Audit log
Every state-changing event for Transit Finance: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-05-28 03:38:06Z. Score: ? → ? (no score change). Anchor: anchored
- chain: mainnet-beta, slot 422,639,876
- sig: 2Mdox6W85Beu…RXZF3sZJ
- hash: 7y5rxXzb4kFr…6ZyFXEpZ (sha256 → base58)
- canonical bytes (21585 B):
{"actor":"system:backfill","investigation_id":"70051758-d12d-4915-a9ef-fea74ea20a92","kind":"publish","page_slug":"transit-finance","published_at":"2026-05-28T03:38:06.725Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Transit Finance","sections":[{"content":"Transit Finance operates as a decentralized cross-chain DEX aggregator under the brand name Transit Swap, aggregating liquidity from over 122 decentralized exchanges and four bridges, providing access to more than five million tokens across Ethereum, BNB Chain, TRON, Solana, Polygon, and other networks. The protocol is governed by TPT DAO, a decentralized autonomous organization associated with TokenPocket, a multi-chain self-custodial wallet. Product offerings include cross-chain swaps, fiat on/off ramps via seven providers, on-chain analytics, an NFT marketplace, and advanced trading tools. The protocol's smart contracts have been audited by PeckShield, according to the project's own documentation.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Transit Finance - IQ.wiki","type":"research","url":"https://iq.wiki/wiki/transit-finance"},{"credibility":2,"name":"Multi-chain DEX aggregator: Transit Swap — Transit Finance on Medium","type":"official","url":"https://medium.com/@TransitSwap/multi-chain-dex-aggregator-transit-swap-6f6c62ea3335"},{"credibility":2,"name":"Transit Finance Documentation","type":"official","url":"https://docs.transit.finance/"}]},{"content":"On May 13, 2026, blockchain security firm PeckShield flagged a suspected exploit targeting Transit Finance in which approximately $1.88 million was drained from the protocol. According to reporting by Crypto.news and CryptoTimes, the attacker exploited an early-version smart contract originally deployed on the TRON network. 
Transit Finance stated that this contract had been officially deprecated in 2022 but continued to exist on-chain and contained historical vulnerabilities that were recently leveraged by the attacker. The stolen funds — approximately 1.875 million DAI stablecoins and roughly 1.37 ETH — were consolidated into a single Ethereum wallet at address 0x8a634DfA2609358849D7D65FFA270C8A57a8abA5. On-chain data indicated this wallet was newly created shortly before the exploit, having handled only two small prior DAI transfers. Transit Finance sent an on-chain message to the attacker's wallet offering a bug bounty and a 48-hour white-hat window in exchange for return of funds. The team stated that the current operating framework and active contract version remained unaffected, and committed to fully compensating all affected users. The incident is categorized by NullTX and Phemex as emblematic of broader risks posed by deprecated but undecommissioned legacy smart contracts in DeFi. PeckShield's mid-May 2026 tally listed eight bridge-related exploits collectively draining $328.6 million year-to-date, a period in which Transit Finance's loss was among the smaller individual incidents.","heading":"May 2026 Exploit — Legacy TRON Smart Contract ($1.88M)","severity":"critical","sources":[{"credibility":2,"name":"Transit Finance hack drains $1.88M from cross-chain protocol — Crypto.news","type":"news_article","url":"https://crypto.news/transit-finance-hack-drains-1-88m-from-cross-chain-protocol/"},{"credibility":2,"name":"$1.88M Drained from Transit Finance: Stolen DAI Sits in Fresh ETH Wallet — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/13/1-88m-drained-from-transit-finance-stolen-dai-sits-in-fresh-eth-wallet/"},{"credibility":2,"name":"$1.88M Reportedly Drained in TransitFinance Exploit — 
NullTX","type":"news_article","url":"https://nulltx.com/1-88m-reportedly-drained-in-transitfinance-exploit-that-exposes-hidden-risks-of-legacy-smart-contracts/"},{"credibility":2,"name":"Transit Finance to Compensate Users After TRON Exploit — Phemex News","type":"news_article","url":"https://phemex.com/news/article/transit-finance-to-compensate-users-after-tron-smart-contract-exploit-80916"},{"credibility":2,"name":"Transit Finance hacked for $1.88 million — Web3 Is Going Great","type":"community_report","url":"https://www.web3isgoinggreat.com/single/transit-finance-hack"},{"credibility":2,"name":"Crypto Bridge Exploits Hit $328.6M in May as PeckShield Tracks 8 Major Incidents — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/crypto-bridge-exploits-328-million-may-2026-peckshield/"}]},{"content":"On October 1–2, 2022, Transit Finance (then widely referred to as Transit Swap) suffered its first major exploit. Multiple security research firms — PeckShield, SlowMist, Bitrace, and TokenPocket — investigated the incident and identified the root cause as a failure to validate user-supplied calldata during token swaps. The vulnerability resided in the protocol's use of the transferFrom() function: the swap contract's routing proxy checked only calldata length and whitelisted bridge contract addresses, but not the actual calldata contents. The routing bridge contract similarly accepted swap addresses and call data without inspection. The permissions management contract's claimTokens function processed unconstrained parameters, allowing attackers to redirect user-approved tokens to arbitrary addresses. By constructing malicious calldata, the attacker drained tokens that users had previously approved for legitimate swaps across multiple chains, primarily Binance Smart Chain and Ethereum. 
Reported loss figures varied between sources: BeInCrypto and The Block reported approximately $21 million, while QuillAudits and BankInfoSecurity reported approximately $28.9 million. The discrepancy likely reflects differing methodologies for valuing multi-token losses at time of theft versus subsequent price changes. During the attack, an arbitrage bot front-ran the hacker and extracted approximately $1.1 million in BUSD separately. Security investigators obtained the attacker's IP address, email, and on-chain identifiers through collaboration between the four security firms. The attacker subsequently returned most stolen funds: approximately $19.146 million (roughly 70% of the larger figure) was returned within days. The hacker sent 10,000 BNB (approximately $2 million at the time) to Tornado Cash and claimed it as a self-declared bug bounty. Approximately $9.7 million in additional losses were reported as unrecovered at time of initial reporting. Transit Finance services were suspended immediately after discovery and restored after the recovery process.","heading":"October 2022 Exploit — Arbitrary External Call Vulnerability ($21M–$28.9M)","severity":"critical","sources":[{"credibility":2,"name":"Hacker Exploits $21M Vulnerability in Transit Swap — BeInCrypto","type":"news_article","url":"https://beincrypto.com/hacker-exploits-21m-vulnerability-in-transit-swap/"},{"credibility":1,"name":"Hacker returns 70% of $21 million taken from Transit Swap DEX — The Block","type":"news_article","url":"https://www.theblock.co/amp/post/174307/hacker-returns-70-of-21-million-taken-from-transit-swap-dex"},{"credibility":1,"name":"Transit Swap Exploiter Returns Large Chunk of $28.9M Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2022/10/03/transit-swap-exploiter-returns-large-chunk-of-289m-hack"},{"credibility":2,"name":"Hacker Steals $29M From Transit Finance, Returns $19M — 
BankInfoSecurity","type":"news_article","url":"https://www.bankinfosecurity.com/hacker-steals-29m-from-transit-finance-returns-19m-a-20196"},{"credibility":2,"name":"Transit Finance $28.9M Exploit Analysis — QuillAudits on Medium","type":"research","url":"https://quillaudits.medium.com/transit-finance-28-9m-exploit-analysis-quillaudits-5d8228956102"},{"credibility":2,"name":"Decoding Transit Finance's Contract Vulnerability — Neptune Mutual on Medium","type":"research","url":"https://medium.com/neptune-mutual/decoding-transit-finances-contract-vulnerability-977d2fda2897"},{"credibility":2,"name":"Transit Swap Bleeds $21M Loss amid Code Bug Exploit — CoinSpeaker","type":"news_article","url":"https://www.coinspeaker.com/transit-swap-21m-loss-code-exploit/"}]},{"content":"The May 2026 incident highlighted a recurring risk category in DeFi: smart contracts that are announced as deprecated by project teams but remain callable and funded on-chain. Transit Finance's TRON-deployed legacy contract was officially deprecated in 2022 following the first exploit, yet it persisted on-chain for approximately three and a half years before being exploited a second time in 2026. NullTX and multiple security commentators characterized the incident as a case study in the gap between administrative deprecation notices and technical decommissioning. Formally deprecating a contract without revoking its on-chain permissions, draining its liquidity, or disabling its callable functions leaves user funds exposed to dormant vulnerabilities indefinitely. 
Both exploits involved distinct but thematically related smart contract weaknesses: the 2022 attack exploited lack of calldata validation enabling arbitrary external calls; the 2026 attack exploited a historical vulnerability in the deprecated TRON contract's residual on-chain presence.","heading":"Smart Contract Risk — Legacy Contract Decommissioning Failure","severity":"high","sources":[{"credibility":2,"name":"$1.88M Reportedly Drained in TransitFinance Exploit — NullTX","type":"news_article","url":"https://nulltx.com/1-88m-reportedly-drained-in-transitfinance-exploit-that-exposes-hidden-risks-of-legacy-smart-contracts/"},{"credibility":2,"name":"Transit Finance to Compensate Users After TRON Exploit — Phemex News","type":"news_article","url":"https://phemex.com/news/article/transit-finance-to-compensate-users-after-tron-smart-contract-exploit-80916"},{"credibility":2,"name":"Decoding Transit Finance's Contract Vulnerability — Neptune Mutual on Medium","type":"research","url":"https://medium.com/neptune-mutual/decoding-transit-finances-contract-vulnerability-977d2fda2897"}]},{"content":"Following both exploits, Transit Finance publicly committed to compensating affected users. After the October 2022 incident, the team worked with security partners to recover a substantial portion of stolen funds and committed to covering any unrecovered user losses; approximately 70% of stolen assets were returned by the attacker. After the May 2026 incident, the team sent an on-chain message to the attacker's wallet offering a bug bounty reward in exchange for voluntary return of the remaining funds, with a stated 48-hour response window. The team also confirmed that an audit conducted on May 12, 2026 verified the security of the current active contract version. As of reporting at time of publication, no confirmation of fund return from the attacker in the May 2026 incident had been published by the sources consulted. 
Phemex and Cryptopolitan reported that Transit Finance committed to full compensation of affected users through official channels. It was not possible to independently verify the total compensation amounts actually disbursed in either incident based on available sources.","heading":"Team Response and User Compensation","severity":"medium","sources":[{"credibility":2,"name":"Transit Finance commits to refunds as $1.88M hack adds to May losses — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/transit-finance-to-refund-hack-may-losses/"},{"credibility":2,"name":"Transit Finance to Compensate Users After TRON Exploit — Phemex News","type":"news_article","url":"https://phemex.com/news/article/transit-finance-to-compensate-users-after-tron-smart-contract-exploit-80916"},{"credibility":2,"name":"Hacker Steals $29M From Transit Finance, Returns $19M — BankInfoSecurity","type":"news_article","url":"https://www.bankinfosecurity.com/hacker-steals-29m-from-transit-finance-returns-19m-a-20196"},{"credibility":2,"name":"Transit Finance Hacker to Return Remainder of Stolen Tokens — Chain Bulletin","type":"news_article","url":"https://chainbulletin.com/transit-finance-hacker-to-return-remainder-of-stolen-tokens"}]},{"content":"The May 2026 Transit Finance exploit occurred during a period of elevated cross-chain bridge attacks. PeckShield tracked eight major bridge-related exploits through mid-May 2026 with cumulative losses of $328.6 million. The largest single incident in this wave was the KelpDAO/LayerZero exploit on April 18, 2026 (approximately $300 million), in which a poisoned validator node authorized fraudulent cross-chain messages due to LayerZero's low RPC quorum default. Other incidents tracked included an $11.5 million Verus-Ethereum bridge exploit, a $2.8 million TAC Protocol incident that was subsequently reclassified as white-hat, and a $2 million IoTeX bridge private key exploit. 
Transit Finance's $1.88 million loss represented the smaller end of this incident cluster. Cumulative DeFi hack losses in 2026 were reported as exceeding $750 million through mid-April alone, according to Bitcoin.com News citing PeckShield data.","heading":"Broader Context — May 2026 Bridge and Cross-Chain Exploit Wave","severity":"medium","sources":[{"credibility":2,"name":"Crypto Bridge Exploits Hit $328.6M in May as PeckShield Tracks 8 Major Incidents — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/crypto-bridge-exploits-328-million-may-2026-peckshield/"},{"credibility":3,"name":"Transit Finance Hack: $1.88M Stablecoin Drain and Flow Implications — AInvest","type":"news_article","url":"https://www.ainvest.com/news/transit-finance-hack-1-88m-stablecoin-drain-flow-implications-2605/"}]},{"content":"No regulatory actions, SEC or CFTC filings, OFAC sanctions, law enforcement charges, or court proceedings against Transit Finance, Transit Swap, TPT DAO, or associated entities were identified in the sources reviewed for this investigation. 
The 2022 incident involved cooperation between security firms and disclosure of the attacker's identifying information to assist in voluntary recovery efforts; no public record of prosecution resulting from that disclosure was found.","heading":"No Regulatory or Law Enforcement Actions Identified","severity":"low","sources":[]}],"sources_used":[{"credibility":2,"name":"Transit Finance hack drains $1.88M from cross-chain protocol — Crypto.news","type":"news_article","url":"https://crypto.news/transit-finance-hack-drains-1-88m-from-cross-chain-protocol/"},{"credibility":2,"name":"$1.88M Drained from Transit Finance: Stolen DAI Sits in Fresh ETH Wallet — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/13/1-88m-drained-from-transit-finance-stolen-dai-sits-in-fresh-eth-wallet/"},{"credibility":2,"name":"Transit Finance Hacked Again — CoinSpectator","type":"news_article","url":"https://coinspectator.com/mainstream/2026/05/13/transit-finance-hacked-again-cross-chain-defi-protocol-loses-1-88-million-in-latest-exploit/"},{"credibility":2,"name":"$1.88M Reportedly Drained in TransitFinance Exploit — NullTX","type":"news_article","url":"https://nulltx.com/1-88m-reportedly-drained-in-transitfinance-exploit-that-exposes-hidden-risks-of-legacy-smart-contracts/"},{"credibility":2,"name":"Transit Finance commits to refunds as $1.88M hack adds to May losses — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/transit-finance-to-refund-hack-may-losses/"},{"credibility":2,"name":"Transit Finance to Compensate Users After TRON Exploit — Phemex News","type":"news_article","url":"https://phemex.com/news/article/transit-finance-to-compensate-users-after-tron-smart-contract-exploit-80916"},{"credibility":2,"name":"Transit Finance hacked for $1.88 million — Web3 Is Going Great","type":"community_report","url":"https://www.web3isgoinggreat.com/single/transit-finance-hack"},{"credibility":2,"name":"Crypto Bridge Exploits Hit $328.6M in May 
as PeckShield Tracks 8 Major Incidents — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/crypto-bridge-exploits-328-million-may-2026-peckshield/"},{"credibility":2,"name":"Hacker Exploits $21M Vulnerability in Transit Swap — BeInCrypto","type":"news_article","url":"https://beincrypto.com/hacker-exploits-21m-vulnerability-in-transit-swap/"},{"credibility":1,"name":"Hacker returns 70% of $21 million taken from Transit Swap DEX — The Block","type":"news_article","url":"https://www.theblock.co/amp/post/174307/hacker-returns-70-of-21-million-taken-from-transit-swap-dex"},{"credibility":1,"name":"Transit Swap Exploiter Returns Large Chunk of $28.9M Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2022/10/03/transit-swap-exploiter-returns-large-chunk-of-289m-hack"},{"credibility":2,"name":"Hacker Steals $29M From Transit Finance, Returns $19M — BankInfoSecurity","type":"news_article","url":"https://www.bankinfosecurity.com/hacker-steals-29m-from-transit-finance-returns-19m-a-20196"},{"credibility":2,"name":"Transit Finance $28.9M Exploit Analysis — QuillAudits on Medium","type":"research","url":"https://quillaudits.medium.com/transit-finance-28-9m-exploit-analysis-quillaudits-5d8228956102"},{"credibility":2,"name":"Decoding Transit Finance's Contract Vulnerability — Neptune Mutual on Medium","type":"research","url":"https://medium.com/neptune-mutual/decoding-transit-finances-contract-vulnerability-977d2fda2897"},{"credibility":2,"name":"Transit Swap Bleeds $21M Loss amid Code Bug Exploit — CoinSpeaker","type":"news_article","url":"https://www.coinspeaker.com/transit-swap-21m-loss-code-exploit/"},{"credibility":2,"name":"Transit Finance — IQ.wiki","type":"research","url":"https://iq.wiki/wiki/transit-finance"},{"credibility":2,"name":"Transit Finance Documentation","type":"official","url":"https://docs.transit.finance/"},{"credibility":2,"name":"Transit Finance Hacker to Return Remainder of Stolen Tokens — Chain 
Bulletin","type":"news_article","url":"https://chainbulletin.com/transit-finance-hacker-to-return-remainder-of-stolen-tokens"}],"summary":"Transit Finance (also known as Transit Swap) is a cross-chain DEX aggregator and trading platform governed by TPT DAO and affiliated with TokenPocket. The protocol has been exploited twice: first in October 2022 for an estimated $21–28.9 million via an arbitrary external call vulnerability, and again in May 2026 for approximately $1.88 million through a dormant legacy smart contract on TRON that had been officially deprecated but never decommissioned. In both incidents the team committed to user compensation; partial recovery was achieved in 2022.","timeline":[{"date":"2022-10-01","event":"Transit Finance (Transit Swap) suffers first major exploit. An attacker exploits a transferFrom() calldata validation failure, draining approximately $21–28.9 million in user-approved tokens across BSC and Ethereum.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2022/10/03/transit-swap-exploiter-returns-large-chunk-of-289m-hack"},{"date":"2022-10-02","event":"Transit Finance suspends services. PeckShield, SlowMist, Bitrace, and TokenPocket identify attacker's IP address, email, and on-chain identifiers.","source":"BankInfoSecurity","source_url":"https://www.bankinfosecurity.com/hacker-steals-29m-from-transit-finance-returns-19m-a-20196"},{"date":"2022-10-03","event":"Attacker begins returning stolen funds; approximately $19.146 million (roughly 70% of losses) is returned to Transit Finance. 
Attacker sends 10,000 BNB (~$2M) to Tornado Cash claiming a self-declared bug bounty.","source":"The Block","source_url":"https://www.theblock.co/amp/post/174307/hacker-returns-70-of-21-million-taken-from-transit-swap-dex"},{"date":"2022-10-06","event":"Additional $246,000 recovered from the 2022 attacker, per QuillAudits analysis.","source":"QuillAudits — Medium","source_url":"https://quillaudits.medium.com/transit-finance-28-9m-exploit-analysis-quillaudits-5d8228956102"},{"date":"2022-10-01","event":"Transit Finance officially deprecates the early-version TRON smart contract in the aftermath of the first exploit.","source":"NullTX","source_url":"https://nulltx.com/1-88m-reportedly-drained-in-transitfinance-exploit-that-exposes-hidden-risks-of-legacy-smart-contracts/"},{"date":"2026-05-12","event":"Transit Finance's current active contract version is confirmed secure by an internal audit, per team statement.","source":"Phemex News","source_url":"https://phemex.com/news/article/transit-finance-to-compensate-users-after-tron-smart-contract-exploit-80916"},{"date":"2026-05-13","event":"PeckShield flags the Transit Finance exploit. Approximately $1.875 million DAI and 1.37 ETH are drained from a legacy TRON smart contract deprecated since 2022. 
Stolen funds move to Ethereum wallet 0x8a634DfA2609358849D7D65FFA270C8A57a8abA5.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/05/13/1-88m-drained-from-transit-finance-stolen-dai-sits-in-fresh-eth-wallet/"},{"date":"2026-05-13","event":"Transit Finance sends an on-chain message to the attacker's wallet offering a bug bounty reward and a 48-hour white-hat window in exchange for return of funds.","source":"Crypto.news","source_url":"https://crypto.news/transit-finance-hack-drains-1-88m-from-cross-chain-protocol/"},{"date":"2026-05-13","event":"Transit Finance publicly commits to fully compensating all affected users and states that the current active protocol is unaffected.","source":"Cryptopolitan","source_url":"https://www.cryptopolitan.com/transit-finance-to-refund-hack-may-losses/"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision e39129ed-55fb-4b9d-98d4-8262b01f6547
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
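The two checks described above, as an added example (not avoid.net's verifier or any code from this page): recompute the SHA-256 of the canonical bytes, encode it as base58, compare it with the stored hash, then confirm the same value is in the memo text. The canonical JSON form (sorted keys, no whitespace, UTF-8), the memo layout, and the sample record are assumptions constructed for illustration.

```python
import hashlib
import json

# Base58 alphabet used by Bitcoin and Solana (omits 0, O, I and l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def canonical_bytes(record: dict) -> bytes:
    """ASSUMPTION: canonical form is sorted keys, compact separators, UTF-8.
    This matches how the record is rendered on the page but is not confirmed."""
    text = json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return text.encode("utf-8")


def row_hash(canonical: bytes) -> str:
    """sha256 -> base58, the format shown in the log row's hash field."""
    return b58encode(hashlib.sha256(canonical).digest())


def verify(canonical: bytes, stored_hash: str, memo: str) -> dict:
    """Recompute the hash locally and check it against both witnesses.

    The memo is compared against the recomputed value, not the stored one,
    so neither the log row nor the memo is trusted on its own."""
    recomputed = row_hash(canonical)
    return {
        "row_integrity": recomputed == stored_hash,
        # Whole-token match, so a truncated or padded hash does not pass.
        "memo_match": recomputed in memo.split(),
    }


# Constructed sample record (not the record from this page).
RECORD = {"actor": "system:backfill", "kind": "publish",
          "page_slug": "example-entity", "sequence_num": 1, "v": 1}
CANONICAL = canonical_bytes(RECORD)
STORED_HASH = row_hash(CANONICAL)        # value the log row would store
MEMO = f"audit-log {STORED_HASH}"        # hypothetical memo layout
# One changed byte in the record, as an edited row would look.
TAMPERED = CANONICAL.replace(b'"sequence_num":1', b'"sequence_num":2')

if __name__ == "__main__":
    print("original:", verify(CANONICAL, STORED_HASH, MEMO))
    print("tampered:", verify(TAMPERED, STORED_HASH, MEMO))
```

A row that fails `row_integrity` was altered after hashing; a row that passes it but fails `memo_match` was never anchored under that hash, or the stored hash and bytes were replaced together.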