Users of the Li Finance (LiFi) protocol lost roughly $600,000, however some of them have been compensated when a hacker exploited a flaw in the project’s smart contract.

A smart contract vulnerability at the Li Finance swap aggregator resulted in the theft of about $600,000 from 29 users’ wallets.

On March 20, at 2:51 a.m. UTC, an exploit was discovered. From wallets that had provided “unlimited approval” to the Li Finance protocol, the attacker was able to extract variable quantities of 10 different tokens. USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT), and DAI were among the tokens that were stolen (DAI).

The team discovered the exploit 12 hours later, at 2:15 p.m. UTC, and immediately disabled all switching features on the platform to prevent any future losses.

On March 21, at 2:50 a.m. UTC, the team released a post mortem documenting the exploit’s occurrences. According to the team, the attacker exchanged the stolen tokens for a total of 205 Ether (ETH) worth around $600,000. The stolen ETH had yet to be moved from the attacker’s wallet at the time of writing.

The flaw has also been detected and addressed, according to Li Finance

25 of the 29 wallets that were targeted in this attack have had their losses repaid from treasury funds. Only $80,000, or 13% of the entire value, was stolen from those 25 wallets. The owners of the remaining four wallets, which collectively lost $517,000, have been approached and given a contract to reimburse them for their losses as angel investors in the protocol.

They would receive LiFi tokens in an amount equal to their losses from each wallet, on the same terms as regular angel investors. This would also assist to prevent the platform’s treasury from being harmed.

The hacker was also contacted and a bug bounty was promised in exchange for the money

The attack looks to have occurred at a bad time. “We’re literally a week away from our audit,” Li Finance CEO Philipp Zentner told Cointelegraph on March 21. “We have various companies auditing us.”

According to “Transmissions11,” a researcher with crypto investment firm Paradigm, even a comprehensive examination of the code may not have picked up this particular problem. In a March 21 tweet, he highlighted that the problem in Li Finance’s code is “subtle if you’re not in the appropriate mentality.”

This newest attack in the decentralized finance (DeFi) sector highlights how providing smart contracts endless approvals exposes a user’s funds to more risk. Users with infinite approvals can transfer currencies as many times as they like on a decentralized exchange (DEX) without having to approve any more transactions.

Join CoinCu Telegram to keep track of news: https://t.me/coincunews

Follow CoinCu Youtube Channel | Follow CoinCu Facebook page

Annie

CoinCu News

DeFi Hack

Hacker

Li Finance

LiFi

Author

Annie

Championing positive change through finance, I've dedicated over eight years to sustainability and environmental journalism. My passion lies in uncovering companies that make a real difference in the world and guiding investors towards them. My expertise lies in navigating the world of sustainable investing, analyzing ESG (Environmental, Social, and Governance) criteria, and exploring the exciting field of impact investing. "Invest in a better future," I often say. That's the driving force behind my work at Coincu – to empower readers with knowledge and insights to make investment decisions that create a positive impact.

Related Posts

• Binance Proof of Reserves Shows $120B in Assets Across 34 Tokens
• Crypto PAC Fairshake Is Now Seeing Several Candidates Lose
• Bitcoin Spot ETF Inflows Reach $255M As Ethereum Sees Outflow
• Ethereum Layer2 TVL Surges to $43.9B with Impressive 3.76% Growth
• Bitcoin Spot ETF Inflows Reach $796M On November 20
• Bitcoin Price Surges to $80,000 Amid Trump-Driven Optimism
• Ethereum Whale Sells 15,000 ETH Worth $39.38M on Kraken
• Trump’s Return Could Bring Crypto-Friendly SEC and Banking Committee

News

In The Most Recent DeFi Hack, The Li Finance Protocol Loses $600,000

Users of the Li Finance (LiFi) protocol lost roughly $600,000, however some of them have been compensated when a hacker exploited a flaw in the project’s smart contract.

A smart contract vulnerability at the Li Finance swap aggregator resulted in the theft of about $600,000 from 29 users’ wallets.

On March 20, at 2:51 a.m. UTC, an exploit was discovered. From wallets that had provided “unlimited approval” to the Li Finance protocol, the attacker was able to extract variable quantities of 10 different tokens. USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT), and DAI were among the tokens that were stolen (DAI).

TLDR:

• ~$600K have been stolen from 29 wallets
• User don’t have to do anything
• Bug has been fixed and is already deployedhttps://t.co/fqOxJxDrZs

— LI.FI (@lifiprotocol) March 21, 2022

The team discovered the exploit 12 hours later, at 2:15 p.m. UTC, and immediately disabled all switching features on the platform to prevent any future losses.

On March 21, at 2:50 a.m. UTC, the team released a post mortem documenting the exploit’s occurrences. According to the team, the attacker exchanged the stolen tokens for a total of 205 Ether (ETH) worth around $600,000. The stolen ETH had yet to be moved from the attacker’s wallet at the time of writing.

The flaw has also been detected and addressed, according to Li Finance

Today’s LiFi hack happed because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract. pic.twitter.com/NA3xW7ReUd

— Daniel Von Fange (@danielvf) March 20, 2022

25 of the 29 wallets that were targeted in this attack have had their losses repaid from treasury funds. Only $80,000, or 13% of the entire value, was stolen from those 25 wallets. The owners of the remaining four wallets, which collectively lost $517,000, have been approached and given a contract to reimburse them for their losses as angel investors in the protocol.

They would receive LiFi tokens in an amount equal to their losses from each wallet, on the same terms as regular angel investors. This would also assist to prevent the platform’s treasury from being harmed.

The hacker was also contacted and a bug bounty was promised in exchange for the money

The attack looks to have occurred at a bad time. “We’re literally a week away from our audit,” Li Finance CEO Philipp Zentner told Cointelegraph on March 21. “We have various companies auditing us.”

According to “Transmissions11,” a researcher with crypto investment firm Paradigm, even a comprehensive examination of the code may not have picked up this particular problem. In a March 21 tweet, he highlighted that the problem in Li Finance’s code is “subtle if you’re not in the appropriate mentality.”

This newest attack in the decentralized finance (DeFi) sector highlights how providing smart contracts endless approvals exposes a user’s funds to more risk. Users with infinite approvals can transfer currencies as many times as they like on a decentralized exchange (DEX) without having to approve any more transactions.

Join CoinCu Telegram to keep track of news: https://t.me/coincunews

Follow CoinCu Youtube Channel | Follow CoinCu Facebook page

Annie

CoinCu News

Other Posts

Related Posts

[tptn_list limit="8" title_length="0" heading="0" show_date="0" daily="1"]