LI.FI Crypto Aggregator Suffers $12 Million Drain
This article comes to you with the generous support of Betplay.io. Discover the excitement and rewards that await you at Betplay.io with a 100% welcome bonus and 10% weekly cashback!
Li.Fi Protocol Suffers Significant Hack
Cross-chain DeFi protocol Li.Fi has been exploited, resulting in a substantial loss of cryptocurrency estimated at $12 million, affecting approximately 153 wallets. The breach primarily affected users who had set "infinite approvals" on their accounts.
The attack exploited a vulnerability in the depositToGasZipERC20() function of the Li.Fi bridge, allowing a hacker to withdraw approved tokens through a method known as "call injection." This flaw, introduced only five days before the attack, enabled the hacker to manipulate user-controlled data to execute unauthorized transactions, resulting in the theft of approximately $6 million in Ethereum (ETH) and various stablecoins including USDC, USDT, and DAI.
The Li.Fi team quickly responded on social media, urging users to avoid interacting with any Li.Fi-powered applications and to use a secluded revoke website to revoke permissions immediately. Security firm Decurity identified the root cause as an arbitrary call vulnerability in the depositToGasZipERC20() function.
The team discovered four additional security breaches following the initial exploit. Users were advised to use revoke.cash to check and revoke any compromised permissions. Blockchain security firms CertiK and Peckshield provided ongoing analysis and updates.
This incident echoes a similar exploit in 2022, where a bug in the swapping feature led to $600,000 in losses. Peckshield noted that the recent hack involved the same vulnerability as the previous one, emphasizing the manipulation of the depositToGasZipERC20() function.
The 2022 LI.FI protocol hack resulted in $600,000 stolen from 29 wallets. According to the team in a post-mortem report, the bug was fixed, and all affected users were reimbursed.
A wallet containing drained funds used to control over $5.8 million in ETH and substantial stablecoins, but then sent the funds out to different addresses until its balance dropped to zero. Li.Fi has assured users that the exploit is contained and funds are no longer at risk, while they continue their investigation and work on additional security measures to prevent future breaches.
In a report published Thursday, LI.FI attributed the exploit to "an individual human error in overseeing the deployment process" during a smart contract update. The team acknowledged that the error left the protocol vulnerable to malicious actors.
Despite the breach, LI.FI's team acted swiftly, activating an "incident response plan" to contain the threat. They successfully disabled the vulnerable facet across all chains, preventing further unauthorized access. The team is actively working with law enforcement and security firms to recover user funds.
Conclusion
The Li.Fi crypto aggregator hack highlights the ongoing security challenges in DeFi. With millions lost due to a vulnerability, it underscores the importance of robust security measures and regular audits. Users are reminded to remain vigilant, revoke unnecessary permissions, and stay informed about potential risks in the evolving crypto landscape.
FAQs
1: What caused the Li.Fi protocol hack?
The hack exploited a vulnerability in the depositToGasZipERC20() function. This flaw allowed the hacker to manipulate user-controlled data, executing unauthorized transactions. The vulnerability was introduced just five days before the attack.
2: How much cryptocurrency was stolen in the Li.Fi hack?
The estimated loss ranges from $9 million to $11 million. Approximately $6 million in Ethereum (ETH) and various stablecoins including USDC, USDT, and DAI were stolen. The hacker's wallet now controls over $5.8 million in ETH and substantial stablecoins.
3: What should Li.Fi users do to protect themselves?
Users should avoid interacting with Li.Fi-powered applications for now. They should use revoke.cash to check and revoke any compromised permissions immediately. Li.Fi has assured users that the exploit is contained and funds are no longer at risk.
4: Has Li.Fi experienced similar security issues before?
Yes, Li.Fi suffered a similar exploit in 2022. That incident involved a bug in the swapping feature, leading to $600,000 in losses. The recent hack involved the same vulnerability as the previous one, emphasizing the need for improved security measures.
This article has been refined and enhanced by ChatGPT.