Cross-chain aggregator Transit Finance will compensate users for a $1.88 million exploit after attackers drained DAI stablecoins from a deprecated smart contract on the TRON network.
"The stolen funds are currently sitting in the following address in $DAI: 0x8a634DfA2609358849D7D65FFA270C8A57a8abA5," blockchain security firm PeckShield said in a post on X, having first identified the breach on May 11.
The exploit was isolated to an older, inactive version of a Transit Swap smart contract that was deprecated after 2022. Transit Finance confirmed the vulnerability on May 12, stating the current protocol is secure and that no action is required from affected users for compensation. The stolen funds represent a fraction of the more than $600 million lost to DeFi exploits in April, a month dominated by the $293 million Kelp DAO and $280 million Drift Protocol hacks, according to industry security reports.
The event highlights the persistent risk of legacy code in the DeFi sector, where old smart contracts can remain vulnerable targets even after being officially decommissioned. While the promise of full compensation may placate users, it serves as a costly reminder of smart contract security liabilities. This incident follows a much larger $28.9 million exploit that hit Transit Finance in October 2022, which was caused by an improper input validation flaw in its swap mechanism. A portion of those funds was later recovered.
This article is for informational purposes only and does not constitute investment advice.
