The LI.FI protocol suffered a $600,000 loss in the latest DeFi exploit, with some of the funds being reimbursed, after an attacker exploited a bug in the project’s smart contract. Let’s read more in today’s latest altcoin news.
The LI.FI swap aggregator experienced a smart contract exploit which led to a loss of $600,000 from 29 users’ wallets. The exploit took place at 2:51 am UTC on March 20, and the attacker was able to extract varying amounts of 10 different tokens from wallets whose owners had given an infinite approval to the LI.FI protocol. Among the stolen tokens were Polygon, USD Coin, Rocket Pool, Gnosis, Tether, Audius, Metaverse Index, Jarvis Reward Token, and DAI.
• ~$600K have been stolen from 29 wallets
• Users don’t have to do anything
• Bug has been fixed and is already deployed https://t.co/fqOxJxDrZs
— LI.FI – Any-2-Any Swaps (@lifiprotocol) March 21, 2022
When the team learned about the exploit, it shut down the swapping functions in order to prevent further losses. The team issued a post mortem detailing the events of the exploit and noted that the attacker swapped the stolen tokens for 205 ETH valued at $600,000. At the time of writing, the stolen coins had yet to be moved from the attacker’s wallet, and LI.FI assured users that the bug has been identified and patched.
Of the 29 wallets hit, 25 have been reimbursed from treasury funds for their losses; together these 25 accounted for $80,000, or 13% of the total value lost. The owners of the wallets that lost $517,000 in total have been contacted and offered a deal to compensate them by honoring their losses as angel investors in the protocol. They will receive LI.FI tokens under the same terms as other investors, equal to their losses, which will mitigate the damage to the platform’s treasury. The hacker has been contacted and offered a bug bounty in exchange for returning the funds.
Today’s LiFi hack happened because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract.
— Daniel Von Fange (@danielvf) March 20, 2022
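To make the pattern described in the tweet above concrete, here is an added illustration (hypothetical code written for this article, not LI.FI’s contract): a minimal aggregator that forwards caller-supplied calldata to a caller-chosen address, beside a hardened variant that only calls allowlisted routers and only pulls the exact amount the caller is swapping. The contract names, the `allowedRouter` mapping and the `setRouter` function are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration for this article, not LI.FI's code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// VULNERABLE pattern: any target, any calldata. Every user who approved this
// contract to spend their tokens is exposed, because a forwarded call to a token
// contract runs with this aggregator as msg.sender, so its allowances apply.
contract VulnerableAggregator {
    function swap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
    }
}

// HARDENED pattern: the call target must be a pre-approved DEX router (never a
// token contract), and tokens are only pulled from msg.sender for the amount
// msg.sender asked to swap. The router allowance is granted per swap and reset
// afterwards, so the aggregator holds no standing approvals of its own.
contract HardenedAggregator {
    address public immutable owner;
    mapping(address => bool) public allowedRouter;

    constructor() { owner = msg.sender; }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouter[router] = allowed;
    }

    function swap(address router, address tokenIn, uint256 amountIn, bytes calldata data) external {
        require(allowedRouter[router], "router not allowlisted");
        // Only the caller's own tokens, only the amount they asked to swap.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");
        require(IERC20(tokenIn).approve(router, 0), "approve reset failed");
    }
}
```

On the user side the same lesson applies: approving only the amount needed for a swap, rather than an unlimited allowance, bounds what any bug in the approved contract can move.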
The attack seems to have come at an unfortunate time as the CEO Philipp Zenter said:
“We’re literally a week away from our audit,” adding that “we have multiple companies auditing us.”
However, even a thorough audit of the code might not have picked up the bug, according to a researcher at Paradigm, who explained that the error in LI.FI’s code was easy to miss and quite subtle if you are not in the right mindset. The latest hack in the DeFi space shows how giving infinite approvals to smart contracts exposes users’ funds to greater risk: an infinite approval lets a user swap coins on a DEX indefinitely without having to approve further transactions, but it also lets any bug in the approved contract move the full balance.