LI.FI DeFi Platform Exploited, Over $8 Million Lost to Attack
The decentralized finance (DeFi) platform LI.FI protocol has been exploited for more than $8 million.
Cyvers Alerts reported the discovery of suspicious transactions in the LI.FI cross-chain transaction aggregator.
LI.FI issued a warning after the $8 million exploit
LI.FI confirmed the breach on July 16 in a statement via X: “Please do not connect to any powered apps for now! We are investigating a possible exploit.” The team stated that users who did not set up infinite approvals were not at risk, emphasizing that only those who manually set up infinite approvals appeared to be affected.
Please do not connect to any powered apps for now!
We are investigating a potential exploit. If you don't have an unlimited license, you're not at risk.
Only users who manually set infinite approvals appear to be affected.
Cancel all…
— LI.FI (@lifiprotocol) July 16, 2024
According to Cyvers Alerts, more than $8 million of user funds has been stolen, most of it in stablecoins. According to on-chain data, the hacker's wallet holds 1,715 Ether (ETH) worth $5.8 million along with USDC, USDT and DAI stablecoins.
🚨ALERT🚨@lifiprotocol, our system has detected suspicious transactions involving you.
For: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae We recommend that users revoke their approval.
So far over $8m has been thrown from users and the mostly stable coin!… pic.twitter.com/zsj9DZWnpU
— 🚨 CyversAlerts 🚨 (@CyversAlerts) July 16, 2024
Cyvers Alerts noted that the attacker was converting USDC and USDT to ETH and recommended revoking the relevant approvals immediately.
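The revocation advice above comes down to two raw ERC-20 calls: read `allowance(owner, spender)` to see what a token contract will let the spender take, and send `approve(spender, 0)` to revoke it. The following is an added example, not code from LI.FI, Cyvers or any approval-manager app; it builds both calls for the LI.FI contract address quoted in the Cyvers alert, classifies allowance values as none, bounded or unlimited, and plans which tokens to revoke. The owner and token addresses and the allowance values are constructed placeholders, and the unlimited threshold is an assumption.

```python
"""Audit and revoke ERC-20 allowances granted to one spender (added example)."""

# 4-byte function selectors: first 4 bytes of keccak256(signature)
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)

# Wallets usually encode an "infinite approval" as 2**256 - 1, but some tokens
# cap what they store, so anything at or above this is treated as unlimited.
UNLIMITED_THRESHOLD = 2**255  # assumption for this example

# Spender address quoted in the Cyvers alert on this page
LIFI_DIAMOND = "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae"


def _addr_word(addr: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    hex_part = addr.lower().removeprefix("0x")
    if len(hex_part) != 40:
        raise ValueError("address must be 20 bytes of hex")
    return hex_part.rjust(64, "0")


def allowance_calldata(owner: str, spender: str) -> str:
    """eth_call data for allowance(owner, spender) on any ERC-20 token."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)


def revoke_calldata(spender: str) -> str:
    """Transaction data for approve(spender, 0), which sets the allowance to zero."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + "0" * 64


def classify_allowance(raw_return: str) -> str:
    """Classify the 32-byte uint256 returned by allowance(): none, bounded or unlimited."""
    value = int(raw_return.removeprefix("0x"), 16)
    if value == 0:
        return "none"
    return "unlimited" if value >= UNLIMITED_THRESHOLD else "bounded"


def plan_revocations(spender: str, allowances: dict) -> list:
    """Given {token_address: raw allowance() return}, list every nonzero
    allowance with its class and the approve(spender, 0) calldata to send."""
    plan = []
    for token, raw in allowances.items():
        kind = classify_allowance(raw)
        if kind != "none":
            plan.append({"token": token, "class": kind,
                         "revoke_data": revoke_calldata(spender)})
    return plan
```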
Crypto security firm Decurity has provided insights into the exploit, stating that it involves the LI.FI bridge. “The root cause is an arbitrary access to user-controlled data in GasZipFacet, which was deployed 5 days ago,” Decurity explained on X.
“In general, risks behind routers, cross-chain changes, etc. are about token validation. Raw native assets like (uncapped) ETH are safe from such hacks b/c they don't have validation as an alternative. Most users and wallets don't either anymore.” They don't “bind” approvals, which gives a smart contract total control over which tokens are approved for which contracts.
This dashboard will track all the user's transactions that cross Lifi. Not all of these transactions represent risk – but overall, integration and technology layers (like how Metamask bridges Lifi over BSC) can see how users can complicate their assets with little or no risk. Revoke Cash is a popular approval manager app.
But simply turning your address around is a good security practice. New addresses start with 0 approvals, so moving your tokens to a new address and starting fresh is another good security practice, commented Carlos Mercado, data scientist at Flipside Crypto.
Latest exploit mirrors March 2022 attack
Further analysis by PeckShield Alert reveals that the vulnerability is similar to a previous attack on the LI.FI protocol on March 20, 2022. That incident saw a bad actor exploiting LI.FI's smart contract, specifically the exchange feature, prior to its integration.
The attacker tricked the system into invoking token approvals directly in the context of its own contracts, leaving users who had granted unlimited approvals vulnerable. This exploit resulted in the theft of approximately 205 ETH from 29 wallets, affecting tokens such as USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT and DAI.
“Mistakes are essentially the same. Can we learn from the lesson(s) of the past?” PeckShield Alert said in a July 16 X post.
Following the 2022 event, LI.FI disabled all swap mechanisms in its smart contract and worked on developing a solution to prevent future exposures. However, the recurrence of a similar exploit raises concerns about the platform's security measures and whether adequate steps have been taken to address the weaknesses identified in previous breaches.
LI.FI is a liquidity aggregation protocol that allows users to trade across multiple blockchains, venues and bridges.