted permission.

Risks of excessive authorization
Although the whitehat hacker has returned over 80% of the stolen funds, the remaining stolen funds still hit users hard. Looking back at the hack, we can see that the hacker targeted those who had granted Transit Swap permission.

When using a DApp, we often receive authorization requests from the DApp. DApps must be authorized before we interact with the contract because our authorization will allow the DApp contract to move our crypto assets for operations such as swapping or lending.

To reduce the number of authorizations needed, most developers would request users to authorize the corresponding smart contract to move a considerable token amount. For instance, in the case of PancakeSwap, as shown in the figure below, when a USDC transaction is given permission, the approved amount is a staggering 1071. This approach saves users the trouble of repeated permissions and reduces the amount of gas fees required. For example, if USDC is needed again for swapping, no approval will be required, and the user will not have to pay gas fees for another permission.



However, as the authorization involves a huge token amount (1071), while saving you time and a small amount of fee, the contract gains unlimited permission to transfer USDC from your wallet. In the event of a hack just like what happened to Transit Swap, the hacker would also be able to drain your USDC. After all, no one actually owns 1071 USDC.

How can we guard against risks associated with excessive authorization?
1. Do not keep all your assets in one wallet
When interacting with DApps, we can put our assets into different categories, the more the better. For instance, we can put cryptos that we wish to hold over the long term in a wallet and store a small amount of cryptos in another wallet for interactions with DApps. In this way, we will be able to minimize our losses even if the contract is exploited by hackers.

2. Grant small-amount permissions
Although granting permissions that involve a large token amount saves us time and gas fees, the approach creates more risks in the event of a hack. To avoid greater losses, we should try to minimize the token amount authorized. For instance, if 100 USDC is needed for swapping in a transaction, then change the approved amount from 1071 to 100 by editing the permission, which matches the amount needed. In this way, the contract will no longer use your assets after the transaction, and hackers would not be able to empty your USDC balance even if the contract is hacked.



3. Revoke authorizations on a regular basis
When it comes to authorized contracts, we can withdraw our authorizations regularly to keep our wallets safe. Here, we will show you how to revoke your authorizations using the tools available on Etherscan.

First, go to etherscan.io/tokenapprovalchecker and click on “Connect to Web3”.



Once your wallet is connected to Etherscan, you’ll be able to check the approvals (authorizations) granted concerning your tokens (ERC-20) and NFTs (ERC-721 & ERC-1155). To withdraw your approval, you can simply click on “Revoke” in the last column.



Next, the specific information for revoking your approval will pop out, and you can click on “Revoke” to go to the next step.


Finally, you’ll need to confirm the revocation and pay the gas fee. In the “Edit permission” page, you’ll find that revoking an approval means changing the proposed approval limit to 0, which bans the contract from using your assets.

In addition to Ethereum, other blockchain explorers also allow users to revoke authorizations. Common websites for authorization revocation include:



Revoke authorization on ETH: etherscan.io/tokenapprovalchecker
Revoke authorization on BSC: bscscan.com/tokenapprovalchecker
Revoke authorization on Polygon: polygonscan.com/tokenapprovalchecker
Revoke authorization on AVAX: snowtrace.io/tokenapprovalchecker
Revoke authorization on HECO: www.hecoinfo.com/tokenapprovalchecker
Revoke authorization on Solana: solscan.io/account/
In the crypto world, it is impossible to examine the security of all contracts, and we can only try to protect ourselves and be more aware of our asset security. By granting fewer permissions, we can reduce asset losses arising from external security breaches and keep our assets safe.

Altcoins Talks - Cryptocurrency Forum


msz900

  • Hero Member
  • *
  • *
  • *
  • Activity: 1041
  • points:
    42070
  • Karma: 31
  • Pawsome
  • Trade Count: (0)
  • Referrals: 0
  • Last Active: December 03, 2022, 02:08:30 PM
    • View Profile

  • Total Badges: 19
    Badges: (View All)
    1000 Posts 10 Posts First Post
After listening to one-after-another Hack news, I assume that Crypto security has been highly compromised and Hacker now knows wher and how to hit hard. I am in doubt, that Binance will be the next Target.
     ▄██▄         ▄██▄
    ▄████▄       ▄█████
    █  █████ █████▄
   █ ▄██████ ██████▄
   ███████   ██████
  ▄███      ▀  ▀      ██
 ████  ▄▄▄       ▄▀▄  ███
████     ▀  ▄▄▄▄ ▀█▀   ███
██     ▄   ▀▄█▀   ▄    ██
▀█      ██▄ ▄██▄ ▄██     █▀
 ▀▄▄     ▀█▀▄▀██▀    ▄▄▀
    ▀▄▄   ▀████▀    ▄▄▀
       ▀▀▄▄▄▄▄▄▄▄▄▀▀

█████████████▄▄
████████████████▄
██████     ▀█████     ▄▄▄▄▄                                        ▄▄▄           ▄▄▄▄▄                ▄▄▄       ▄▄▄           ▄▄▄▄
██████      █████ ▄███████████   █████      █████      █████  ▄█████████    ▄▄█████████▄▄    ███▄▄████████▄▄████████▄     ▄█████████▄
██████▄▄▄▄▄██████ ▀█▀▀▀ ▀▀█████   █████    ███████    █████   ███▀    ▀▀   ▄███   █   ███▄   █████▀   ▀█████▀   ▀████    ███▀     ███▄
███████████████▀      ▄▄▄▄█████    ████▄  ████▀████   ████▌   ████▄▄       █▌ ▀▄▄▄█▄▄█▀ ██   ████      ████      ████   ████▄▄▄▄▄▄████
██████▀▀▀▀▀▀▀    ▄▄██████▀█████    █████ █████ ████  ████      ▀██████▄    ██▄▄▀     ▀▄▄██   ████      ████      ████   ████▀▀▀▀▀▀▀▀▀▀
██████          ▐████▀    █████     ████▄████   ████ ████         ▀▀████   ███         ███   ████      ████      ████   ████
██████          ▐█████▄▄▄██████▄    ▀████████   ████████      ▄▄    ▄███    ██   ▄▄▄   ██    ████      ████      ████    ████▄    ▄██
██████           ▀███████▀▀█████     ███████     ██████       ▀████████▀     ▀█████████▀     ████      ████      ████     ▀█████████▀
.RACE NOW.

Altcoins Talks - Cryptocurrency Forum


 

ETH & ERC20 Tokens Donations: 0x2143F7146F0AadC0F9d85ea98F23273Da0e002Ab
BNB & BEP20 Tokens Donations: 0xcbDAB774B5659cB905d4db5487F9e2057b96147F
Powered by SMFPacks Social Login Mod