Transit Finance, the cross-chain swap aggregator behind Transit Swap, has confirmed a security breach that drained approximately $1.88 million in DAI from an outdated smart contract on the TRON blockchain. Blockchain security firm PeckShield first detected the exploit on May 11, tracking the stolen funds to a single wallet. The company moved quickly, completing security reviews and recovery measures by May 12, and has publicly committed to fully reimbursing all affected users without requiring any action on their part.
The vulnerability existed in a deprecated version of the protocol’s smart contract that had been inactive since 2022. Only a subset of users who had previously interacted with that legacy code were impacted. Transit Finance stressed that the current version remains secure and that no additional user steps are needed for compensation.
This incident adds to a brutal year for decentralized finance. Kelp DAO lost $293 million on April 19, while Drift Protocol suffered a $280 million exploit earlier in the month. Industry projections now estimate total DeFi exploit losses could reach $2.3 billion by the end of 2026. The repeated breaches have intensified calls for stronger audits and better monitoring.
Cybersecurity researchers also continue to flag the Lazarus Group, a North Korea-linked threat actor, as responsible for roughly 76% of crypto hack losses through April 2026, per a TRM Labs report. Transit Finance itself was previously hacked in October 2022 for $28.9 million, making this latest exploit a troubling reminder of persistent cross-chain vulnerabilities.
