Transit Finance

avoid.net/transit-finance→22/100·83% conf.

[AI-DRAFTED · AWAITING VERIFICATION]

22/100

[CRITICAL]83% conf.

Summary

Transit Finance (also known as Transit Swap) is a cross-chain DEX aggregator supporting over 122 decentralized exchanges across Ethereum, BNB Chain, TRON, Solana, Polygon, and other networks. The protocol has suffered two confirmed security exploits: a $28.9 million hack in October 2022 due to an arbitrary external call vulnerability in its routing contract, with approximately $18.9 million recovered; and a second $1.88 million exploit in May 2026 via a deprecated TRON smart contract that remained on-chain and exploitable years after official deprecation. ZachXBT flagged the protocol amid broader DeFi monitoring, and the 2022 attacker routed funds through OFAC-sanctioned Tornado Cash.

Connected Entities

1 entities · 10 linked investigations

Protocols

⌂Transit Finance

Relationships

+ 2 more

Also appears in

Matcha Meta·28 CATFI Memecoin / Eth Father (Park)·2 Adshares Bridge (ADS)·28 Delio (South Korea Crypto Lender Fraud)·3 CrossCurve Bridge·28 SKP / Skippy Token·4 Kelsier Ventures·4 TAC Protocol Bridge·38 Fake Jupiter CJUP Airdrop Phishing Campaign·0 Solana MEV Sandwich Bots·5

Have evidence about Transit Finance?

Timeline(11 events)

2021-06-01

Transit Finance launches Transit Swap as a cross-chain DEX aggregator supporting Ethereum, BNB Chain, TRON, Polygon, and other networks.

2022-08-08

OFAC adds Tornado Cash to the Specially Designated Nationals list. The attacker in the upcoming Transit Finance exploit will use this sanctioned mixer two months later.

2022-10-02

Transit Finance (Transit Swap) suffers first major exploit. An attacker exploits an arbitrary external call vulnerability in the _claimTokens function, draining approximately $21–28.9 million in user-approved tokens across BNB Chain and Ethereum.

2022-10-03

PeckShield, SlowMist, Bitrace, TokenPocket, and CertiK collaborate to track the attacker via IP address, email, and on-chain identifiers. Attacker returns approximately $18.9 million (~70%) and sends 10,000 BNB (~$2M) to Tornado Cash as alleged bug bounty.

2022-10-06

Additional $246,000 recovered from the 2022 attacker per QuillAudits analysis.

2022-10-10

Attacker transfers 10,000 BNB ($2.74M) to victims and separately routes 2,500 BNB ($686K) to OFAC-sanctioned Tornado Cash.

2022-10-21

Transit Swap officially relaunches after a SlowMist security audit. Transit Finance establishes Transit Security Fund (10% of monthly revenue) and announces bug bounty program up to $1 million.

2024-12-01

U.S. Fifth Circuit Court of Appeals limits OFAC's sanctions authority over Tornado Cash's immutable smart contracts, beginning the process that leads to Tornado Cash delisting.

2025-04-01

U.S. Treasury delists Tornado Cash from OFAC sanctions following Fifth Circuit ruling.

2026-05-12

Attacker exploits a deprecated TRON-deployed legacy smart contract, draining approximately $1.875 million DAI plus ~1.37 ETH. Funds moved to a newly created Ethereum wallet. PeckShield detects and flags the breach.

2026-05-13

Transit Finance sends on-chain message to attacker offering bug bounty with 48-hour window. Project publicly commits to fully compensating affected users and states current contract version is unaffected. ZachXBT flags the incident.

Provenance & Audit Trail

Anchored on Solana Verify on-chain

Decision Log

#1publish⛓ anchored · slot 4226398765/28/2026, 3:38:06 AM
hash: 7y5rxXzb4kFrHtrJjdGrgNPW4idx1BFJHfUs6ZyFXEpZ

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

full audit log →version history →

model: claude-sonnet-4-6

generated: 5/28/2026, 3:37:52 AM

last updated: 5/28/2026, 3:43:55 AM

avoid.net — verified advice for a post-truth world