DeFi Platform LI.FI Exploited, Over $8 Million Lost in Attack

Decentralized finance (DeFi) platform LI.FI protocol has suffered an exploit worth over $8 million.

Cyvers Alerts has reported the detection of suspicious transactions within the cross-chain transaction aggregator LI.FI.

LI.FI issues warning after $8 million exploitation

LI.FI confirmed the flaw in a statement on July 16 via X: “Please do not interact with applications running under http://LI.FI at this time! We are investigating a potential exploit.” The team clarified that users who have not granted infinite approvals (unlimited token allowances to the LI.FI contract) are not at risk, noting that only those who manually set infinite approvals appear to be affected.

According to Cyvers Alerts, over $8 million in user funds were stolen, the majority of which were stablecoins. According to on-chain data, the attacker’s wallet contains 1,715 Ether (ETH) worth $5.8 million, plus the stablecoins USDC, USDT, and DAI.

Cyvers Alerts advised users to immediately revoke affected permissions, noting that the attacker is actively converting USDC and USDT to ETH.

Smart contract security firm Decurity provided information about the exploit, attributing it to the LI.FI bridge contract. “The root cause is the possibility of an arbitrary call with user-controlled data via depositToGasZipERC20() in GasZipFacet, which was deployed 5 days ago,” Decurity explained on X.

“Typically, the risks around routers, cross-chain swaps, etc. are around token approvals. Raw native assets like ETH (unwrapped) are immune to these kinds of hacks because they don’t have optional approvals. Most users and wallets also don’t do “infinite approvals” anymore, which gives a smart contract full control over removing any amount of its tokens. It’s important to understand which tokens you’re approving for which contracts.

This dashboard looks for all transactions from a user that cross Lifi. Not all of these transactions indicate risk, but you can see how, in general, integrations and layers of technology (like how the Metamask bridge uses Lifi on BSC) can complicate how users do or don’t put their assets at risk. Revoke Cash is the most well-known approval management application.

But it’s also a good idea to simply rotate your address. New addresses start with 0 approvals, so starting over by moving your tokens to a new address is another good security practice,” commented Carlos Mercado, Data Scientist at Flipside Crypto.

Recent exploit mirrors March 2022 attack

Further analysis by PeckShield Alert revealed that the vulnerability is similar to a previous attack on the LI.FI protocol that occurred on March 20, 2022. In that incident a bad actor exploited LI.FI’s smart contract, specifically the swap function executed before bridging.

The attacker abused the contract’s ability to call token contracts directly in the context of LI.FI’s own contract, leaving users who had granted infinite approvals vulnerable. This exploit resulted in the theft of approximately 205 ETH from 29 wallets, affecting tokens such as USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI.

“The bug is fundamentally the same. Have we learned anything from past lessons?” PeckShield Alert said in a July 16 post on X.

Following the 2022 incident, LI.FI disabled all exchange methods in its smart contract and worked on developing a patch to prevent future vulnerabilities. However, the recurrence of a similar exploit raises concerns about whether adequate measures were taken to address the weaknesses identified in the previous breach.
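The mechanism behind both the 2024 GasZipFacet exploit and the 2022 swap-function incident is the same: a router that forwards a user-supplied target address and calldata with itself as msg.sender lets an attacker encode token.transferFrom(victim, attacker, amount) as the "swap", and the router, not the attacker, becomes the caller that spends the victim's allowance. The following Solidity sketch is an added illustration, not LI.FI's code; the contract names, the SwapData layout and the allowlist design are assumptions chosen to show the vulnerable pattern beside one hardened form.

```solidity
// SPDX-License-Identifier: MIT
// Illustrative example only; not LI.FI's GasZipFacet or LibSwap.
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical swap descriptor: both fields come straight from the caller.
struct SwapData {
    address callTo;   // target of the forwarded call
    bytes callData;   // calldata of the forwarded call
}

// VULNERABLE PATTERN: the router performs an arbitrary call with user-controlled
// target and data. Any token a victim has approved to this router can be pulled,
// because the token contract sees the router as msg.sender of transferFrom.
contract VulnerableRouter {
    function depositWithSwap(SwapData calldata s) external payable {
        (bool ok, ) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, "swap failed");
    }
}

// Attacker helper: builds the payload that drains a victim through the router.
// No token ever has to be deposited; the "swap" is just transferFrom(victim, attacker).
contract DrainPayload {
    function build(address token, address victim, address attacker, uint256 amount)
        external pure returns (SwapData memory)
    {
        return SwapData({
            callTo: token,
            callData: abi.encodeCall(IERC20.transferFrom, (victim, attacker, amount))
        });
    }
}

// HARDENED PATTERN: only owner-allowlisted targets and function selectors may be
// called, and transferFrom is refused outright as defence in depth. Tokens that
// users approve to the router must never be allowlisted as call targets.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;
    mapping(bytes4 => bool) public allowedSelector;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setTarget(address target, bool ok) external onlyOwner {
        allowedTarget[target] = ok;
    }

    function setSelector(bytes4 selector, bool ok) external onlyOwner {
        allowedSelector[selector] = ok;
    }

    function depositWithSwap(SwapData calldata s) external payable {
        require(allowedTarget[s.callTo], "target not allowlisted");
        require(s.callData.length >= 4, "missing selector");
        bytes4 selector = bytes4(s.callData[:4]);
        require(allowedSelector[selector], "selector not allowlisted");
        // transferFrom executed with the router as msg.sender spends user allowances,
        // so it is never a legitimate swap step.
        require(selector != IERC20.transferFrom.selector, "transferFrom forbidden");
        (bool ok, ) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, "swap failed");
    }
}
```

The allowlist is only as good as its maintenance: every newly deployed facet or swap route has to go through the same checks, and a facet that reaches the raw call path without them reintroduces the bug even when the rest of the code base is hardened. From the user side, the exposure is exactly the set of tokens with a non-zero allowance to the router, which is why revoking approvals or moving funds to a fresh address closes the window.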

LI.FI is a liquidity aggregation protocol that allows users to trade across different blockchains, venues, and bridges.
