PeckShield Alert reveals that LI.FI’s protocol vulnerability is similar to a March 2022 attack, with the same bug recurring.
The decentralized finance (DeFi) platform LI.FI protocol has suffered an exploit amounting to over $8 million.
Cyvers Alerts reported detecting suspicious transactions within the LI.FI cross-chain transaction aggregator.
LI.FI Issues Warning After $8 Million Exploit
LI.FI confirmed the breach in a statement on July 16 via X: “Please do not interact with any http://LI.FI powered applications for now! We’re investigating a potential exploit.” The team clarified that users who did not set infinite approval are not at risk, emphasizing that only those who manually set infinite approvals seem to be affected.
According to Cyvers Alerts, more than $8 million in user funds have been stolen, with the majority being stablecoins. According to on-chain data, the hacker’s wallet holds 1,715 Ether (ETH) valued at $5.8 million and USDC, USDT, and DAI stablecoins.
Cyvers Alerts advised users to revoke relevant authorizations immediately, noting that the attacker is actively converting USDC and USDT into ETH.
Crypto security firm Decurity provided insights into the exploit, stating that it involves the LI.FI bridge. “The root cause is a possibility of an arbitrary call with user-controlled data via depositToGasZipERC20() in GasZipFacet, which was deployed 5 days ago,” Decurity explained on X.
“In general, the risks behind routers, cross-chain swaps, etc. are about token approvals. Raw native assets like (unwrapped) ETH are safe from these kinds of hacks b/c they don’t have approvals as an option. Most users & wallets also no longer do “infinite approvals” which gives a smart contract total control on removing any amount of their tokens. It’s important to understand which tokens you’re approving to which contracts.
This dashboard looks for all transactions of a user that intersect Lifi. Not all of these transactions indicate risk, but you can see how, broadly, integrations & layers of tech (like how Metamask bridge uses Lifi on BSC) can complicate how users do or don’t put their assets at risk. Revoke Cash is the most well known approval manager app.
But it’s also good security practice to simply rotate your address. New addresses start with 0 approvals, so starting fresh by moving your tokens to a fresh address is another good security practice.” – commented Carlos Mercado, Data Scientist at Flipside Crypto.
Recent Exploit Mirrors March 2022 Attack
Further analysis by PeckShield Alert revealed that the vulnerability is similar to a previous attack on LI.FI’s protocol that occurred on March 20, 2022. That incident saw a bad actor exploit LI.FI’s smart contract, specifically the swapping feature, before bridging.
The attacker manipulated the system to call token contracts directly within their contract’s context, making users who had given infinite approval vulnerable. This exploit resulted in the theft of approximately 205 ETH from 29 wallets, affecting tokens such as USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI.
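As an added illustration (not LI.FI’s code), here is the arbitrary-call pattern that Decurity’s root-cause note and the 2022 description above both point to, next to a hardened form; the contract names, the allowlist and the selector check are assumptions made for this example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not LI.FI code. Contract names, the allowlist and the
// selector check are assumptions made for this example.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// The pattern the article describes: a facet that forwards user-controlled
// (target, calldata) from a contract holding user approvals. Any caller can make
// it call token.transferFrom(victim, recipient, amount); the token sees
// msg.sender == facet, to which victims granted an unlimited allowance.
contract ArbitraryCallFacet {
    function depositERC20(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Hardened form. Three independent controls:
//  1. the call target comes from a governance-managed allowlist, which must never
//     contain a token contract;
//  2. the only token movement is a bounded transferFrom of the caller's own funds;
//  3. defence in depth: forwarded calldata must not carry transferFrom's selector.
contract HardenedFacet {
    bytes4 private constant TRANSFER_FROM = IERC20.transferFrom.selector;
    mapping(address => bool) public allowedTarget;

    constructor(address target) {
        allowedTarget[target] = true;
    }

    function depositERC20(
        address target, address token, uint256 amount, bytes calldata data
    ) external {
        require(allowedTarget[target], "target not allowlisted");
        require(data.length >= 4 && bytes4(data[:4]) != TRANSFER_FROM, "forbidden selector");
        // Pull only msg.sender's tokens, and only the stated amount.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

The contract-side controls complement the user-side advice in the article: exact-amount allowances and revoking stale approvals limit what any single forwarding contract can move.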
“The bug is basically the same. Are we learning anything from the past lesson(s)?” PeckShield Alert said in a July 16 X post.
Following the 2022 incident, LI.FI disabled all swap methods in its smart contract and worked on developing a fix to prevent future vulnerabilities. However, the recurrence of a similar exploit raises concerns about the platform’s security measures and whether adequate steps were taken to address the vulnerabilities identified in the previous breach.
LI.FI is a liquidity aggregation protocol that allows users to trade across various blockchains, venues, and bridges.