A smart contract vulnerability in the Li Finance (LI.FI) swap aggregator resulted in the loss of around $600,000 from the wallets of 29 users. The incident occurred on March 20. The hacker was able to drain varying quantities of ten distinct tokens from wallets that had granted the Li Finance contract an "unlimited" (infinite) token approval. USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), Aave (AAVE), Jarvis Reward Token (JRT) and Dai (DAI) were among the stolen tokens.
• ~$600K has been stolen from 29 wallets
• Users don't have to do anything
• Bug has been fixed and is already deployed https://t.co/fqOxJxDrZs
— LI.FI – Any-2-Any Swaps (🦎,🦎) (@lifiprotocol) March 21, 2022
The team discovered the vulnerability about 12 hours after the exploit and shut down all swapping operations on the platform to prevent further losses. On March 21, the team published a postmortem describing how the exploit unfolded. According to the team, the hacker swapped the stolen tokens into a total of around 205 ether (ETH), worth over $600,000 at the time. The stolen ETH had not yet been moved out of the hacker's wallet. LiFi also told users that the fault had been found and fixed, so no action was required on their part.
Today's LiFi hack happened because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract. pic.twitter.com/NA3xW7ReUd
— Daniel Von Fange (@danielvf) March 20, 2022
25 of the 29 wallets targeted in this attack have been repaid for their losses from treasury funds. Those 25 wallets accounted for only about $80,000, or 13% of the total value lost. The owners of the other four wallets, which lost a total of about $517,000, have been contacted and offered compensation by treating their losses as an angel investment in the protocol.
They would receive LiFi tokens equal in value to the losses from each wallet, on the same terms as regular angel investors. This would also reduce the impact on the platform's treasury. The hacker was also contacted and offered a bug bounty in exchange for returning the funds.
The incident looks to have occurred at an unfortunate time. On March 21, Li Finance CEO Philipp Zentner stated that "we're literally a week away from our audit", adding, "we have many organisations assessing us".
According to "Transmissions11," a researcher at crypto investment firm Paradigm, even a thorough audit of the code might have missed this particular problem.
This is the latest attack in the decentralised finance (DeFi) sector to highlight how granting smart contracts unlimited token approvals exposes a user's funds to greater risk. An infinite approval lets a user swap at a decentralised exchange (DEX) any number of times without signing a fresh approval transaction, but it also means the approved contract can call transferFrom() for the user's entire balance at any time, with no further action from the user; if that contract can be made to forward arbitrary calls, as happened here, anyone can trigger that transfer. Approving only the amount needed for each swap, or revoking approvals that are no longer needed, limits the exposure.
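To make the mechanism described in the tweet above and the approval point concrete, the following is an added example of the bug class and one hardened alternative. It is not LI.FI's contract or audit code; the contract and function names are hypothetical, and only the ERC-20 calls (transferFrom, approve) are real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration of the bug class, not LI.FI's contract. Contract and
// function names are hypothetical; only the ERC-20 calls are real.
bytes4 constant SEL_TRANSFER_FROM = bytes4(keccak256("transferFrom(address,address,uint256)"));
bytes4 constant SEL_APPROVE = bytes4(keccak256("approve(address,uint256)"));

// VULNERABLE PATTERN: the caller chooses both the target and the calldata.
// The forwarded call has this contract as msg.sender, so any ERC-20 that a
// user has approved to this contract will honour a transferFrom() from that
// user's wallet.
contract VulnerableAggregator {
    function swap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
    }
}

// Calldata an attacker submits to VulnerableAggregator.swap() with `target`
// set to the token contract. With an infinite approval in place, `amount`
// can be the victim's whole balance. The victim signs nothing.
function drainCalldata(address victim, address attacker, uint256 amount)
    pure
    returns (bytes memory)
{
    return abi.encodeWithSelector(SEL_TRANSFER_FROM, victim, attacker, amount);
}

// HARDENED PATTERN: the call target is restricted to an allow-list of DEX
// routers, the input amount is always pulled from msg.sender, the router is
// approved for exactly that amount, and the allowance is reset to zero after
// the swap so nothing is left for a later call to spend.
contract HardenedAggregator {
    address public immutable owner;
    mapping(address => bool) public allowedRouter;

    constructor() {
        owner = msg.sender;
    }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouter[router] = allowed;
    }

    function swap(address router, address tokenIn, uint256 amountIn, bytes calldata data) external {
        require(allowedRouter[router], "router not allowed");
        // Funds come only from the caller; a caller can never name someone else's wallet.
        _safeCall(tokenIn, abi.encodeWithSelector(SEL_TRANSFER_FROM, msg.sender, address(this), amountIn));
        _safeCall(tokenIn, abi.encodeWithSelector(SEL_APPROVE, router, amountIn));
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");
        _safeCall(tokenIn, abi.encodeWithSelector(SEL_APPROVE, router, 0));
    }

    // Tokens such as USDT return no bool from approve/transferFrom; treat an
    // empty return as success and a returned false as failure.
    function _safeCall(address token, bytes memory data) private {
        (bool ok, bytes memory ret) = token.call(data);
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "token call failed");
    }
}
```

Two caveats a reviewer would raise. First, the hardened version still forwards caller-supplied calldata, so the allow-listed router has to be trusted, and the aggregator should never hold idle balances that a crafted router call could route elsewhere. Second, the contract-side fix does nothing for allowances users have already granted; on the user side the equivalent control is to approve only the amount each swap needs and to revoke allowances to contracts no longer in use.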