Exploited LI.FI DeFi platform, more than 8 million dollars lost to attack

The decentralized finance (DeFi) platform LI.FI protocol has suffered an exploit exceeding $8 million.

Cyvers Alerts reported the detection of suspicious transactions within the LI.FI interchain transaction aggregator.

LI.FI issues warning after $8 million exploit

LI.FI confirmed the breach in a statement on July 16 via X: “Please do not interact with any apps with http://LI.FI at this time! We are investigating a possible exploit.” The team clarified that users who did not set infinite approval are not at risk, stressing that only those who manually set infinite approvals appear to be affected.

Please do not interact with any apps with https://t.co/nlZEnqOyQz for now!

We are investigating a possible exploit. If you didn’t set infinite approval, you’re not at risk.

Only users who have manually set infinite approvals appear to be affected.

Undo all…

— LI.FI (@lifiprotocol) July 16, 2024

According to Cyvers Alerts, more than $8 million in user funds, mostly stablecoins, have been stolen. According to on-chain data, the hacker’s wallet has 1,715 Ether (ETH) valued at $5.8 million and stablecoins USDC, USDT, and DAI.

🚨ALERT🚨@lifiprotocolOur system has detected suspicious transactions related to your https://t.co/3LzbDK99Ed

We recommend that users revoke their approvals for: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae

So far more than 8 million dollars have been drained from users and mostly from stablecoins!… pic.twitter.com/zsj9DZWnpU

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 16, 2024

Cyvers Alerts advised users to revoke relevant authorizations immediately, noting that the attacker is actively converting USDC and USDT to ETH.

Crypto security company Decurity provided information about the exploit, claiming it involves the LI.FI bridge. “The root cause is the possibility of an arbitrary call with user-controlled data via depositToGasZipERC20() on GasZipFacet, which was deployed 5 days ago,” Decurity explained to X.

“In general, the risks behind routers, cross-chain exchanges, etc. are about token approval. Raw native assets like (unwrapped) ETH are safe from these kinds of hacks, but they don’t have approvals as an option.Most users and wallets also no longer do “infinite approvals”, which gives a smart contract full control over the removal of any amount of its tokens witnesses you are approving with which contracts.

This dashboard searches all transactions of a user that intersects with Lifi. Not all of these transactions indicate risk, but you can see how, broadly speaking, integrations and layers of technology (like how Metamask bridge uses Lifi in BSC) can complicate how users put their assets at risk or not. Revoke Cash is the most popular approval manager app.

But it’s also good security practice to simply rotate your address. New addresses start with 0 approvals, so starting over by moving your tokens to a new address is another good security practice.” – commented Carlos Mercado, Data Scientist at Flipside Crypto.

Recent Exploit Mirrors March 2022 Attack

Further analysis of the PeckShield alert revealed that the vulnerability is similar to a previous attack on the LI.FI protocol that occurred on March 20, 2022. This incident saw a bad actor exploit the intel contract LI.FI smart, specifically the exchange function, before bridging.

The attacker manipulated the system to call token contracts directly within the context of their contract, making users who had given infinite approval vulnerable. This exploit led to the theft of approximately 205 ETH from 29 wallets, affecting tokens such as USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT and DAI.

“The mistake is basically the same. Are we learning anything from the previous lessons?” PeckShield Alert said in a July 16 X post.

After the 2022 incident, LI.FI disabled all exchange methods in its smart contract and worked to develop a fix to prevent future vulnerabilities. However, the repetition of a similar exploit raises concerns about the platform’s security measures and whether adequate steps were taken to address the vulnerabilities identified in the previous breach.

LI.FI is a liquidity aggregation protocol that allows users to trade across different blockchains, sites and bridges.

SPECIAL OFFER (Sponsored) Binance Free $600 (Exclusive to CryptoPotato): Use this link to register a new account and receive an exclusive welcome offer of $600 to Binance (full details).

2024 LIMITED OFFER on BYDFi Exchange – Up to $2888 Welcome Reward, Use this link to register and open a 100 USDT-M position for free!