DeFi Protocol Li.Fi Hit With $11 Million Hack Due To Smart Contract Exploit
Full summary
- DeFi protocol Li.Fi was hacked for around $11 million in Ethereum and stablecoins.
- The exploit targeted users who had manually set infinite approvals on their accounts.
- Li.Fi has contained the exploit and says users are no longer at risk.
- The attack may have exploited a vulnerability in the Li.Fi bridge.
- This isn’t the first security issue for Li.Fi, which lost $600,000 in an incident in 2022.
On July 16, 2024, the cross-chain decentralized finance (DeFi) protocol Li.Fi suffered a major security breach. An attacker exploited a vulnerability in one of the protocol's smart contracts, draining approximately $11 million in cryptocurrency from users' wallets.
The stolen funds consisted primarily of Ethereum (ETH) and various stablecoins, including USDC, USDT, and DAI. Blockchain security firm CertiK initially reported a loss of nearly $9 million, but Li.Fi later confirmed to Decrypt that the total amount stolen was closer to $11 million.
🚨ALERT🚨 @lifiprotocol Our system has detected suspicious transactions involving your https://t.co/3LzbDK99Ed
We recommend users revoke their approvals for: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
More than $8 million has been drained so far from users and mainly from stablecoins!… pic.twitter.com/zsj9DZWnpU
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 16, 2024
Li.Fi, which allows users to trade across different blockchains, platforms, and bridges, quickly responded to the incident. The protocol team announced on social media platform X (formerly Twitter) that it was investigating a potential exploit and urged users not to interact with applications powered by Li.Fi until further notice.
According to Li.Fi, the exploit targeted users who had manually adjusted their account settings to allow “infinite approvals.” An infinite approval is an ERC-20 allowance set to the maximum possible value, granted to a protocol contract so the user does not have to approve every transaction individually. It gives that contract standing permission to move the user's entire token balance, so if any code path in the contract can be made to call transferFrom on the user's behalf, the attacker can drain the full balance rather than the amount involved in a single transaction.
A smart contract exploit earlier today has been contained and the affected smart contract facet has been disabled.
There is currently no additional risk to users.
The only wallets affected were set to infinite approvals and had very small numbers of users.
We commit ourselves…
— LI.FI (@lifiprotocol) July 16, 2024
Crypto security firm Decurity suggested that the root cause of the exploit was a vulnerability in the Li.Fi bridge. They pointed to a specific function in a smart contract facet that was deployed just five days before the attack, which allowed “an arbitrary call with user-controlled data.” Because users had approved that contract to spend their tokens, a function that forwards caller-chosen calldata to a caller-chosen address lets an attacker have the contract call a token's transferFrom against any approved wallet, which is why the victims were exactly those with infinite approvals.
https://t.co/k9LgVmliv7 The bridge was operated for ~8M USD.
The root cause is the possibility of an arbitrary call with user-controlled data via `depositToGasZipERC20()` in GasZipFacet which was deployed 5 days ago!
One of the txs hack: https://t.co/ILPFpZnJH8 pic.twitter.com/qpTmyFnCx8
— Decurity (@DecurityHQ) July 16, 2024
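The pattern Decurity describes, and the combination with infinite approvals explained above, as an added illustration that is not Li.Fi's code and does not reproduce the actual GasZipFacet: the contract names, the function parameters, and the router address are assumptions. The first contract shows the bug class (a user-controlled target receiving user-controlled calldata from a contract that holds users' allowances); the second shows the hardened shape a reviewer would ask for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the bug class, not Li.Fi's actual code.
// Contract names, parameters and the router address are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// VULNERABLE: any caller can make this contract call any target with any data.
// Users had granted this contract (the address they interact with) an
// unlimited allowance, so an attacker passes `target = token` and
// `data = abi.encodeCall(IERC20.transferFrom, (victim, attacker, balance))`.
// The token sees msg.sender == this contract, which the victim approved,
// and the transfer succeeds for the victim's whole balance.
contract VulnerableGasZipFacet {
    function depositToGasZipERC20(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");
    }
}

// HARDENED: the call target is fixed at deployment, only the deposit amount is
// user-controlled, and the facet pulls exactly that amount from msg.sender
// before granting the downstream router a just-in-time allowance for it.
// The contract's standing user allowances are never reachable through
// caller-supplied calldata.
contract HardenedGasZipFacet {
    address public immutable gasZipRouter;  // assumed trusted downstream contract
    bytes4 private constant TRANSFER_FROM = IERC20.transferFrom.selector;

    constructor(address router) {
        require(router != address(0), "router required");
        gasZipRouter = router;
    }

    function depositToGasZipERC20(address token, uint256 amount, bytes calldata routerData) external {
        // 1. The caller never chooses the target; it is the fixed router.
        // 2. Backstop: reject calldata that would move third-party funds even if
        //    a token address were ever mistakenly configured as the router.
        require(routerData.length >= 4, "calldata too short");
        require(bytes4(routerData[:4]) != TRANSFER_FROM, "forbidden selector");
        // 3. Pull only what this caller is depositing, and only from this caller.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        // 4. Minimal, short-lived allowance scoped to this deposit.
        require(IERC20(token).approve(gasZipRouter, amount), "approve failed");
        (bool ok, ) = gasZipRouter.call(routerData);
        require(ok, "router call failed");
        // 5. Revoke whatever the router did not consume.
        require(IERC20(token).approve(gasZipRouter, 0), "revoke failed");
    }
}
```

The real fix is step 1: a contract that holds user allowances must never let callers pick the address it calls. The selector check is defence in depth only, since a token address as target would also be abusable through approve. On the user side, the equivalent of Li.Fi's revocation advice is a single call per token, `IERC20(token).approve(facetAddress, 0)`, which is what a revocation site submits on the user's behalf.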
Li.Fi has since contained the exploit and disabled the affected smart contract facet. The protocol assured users that there was currently no additional risk, noting that only a small number of users who had set infinite approvals were affected.
In response to the incident, Li.Fi advised users to immediately use its “isolated revocation website” and published a list of specific contract addresses whose approvals should be revoked. It also recommended that users visit scan.li.fi to check whether their wallets were affected.
This isn’t the first time Li.Fi has faced security issues. In 2022, a bug in the protocol’s exchange function led to losses of $600,000 in cryptocurrency. The recurring nature of these incidents highlights the ongoing security challenges facing DeFi protocols.
The Li.Fi hack adds to a sharp increase in cryptocurrency thefts in 2024. According to a report from blockchain intelligence firm TRM Labs, hackers stole more than twice as much cryptocurrency in the first half of 2024 as in the same period of 2023.
The total value of cryptocurrency thefts reached $1.38 billion as of June 24, 2024, almost as much as the $1.7 billion stolen in all of 2023.
The Li.Fi team said it is working with law enforcement authorities and relevant third parties, including industry security teams, to recover the stolen funds. It promised to release a more detailed post-mortem analysis of the incident as soon as possible.