Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Decentralized cross-chain aggregation protocol Transit Finance suffered an exploit on its deprecated (2022-era) TRON smart contract, resulting in approximately $1.88 million in DAI being drained. The stolen funds were transferred to an Ethereum address. The team confirmed it was isolated to legacy code, stated that current contracts are secure, completed remediation on May 12, and promised full user compensation. They sent an on-chain message to the attacker offering a bug bounty for return within 48 hours, or they would pursue legal action. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 1,880,000.
- chain
- ethereum
- protocol
- Transit Finance
- bug_class
- logic
- date_occurred
- 2026-05-13
- loss_usd
- $1,880,000
- source_id
- sm:transit-finance::2026-05-13