Crosschain Protocol LI.FI loses nearly $10 million in Exploit
Cross-chain protocol LI.FI has been exploited for roughly $10 million in cryptocurrencies following a series of suspicious withdrawals as of the time of writing.
A smart contract exploit earlier today has been contained and the affected smart contract facet disabled.
There is currently no further risk to users.
The only wallets affected were set to infinite approvals, and represented only a very small number of users.
We are engaging…
— LI.FI (@lifiprotocol) July 16, 2024
#CertiKInsight 🚨
Our alerting system has flagged multiple suspicious transactions involving EOA 0x8B3Cb6Bf982798fba233Bca56749e22EEc42DcF3
The wallet is currently holding $8.7m worth of assets
We are currently investigating pic.twitter.com/15OXsHeT9Y
— CertiK Alert (@CertiKAlert) July 16, 2024
The team posted on X (formerly Twitter) that it was investigating a possible hack believed to affect users who had manually set certain options, such as infinite token approvals.
The LI.FI team said users should not interact with any LI.FI-powered application for the time being while it looked into the possible exploit. Users who had not granted an infinite approval were not at risk, the post added.
Users were also strongly advised to use LI.FI's own revoke page for now, as the team had identified four more security breaches. Users can visit scan.li.fi to check whether their wallets are implicated by the exploit and use revoke.cash to revoke outstanding token approvals.
According to security firm Decurity, the root cause appears to be an arbitrary call with user-controlled data to a gas contract that had been deployed five days earlier to pay fees on the Ethereum blockchain. In a post on X, Decurity researchers wrote that the attacker crafted calldata consisting of transferFrom() calls and passed it as swapData to depositToGasZipERC20, causing the bridge to pull tokens that users had approved it to spend. In other words, any token a user had approved the bridge contract to spend could be transferred out by anyone able to make that contract execute calldata of their choosing, which is why only wallets with standing (infinite) approvals were exposed.
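The pattern Decurity describes, as an added illustration that is not LI.FI's code and does not reproduce its contracts: a router that holds users' ERC-20 approvals executes a caller-chosen target and calldata, so the caller can point it at the token contract with a transferFrom() payload. The contract and function names (VulnerableGasRouter, HardenedGasRouter, depositWithSwap, ExploitPayload) are hypothetical; the allow-list hardening is one common fix, not a description of LI.FI's patch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not LI.FI's code. All contract and function names here
// are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Caller-supplied "swap" description: which contract to call and with what data.
struct SwapData {
    address callTo;
    bytes callData;
}

// VULNERABLE PATTERN: a contract that holds users' ERC-20 approvals executes a
// target and calldata chosen entirely by the caller. Nothing stops callTo from
// being the token contract itself and callData from being
// transferFrom(victim, attacker, amount). Because the victim approved this
// router, the token contract honours that transfer.
contract VulnerableGasRouter {
    function depositWithSwap(SwapData calldata swap) external {
        (bool ok, ) = swap.callTo.call(swap.callData);
        require(ok, "swap failed");
        // ... gas deposit logic would follow
    }
}

// HARDENED PATTERN: the external call is still needed (aggregators route
// through many DEXes), so restrict it to an owner-maintained allow list of
// targets and function selectors. Token contracts and transferFrom are never
// listed, so the approvals this contract holds cannot be redirected.
contract HardenedGasRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;
    mapping(bytes4 => bool) public allowedSelector;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
    }

    function setSelector(bytes4 selector, bool allowed) external onlyOwner {
        allowedSelector[selector] = allowed;
    }

    function depositWithSwap(SwapData calldata swap) external {
        require(swap.callData.length >= 4, "missing selector");
        bytes4 selector = bytes4(swap.callData[:4]);
        require(allowedTarget[swap.callTo], "target not allowed");
        require(allowedSelector[selector], "selector not allowed");
        (bool ok, ) = swap.callTo.call(swap.callData);
        require(ok, "swap failed");
    }
}

// Shows what the attacker's swapData looks like against the vulnerable router.
// In practice this is built off-chain; it is here only to make the payload
// concrete: callTo is the token, callData is transferFrom(victim, attacker, amount).
contract ExploitPayload {
    function build(address token, address victim, address attacker, uint256 amount)
        external
        pure
        returns (SwapData memory)
    {
        return SwapData({
            callTo: token,
            callData: abi.encodeWithSelector(
                IERC20.transferFrom.selector, victim, attacker, amount
            )
        });
    }
}
```

The allow list closes the contract-side hole, but it does not reduce what a user has already put at stake: any approval the router holds is only as safe as every code path that can call out of it. On the user side, approving the exact amount needed for a transaction rather than an unlimited amount, and revoking approvals that are no longer needed, caps the loss from this class of bug.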
According to DeFi World data, the wallet that received the drained funds holds almost $200,000 in DAI stablecoins and over $4 million in ETH. That figure is likely incomplete, as USDT and USDC stablecoins also appear to be leaving the protocol, the post added.
The total loss, according to security firm CertiK, could be as high as $9 million.
Blockchain security firm Cyvers said in a warning tweet that its systems had detected suspicious LI.FI transactions involving a particular contract address. The attacker took over $8 million, mostly in stablecoins, and some of the stolen Tether (USDT) and USD Coin (USDC) had already been swapped into Ethereum (ETH), it wrote.
Thirty-one minutes later, Cyvers posted a follow-up stating that about $10 million worth of cryptocurrency had been drained across several chains and that the Arbitrum network was now affected as well.
This is not the first incident for the protocol. In March 2022 an unidentified attacker exploited a vulnerability in the LI.FI smart contract, draining about $600,000 worth of various tokens. The LI.FI team's post-mortem found that a flaw in the swapping feature gave the attacker full control over the pre-bridge swap step.
Disclaimer: This information should not be considered financial advice by any means. Please do your own research before making any investment decisions. The views in the articles are personal opinions only. Whale Insider is not responsible for any financial losses incurred.