TLDR
- A security breach of the DeFi protocol Li.Fi allowed attackers to drain around $11 million in Ethereum and stablecoins.
- The victims had granted the protocol's contracts infinite token approvals, which left their funds exposed.
- Li.Fi reports that it has contained the exploit and says the platform is now secure.
- The breach appears to stem from a vulnerability in the Li.Fi bridge, pointing to a technical flaw in a recently added contract feature.
- Security issues are not new to Li.Fi; a similar flaw cost the protocol $600,000 in 2022.
On July 16, 2024, the cross-chain decentralized finance platform Li.Fi suffered a notable security breach that led to the unauthorized withdrawal of roughly $11 million in various digital assets from its ecosystem.
The stolen assets predominantly included Ethereum alongside stablecoins such as USDC, USDT, and DAI. CertiK, a blockchain security firm, initially estimated the loss at nearly $9 million; however, Li.Fi later confirmed to Decrypt that the amount was closer to $11 million.
🚨ALERT🚨 @lifiprotocol Our alert systems have flagged transactions that may indicate security issues with your account. It is advisable for users to cancel any permissions for the address: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae https://t.co/3LzbDK99Ed
Thus far, over $8 million has been extracted, predominantly in stablecoins, affecting numerous users.
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 16, 2024
Li.Fi, which routes trades across numerous blockchains and platforms, responded to the exploit quickly. On X, the platform formerly known as Twitter, the Li.Fi team said it was investigating the potential breach and advised users to refrain from using Li.Fi-connected applications until further updates were provided.
Li.Fi identified that the exploit specifically targeted users who had granted 'infinite approvals', a setting that gives a smart contract unrestricted rights to spend a user's token balance.
Earlier today, Li.Fi contained a smart contract exploit and has since deactivated the compromised elements of their system.
There seems to be no current threat to other users' accounts.
Only the accounts set with limitless approvals were compromised, representing a minor fraction of all users.
We are engaging…
— LI.FI (@lifiprotocol) July 16, 2024
Cybersecurity firm Decurity pointed to a likely cause: a vulnerability in the Li.Fi bridge, tied to a smart contract feature introduced just five days before the breach that enabled 'arbitrary calls with user-controlled data'.
https://t.co/k9LgVmliv7 bridge was exploited for 8M USD.
The cause appears to be linked to the functionality `depositToGasZipERC20()` within GasZipFacet, which was deployed just five days ago and permits 'arbitrary call with user-controlled data'.
One of hack txs: https://t.co/ILPFpZnJH8
— Decurity (@DecurityHQ) July 16, 2024
Li.Fi has neutralized the vulnerability and disabled the affected smart contract component, assuring users there is no longer any risk. It emphasized that only a limited number of users with infinite approvals were affected.
Following the breach, Li.Fi recommended that users promptly use its dedicated revoke website, which lists the specific addresses to revoke, and check scan.li.fi to verify their account status.
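Checking whether a wallet holds an infinite approval for the spender named in the alert, and building the approve(spender, 0) call that revokes it, as an added example in Python that is not code from the article, Li.Fi, or Cyvers; the owner address, token labels and RPC replies are constructed, and a real run would route eth_call through a JSON-RPC client:

```python
# Added example, not code from the article or from Li.Fi: an offline helper to
# audit ERC-20 approvals granted to a spender and build the revoking call.
# Selectors are the standard ERC-20 ones; the spender is the address the Cyvers
# alert told users to revoke; owner, token labels and RPC replies are constructed.
SPENDER = "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae"
ALLOWANCE_SELECTOR = "dd62ed3e"  # keccak256("allowance(address,address)")[:4]
APPROVE_SELECTOR = "095ea7b3"    # keccak256("approve(address,uint256)")[:4]

def _abi_address(addr):
    """ABI-encode an address as one 32-byte word (left-padded, lower-case hex)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h.rjust(64, "0")

def allowance_calldata(owner, spender=SPENDER):
    """Calldata for a read-only eth_call to token.allowance(owner, spender)."""
    return "0x" + ALLOWANCE_SELECTOR + _abi_address(owner) + _abi_address(spender)

def decode_allowance(result):
    """Decode the single uint256 word that allowance() returns."""
    h = result.removeprefix("0x")
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte ABI word")
    return int(h, 16)

def is_unlimited(allowance, total_supply=None):
    """'Infinite' approval: near uint256 max (what wallets set, possibly
    decremented by a few transfers), or more than the token's supply if known."""
    return allowance >= 2**255 or (total_supply is not None and allowance > total_supply)

def revoke_calldata(spender=SPENDER):
    """Calldata for token.approve(spender, 0), which revokes the allowance."""
    return "0x" + APPROVE_SELECTOR + _abi_address(spender) + "0" * 64

def find_unlimited(owner, tokens, eth_call, spender=SPENDER):
    """Map each token whose allowance to spender is unlimited to the calldata that
    revokes it; eth_call(token, data) performs the read call and returns hex."""
    flagged = {}
    for token in tokens:
        amount = decode_allowance(eth_call(token, allowance_calldata(owner, spender)))
        if is_unlimited(amount):
            flagged[token] = revoke_calldata(spender)
    return flagged

# Constructed stand-in for eth_call: USDC unlimited, DAI bounded at 1000 DAI (18 decimals).
SAMPLE_REPLIES = {"USDC": "0x" + "f" * 64,
                  "DAI": "0x" + (1000 * 10**18).to_bytes(32, "big").hex()}
def fake_eth_call(token, data):
    return SAMPLE_REPLIES[token]
```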
This incident continues a series of security challenges for Li.Fi, recalling a 2022 incident in which a flaw in its swapping feature led to $600,000 in cryptocurrency losses.
The Li.Fi breach adds to a growing list of crypto thefts in 2024. According to TRM Labs, a blockchain intelligence firm, hackers have already stolen more cryptocurrency in the first half of 2024 than during the same period in 2023.
The financial impact of such crypto heists reached a staggering $1.38 billion by June 24, 2024, almost matching the $1.7 billion stolen throughout 2023.
In the wake of the Li.Fi attack, the team has engaged with law enforcement and relevant industry partners to track the stolen assets. A comprehensive analysis of the incident will be provided soon.
Having established Blockonomi and Kooc Media, a UK-based digital media entity, the Editor-in-Chief supports the philosophies of open-source software and blockchain technology for a transparent digital world.