Li Finance (LiFi) protocol is the latest decentralized finance (DeFi) platform to fall victim to hackers. A loophole in LI.FI’s pre-bridge swap smart contract was exploited by the rogue actor, enabling him to steal varying amounts of USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI totaling $600k from 29 wallets, according to a March 21, 2022 blog post.
LI.FI Protocol Suffers $600k Heist
LI.FI, a bridge aggregation protocol with decentralized exchange (DEX) connectivity, cross-chain data messaging capabilities, and more, has suffered a major attack that handed $600,000 worth of digital assets to the hacker.
According to a blog post by the LI.FI team, an attacker exploited a vulnerability in the swapping feature of the LI.FI smart contract at 2:51 AM UTC. The team says the hacker gained total control over its pre-bridge swap feature and used it to make smart contract calls, from the LI.FI contract's own context, that transferred tokens out of users’ wallets and into the attacker's; which tokens each user lost depended on which token contracts they had previously granted the LI.FI contract an infinite approval for.
LI.FI wrote:
“On March 20, 2022, an attacker exploited LI.FI’s smart contract, specifically our swapping feature which allows us to perform swaps before bridging. Instead of actually swapping, they were able to call token contracts directly in the context of our contract. As a result of the exploit, anyone who gave infinite approval to our contract was vulnerable.”
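To show the class of bug the post describes, here is an added example that is not LI.FI's contract (the contract names, function names and allow-list design are assumptions): a pre-bridge swap forwarder that executes a caller-supplied call, beside a hardened version that will only call DEX routers on an owner-managed allow-list.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative pattern only (assumed, not LI.FI's code). Users have approved
// this contract to spend their tokens, so any call it makes carries that
// spending power: a token's transferFrom sees msg.sender == this contract.
contract VulnerableSwapForwarder {
    // Caller picks both the call target and the calldata. Nothing stops the
    // target from being a token contract instead of a DEX, which is the
    // "call token contracts directly in the context of our contract" failure
    // the post describes.
    function swapThenBridge(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
        // ... bridging logic would follow ...
    }
}

// Hardened variant: the call target must be a DEX router on an owner-managed
// allow-list, so the approvals users granted this contract can only ever
// reach audited swap code. Token contracts are never put on that list.
contract HardenedSwapForwarder {
    address public immutable owner;
    mapping(address => bool) public approvedDex;

    event DexUpdated(address indexed dex, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    // Only the owner (ideally a multisig) can change which routers are callable.
    function setDex(address dex, bool allowed) external {
        require(msg.sender == owner, "not owner");
        approvedDex[dex] = allowed;
        emit DexUpdated(dex, allowed);
    }

    function swapThenBridge(address dex, bytes calldata data) external {
        require(approvedDex[dex], "target is not an approved DEX");
        (bool ok, ) = dex.call(data);
        require(ok, "swap failed");
        // ... bridging logic would follow ...
    }
}
```

Even with the allow-list in place, users limit their own exposure by approving only the amount a given swap needs rather than an infinite allowance.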
In just one transaction, the team says the attacker was able to steal varying amounts of USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), Aave (AAVE), Jarvis Network (JRT), and Dai (DAI).
After the successful exploit, the attacker swapped the tokens into ether (ETH), but had not yet laundered the stolen funds at the time of writing. LI.FI has contacted the hacker and is awaiting a response.
“LI.FI exploiter, we appreciate you pointing out the vulnerability in our contracts. We would like to discuss returning user funds and a potential bounty: [email protected],” wrote the team.
LI.FI Reimburses Users
Of the 29 wallets affected by the heist, Li Finance says it has reimbursed 25 (86 percent), for a total of $80k, and it is talking with the owners of the remaining four wallets (notional size ~$517k) about converting their lost funds into an angel investment in the project, to limit the damage to LI.FI’s treasury.
The LI.FI team says it has now located and fixed the vulnerability in its smart contracts, and regrets not taking the time to thoroughly audit the platform before going live.
“By not finishing an audit earlier, we neglected our duty to offer the highest security possible. Our mission is to maximize UX, and now we have painfully learned that our security measures must drastically improve to follow this ethos,” declared LI.FI.
In related news, on March 15, 2022, reports emerged that DeFi protocol Deus Finance had suffered a flash loan attack that enabled the hackers to steal over $3 million in crypto. And on March 18, crypto.news reported that Agave and Hundred Finance lost $11 million to hackers via a reentrancy bug exploit.