On December 20, 2023, Transit Finance was hacked on multiple blockchain platforms (BSC, ETH, etc.), with a total loss of ~110k, due to a lack of pool input validation.
NOTE: The vulnerability does not affect user assets.
Overview
Attacker address:
Vulnerable contract: TransitSwapRouterV5
Attack transaction: 0x93ae… (example on BSC)
Analysis
Check the main vulnerable code:
Router V5 lets users execute V3 swaps across different pools (for arbitrage purposes) using Uniswap/PancakeSwap. See the flow illustration below:
Let's focus on the swap inside the for loop: the attacker sets pool[0] to his own address. Because the attacker controls the amount of tokenOUT in the first swap, the Router V5 contract transferred more tokens than expected.
I have reproduced the PoC and published it at th13vn/TransitFinancePoC.
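As an added example (not Transit Finance's code and not the author's PoC), here is a multi-hop loop that accepts a caller-supplied pool only when a trusted factory recognises it, and that takes each hop's output from its own balance change rather than from a figure the pool reports. It assumes Uniswap V3 style factory and pool interfaces. The contract name and `swapThrough` are hypothetical, and pulling funds from the caller, forwarding the final output and fee handling are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}
interface IV3Factory { function getPool(address, address, uint24) external view returns (address); }
interface IV3Pool {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function fee() external view returns (uint24);
    function swap(address to, bool zeroForOne, int256 amountSpecified,
        uint160 sqrtPriceLimitX96, bytes calldata data) external returns (int256, int256);
}
// Added illustration with a hypothetical name; not TransitSwapRouterV5 code.
contract ValidatedMultiHop {
    uint160 constant MIN_LIMIT = 4295128739 + 1; // Uniswap V3 MIN_SQRT_RATIO + 1
    uint160 constant MAX_LIMIT = 1461446703485210103287273052203988822378723970342 - 1;
    IV3Factory public immutable factory; // trusted factory, fixed at deployment
    constructor(IV3Factory f) { factory = f; }
    // Accept a caller-supplied address only if the trusted factory maps the
    // (token0, token1, fee) it reports back to that same address.
    function _genuine(address p) internal view returns (address t0, address t1) {
        (t0, t1) = (IV3Pool(p).token0(), IV3Pool(p).token1());
        require(factory.getPool(t0, t1, IV3Pool(p).fee()) == p, "unknown pool");
    }
    // Assumes `amount` of tokenIn was already pulled from the caller.
    function swapThrough(address tokenIn, address[] calldata pools, uint256 amount)
        external returns (uint256) {
        for (uint256 i = 0; i < pools.length; i++) {
            (address t0, address t1) = _genuine(pools[i]);
            // Each hop must consume the token the previous hop produced.
            require(tokenIn == t0 || tokenIn == t1, "path break");
            bool zeroForOne = tokenIn == t0;
            address out = zeroForOne ? t1 : t0;
            uint256 before = IERC20(out).balanceOf(address(this));
            require(amount <= uint256(type(int256).max), "too large");
            IV3Pool(pools[i]).swap(address(this), zeroForOne, int256(amount),
                zeroForOne ? MIN_LIMIT : MAX_LIMIT, "");
            // Next hop's input is what actually arrived, not a pool-reported figure.
            (amount, tokenIn) = (IERC20(out).balanceOf(address(this)) - before, out);
        }
        return amount;
    }
    function uniswapV3SwapCallback(int256 d0, int256 d1, bytes calldata) external {
        (address t0, address t1) = _genuine(msg.sender); // only real pools are paid
        if (d0 > 0) require(IERC20(t0).transfer(msg.sender, uint256(d0)), "pay0");
        if (d1 > 0) require(IERC20(t1).transfer(msg.sender, uint256(d1)), "pay1");
    }
}
```

Tokens whose `transfer` returns no value need a safe-transfer wrapper in place of the bare `require`.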
Conclusion
When building your own project, do not trust any user input. Every parameter supplied must be validated by the code. Furthermore, a security audit is usually recommended in these cases, particularly for projects holding large assets.
IMPORTANT NOTE: When you design a router or helper contract that supports interacting with other contracts, you should not keep token funds in it. The fee amount should be transferred to a “fee keeper” to be held.