Li Finance protocol loses $600,000 in latest DeFi exploit

Published at: March 21, 2022

The Li Finance swap aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users’ wallets.

The exploit took place at 2:51 am UTC on March 20. The attacker was able to extract varying amounts of 10 different tokens from wallets that had given “infinite approval” to the Li Finance protocol. Among the stolen tokens were USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT), and DAI (DAI).

TLDR:• ~$600K have been stolen from 29 wallets• User don’t have to do anything• Bug has been fixed and is already deployedhttps://t.co/fqOxJxDrZs

— LI.FI - Any-2-Any Swaps (,) (@lifiprotocol) March 21, 2022

When the team learned about the exploit 12 hours later at 2:15 pm UTC, it shut down all swapping functions on the platform in order to prevent any further losses.

By 2:50 am UTC on March 21, the team had issued a post mortem detailing the events of the exploit. The team said that the attacker swapped the stolen tokens for a total of about 205 Ether (ETH) valued at roughly $600,000. At the time of writing, the stolen ETH had yet to be moved from the attacker’s wallet. LiFi also assured users that the bug has been identified and patched.

Today’s LiFi hack happed because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract. pic.twitter.com/NA3xW7ReUd

— Daniel Von Fange (@danielvf) March 20, 2022

Of the 29 wallets that were hit in this attack, 25 have been reimbursed from treasury funds for their losses. Those 25 wallets only accounted for $80,000, or 13% of the total value lost. The owners of the remaining four wallets that lost a combined $517,000 have been contacted and offered a deal to compensate them by honoring their losses as angel investors in the protocol.

They would receive LiFi tokens under the same terms as other angel investors in an amount equal to their losses from each wallet. This would also help to mitigate the damage to the platform’s treasury.

The hacker was also contacted and offered a bug bounty to return the funds.

The attack appears to have come at an unfortunate time. Li Finance CEO Philipp Zentner told Cointelegraph on March 21 that “We’re literally a week away from our audit,” adding that “we have multiple companies auditing us.”

However, even a thorough audit of the code may not have picked up this particular bug, according to a researcher “Transmissions11” at crypto investment firm Paradigm. He explained in a March 21 tweet that the error in Li Finance’s code is easy to miss and “subtle if you’re not in the right mindset.”

Related: ‘Unlucky:’ Agave and Hundred Finance DeFi protocols exploited for $11M

This latest hack in the decentralized finance (DeFi) sector demonstrates how giving infinite approvals to smart contracts opens a user’s funds to a greater amount of risk. Infinite approvals allow users to swap coins at a decentralized exchange (DEX) an unlimited amount of times without needing to approve any more transactions.

Tags
Defi
Hacks
Dex
Security
Related Posts
ImmuneFi report $10B in DeFi hacks and losses across 2021
Decentralized finance, or DeFi, security platform and bug bounty service ImmuneFi published an official report on Thursday which calculated the total volume of losses in the cryptocurrency markets in 2021. According to its report, the company found that losses resulting from hacks, scams and other malicious activities exceeded $10.2 billion dollars over the past year. Responsible for protecting over $100 billion worth of assets for a number of well-established DeFi protocols, including Synthetix, Chainlink, SushiSwap and PancakeSwap, among others, ImmuneFi has regularly facilitating seven-figure pay-outs to whitehat hackers and other good-willed entities for preventing protocol compromises. According to the report, …
Decentralization / Jan. 7, 2022
Aurora pays $6M bug bounty to ethical security hacker through Immunefi
On Tuesday, Ethereum (ETH) bridging and scaling solution Aurora announced it had paid out a $6 million bounty to ethical security hacker pwning.eth, who discovered a critical vulnerability in the Aurora Engine. The exploit allegedly placed over $200 million worth of capital at risk. The sum was paid in collaboration with Immunefi, a leading platform for Web 3.0 bug bounties, with more than $145 million bounties available and over $45 million bounties paid out. On April 26, Immunefi received a report from pwning.eth about a critical flaw in the Aurora Engine that would have enabled the infinite minting of ETH …
Blockchain / June 7, 2022
Developers need to stop crypto hackers — or face regulation in 2023
Third-party data breaches have exploded. The problem? Companies, including cryptocurrency exchanges, don’t know how to protect against them. When exchanges sign new vendors, most just innately expect that their vendors employ the same level of scrutiny as they do. Others don’t consider it at all. In today’s age, it isn’t just a good practice to test for vulnerabilities down the supply chain — it is absolutely necessary. Many exchanges are backed by international financiers and those new to financial technologies. Many are even new to technology altogether, instead backed by venture capitalists looking to get their feet wet in a …
Bitcoin Regulation / Nov. 3, 2022
CoW Swap hacker milks over 550 BNB using 'solver' exploit
Decentralized exchange (DEX) protocol CoW Swap recently suffered an attack, losing at least 550 BNB (BNB) in a contract exploit that approved fund transfers from the protocol. Blockchain surveyor MevRefund flagged the event and detected that the funds seemed to be moving away from CoW Swap. The MEV searcher warned the DEX and its users of the exploit in a Twitter thread. @CoWSwap your funds appear to be moooving away ...https://t.co/li1NkXNeUp — MevRefund (@MevRefund) February 7, 2023 According to the Smart contract auditing firm BlockSec, a wallet address was added as a “solver” of CoW Swap by a multisig. Then, …
Defi / Feb. 7, 2023
Top 7 cybersecurity jobs in high demand
In today’s digital age, cybersecurity has become a critical aspect of almost every business. Cyber threats are increasing daily, and businesses must take proactive measures to protect their networks and data. As a result, the demand for cybersecurity professionals has skyrocketed. Little Friday humour #meme #cybersecurity @hackurityio pic.twitter.com/MArEpCh03k — Harold De Vries (@devries_harold) February 17, 2023 In this article, we will discuss the top seven cybersecurity jobs that are in high demand. Cybersecurity analyst A cybersecurity analyst is responsible for identifying and mitigating cyber threats to an organization’s network and data. They examine system logs and network traffic to find …
Technology / Feb. 26, 2023