Abstract：The Li Finance DeFi swap aggregator was exploited for about $600,000 as users who gave infinite approvals for the DEX took the brunt of the damage. The team has reimbursed most users.
Brian Newar 6 minutes ago Li Finance protocol loses $600,000 in latest DEFI exploit
Li Finance (LiFi) protocol users suffered losses AMounting to around $600,000, some of tHEm have been reimbursed after a hacker exploited a bug in the projects smart contract.
The Li Finance SWAP aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users wallets.
The exploit took place at 2:51 am UTC on March 20. The attacker was able to extract varying amounts of 10 different tokens from wallets that had given “infinite approval” to the Li Finance protocol. Among the stolen tokens were USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), GNOsis (GNO), TETHer (USDT), Metaverse INDEX (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT), and DAI (DAI).
TLDR:n• ~$600K have been stolen from 29 walletsn• User dont have to do ANYthingn• Bug has been fixed and is already deployedhttps://t.co/fqOxJxDrZs
— LI.FI - Any-2-Any Swaps (,) (@lifiprotocol) March 21, 2022
When the team learned about the exploit 12 hours later at 2:15 pm UTC, it shut down all swapping functions on the platFORm in order to prevent any further losses.
By 2:50 am UTC on March 21, the team had issued a post mortem detailing the events of the exploit. The team said that the attacker swapped the stolen tokens for a total of about 205 Ether (ETH) VALUEd at roughly $600,000. At the TIME of writing, the stolen ETH had yet to be moved from the attackers wallet. LiFi also assured users that the bug has been identified and patched.
Todays LiFi hack happed because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract. pic.twitter.com/NA3xW7ReUd
— Daniel Von Fange (@danielvf) March 20, 2022
Of the 29 wallets that were hit in this attack, 25 have been reimbursed from treasury funds for their losses. Those 25 wallets only accounted for $80,000, or 13% of the total value lost. The owners of the remaining four wallets that lost a combined $517,000 have been contacted and offered a deal to compensate them by honoring their losses as angel investors in the protocol.
They would receive LiFi tokens under the same terms as other angel investors in an amount equal to their losses from each wallet. This would also help to mitigate the damage to the platforms treasury.
The hacker was also contacted and offered a bug bounty to return the funds.
The Li Finance team reached out to offer a bug bounty to a hacker.
The attack appears to have come at an unfortunate time. Li Finance CEO Philipp Zentner told Cointelegraph on March 21 that “Were literally a week away from our audit,” adding that “we have multiple companies auditing us.”
However, even a thorough audit of the code may not have picked up this particular bug, according to a researcher “Transmissions11” at crypto investment firm Paradigm. He explained in a March 21 tweet that the error in Li Finance‘s code is EASY to miss and “subtle if you’re not in the right mindset.”
Related: ‘Unlucky:’ Agave and Hundred Finance DeFi protocols exploited for $11M
This latest hack in the decentralized finance (DeFi) sector demonstrates how giving infinite approvals to smart contracts opens a users funds to a greater amount of risk. Infinite approvals allow users to swap coins at a decentralized exchange (DEX) an unlimited amount of times without needing to approve any more transactions.
WikiBit 2023-05-31 16:26
WikiBit 2023-06-02 12:19
WikiBit 2023-05-31 16:27
WikiBit 2023-05-31 11:58
WikiBit 2023-06-01 15:00
WikiBit 2023-06-02 14:30
WikiBit 2023-05-31 18:20
WikiBit 2023-06-01 14:59
WikiBit 2023-06-02 14:31
WikiBit 2023-06-02 14:31