TLDR
- The LI.FI blockchain protocol faced a cyber incident resulting in a $11.6 million breach that impacted 153 wallets.
- A flaw in the recently updated smart contract facet enabled the exploit.
- The breach was blamed on an oversight during the smart contract deployment, which the company describes as a 'human error'.
- Among the stolen assets were major stablecoins USDC, USDT, and DAI.
- In response to the hack, LI.FI is actively working with legal authorities and cybersecurity experts to retrieve the funds and pledged to compensate the impacted users.
LI.FI, the well-known cross-chain blockchain protocol, faced an unfortunate incident, losing nearly $11.6 million worth of cryptocurrencies. The incident, which affected various wallets on the Ethereum and Arbitrum networks, was a consequence of human error during an update to a smart contract.
LI.FI, a service that facilitates trading across multiple blockchain networks, released an official report on Thursday detailing the exploit.
As per the report, the incident was due to a newly added smart contract facet that failed to include essential validation checks, giving attackers the opportunity to bypass security.
The company mentioned, 'Once we identified the breach, our team quickly enacted the response plan, which involved shutting down the compromised facet on all chains, thus halting further unauthorized access.'
Post-mortem and next steps for @lifiprotocol partners and community: https://t.co/H4EEiLAHEc
— LI.FI (@lifiprotocol) July 18, 2024
Wallets with unlimited token permissions were mainly affected by the breach, as this setting allows an approved contract to move users' funds without needing repeated confirmations.
The attack resulted in the loss of stablecoins like USDC, USDT, and DAI. However, wallets using limited approvals, the default in LI.FI's API, SDK, and widget, remained unaffected.
In their detailed analysis, LI.FI revealed that a 'single human error' in monitoring the deployment process was the root cause of the breach. This led to the deployment of a smart contract facet lacking the necessary validation, which attackers exploited to access user funds.
This incident has heightened worries regarding security practices in the DeFi arena, coinciding with a rising trend of similar breaches, with losses surpassing $1 billion in digital assets during the first half of 2024 alone.
To address the breach, LI.FI has promptly advised users to revoke authorizations for the compromised addresses and is collaborating with both law enforcement and cybersecurity firms to possibly recover the stolen digital assets.
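As an added illustration that is not part of LI.FI's report or code, the constructed model below mirrors ERC-20 allowance accounting to show why an unlimited approval exposes a wallet's entire balance to whatever contract holds it, why a limited approval caps the exposure at the approved amount, and how revoking the approval (setting it to zero, as LI.FI advised) removes the exposure. Token, wallet and spender names are made up for the example.

```python
# Constructed ERC-20 allowance model (not LI.FI's code). Amounts are integers.
MAX_UINT256 = 2**256 - 1  # the value wallets set for an "unlimited" approval


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        # Mirrors ERC-20 approve(): overwrites the allowance for that spender.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        # Mirrors ERC-20 transferFrom(): the spender moves the owner's tokens.
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:  # unlimited approvals are never decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Tokens a spender contract could move right now if it misbehaves."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def unlimited_approvals(token, owner):
    """Spenders that hold an unlimited approval from this owner: revoke these first."""
    return [s for (o, s), a in token.allowances.items() if o == owner and a == MAX_UINT256]


def revoke(token, owner, spender):
    token.approve(owner, spender, 0)  # same call users make through a revoke tool


def scenario():
    # Constructed state: two wallets, same balance, different approval styles.
    t = Token({"alice": 10_000, "bob": 10_000})
    t.approve("alice", "router", MAX_UINT256)  # unlimited approval
    t.approve("bob", "router", 100)            # limited approval for one swap
    before = {"alice": exposure(t, "alice", "router"), "bob": exposure(t, "bob", "router")}
    flagged = unlimited_approvals(t, "alice")
    revoke(t, "alice", "router")
    after = exposure(t, "alice", "router")
    return {"before": before, "flagged": flagged, "after_revoke": after}
```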
The team requested, 'Affected wallet holders, please fill out the provided form so we can contact you directly. Your support is crucial to us.'
LI.FI underscores recovery of user funds as its top priority. Supported by major investors, the organization is pursuing means to fully compensate affected users swiftly, aiming to lessen the incident's impact and uphold trust in their protocol.
Looking to prevent future occurrences, LI.FI has laid out a series of heightened security practices.
These involve conducting multiple audits, having an auditing firm available as needed, performing backend checks and vulnerability testing, implementing bug bounties, an incident response protocol, and thorough evaluation of third-party systems. All these steps align with recommendations from the National Institute of Standards and Technology (NIST).