TLDR
- LI.FI, a cross-chain blockchain protocol, suffered a $11.6 million hack affecting 153 wallets
- The exploit was caused by a vulnerability in a newly deployed smart contract facet
- The company attributed the breach to “human error” in overseeing the deployment process
- Assets stolen included USDC, USDT, and DAI stablecoins
- LI.FI is working with law enforcement and security firms to recover funds and plans to compensate affected users
LI.FI, a popular cross-chain blockchain protocol, lost approximately $11.6 million in cryptocurrencies. The incident, which affected 153 wallets across the Ethereum and Arbitrum networks, has been attributed to human error during a smart contract update process.
LI.FI, which allows users to trade across various blockchains, published an incident report on Thursday detailing the exploit.
According to the report, the vulnerability stemmed from a newly deployed smart contract facet that lacked proper validation checks. This oversight allowed attackers to make arbitrary calls to any contract, effectively bypassing security measures.
The company stated, “Upon detecting the security breach, our team immediately activated the incident response plan, successfully disabling the vulnerable facet across all chains. This action contained the threat and prevented any further unauthorized access.”
Post-mortem and next steps for @lifiprotocol partners and community: https://t.co/H4EEiLAHEc
— LI.FI (@lifiprotocol) July 18, 2024
The exploit primarily affected wallets that had set infinite token approvals, a practice that grants a protocol's contract an unlimited allowance to move a user's tokens so that repeated approvals are not required.
Assets drained in the attack included popular stablecoins such as USDC, USDT, and DAI. LI.FI emphasized that wallets using finite approvals, the default setting in its API, SDK, and widget, were not impacted by this vulnerability.
In their post-mortem report, LI.FI explained that the root cause of the exploit was “an individual human error in overseeing the deployment process.” The new smart contract facet lacked crucial validation steps that were present in other parts of the protocol. This oversight allowed malicious actors to exploit the vulnerability and access user funds.
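The missing validation described above, as an added Solidity illustration that is not LI.FI's code and does not reproduce its actual contracts; the contract names, the `execute` function and the owner-managed allowlist are assumptions, used to contrast an unchecked call-forwarding facet with a hardened one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not LI.FI's code. The router that users approve
// to spend their tokens exposes a facet that forwards calls to other contracts.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE: the facet forwards a caller-supplied target and calldata with no
// validation. Because the router is the approved spender in every user's token
// allowance, any caller can direct it to call a token contract on their behalf.
contract UnvalidatedFacet {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data); // arbitrary target, arbitrary selector
        require(ok, "call failed");
    }
}

// HARDENED: the target must be on an owner-managed allowlist, and the facet
// refuses to forward transferFrom, so the router's approvals cannot be
// redirected by an external caller.
contract ValidatedFacet {
    address public immutable owner;
    mapping(address => bool) public allowedTargets;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTargets[target] = allowed;
    }

    function execute(address target, bytes calldata data) external {
        require(allowedTargets[target], "target not allowed");
        require(data.length >= 4, "no selector");
        // Block the selector that would spend user allowances held by this router.
        require(bytes4(data[:4]) != IERC20.transferFrom.selector, "transferFrom blocked");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

In a diamond-style router, the same checks belong in a shared library so that every facet, including newly deployed ones, inherits them rather than relying on each deployment to re-implement them.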
The incident has raised concerns about the security practices in the decentralized finance (DeFi) sector. It follows a troubling trend of increasing security breaches in the space, with over $1 billion in digital assets lost due to various security incidents in the first half of 2024 alone.
In response to the breach, LI.FI has taken several immediate actions. They have advised users to revoke approvals for the compromised contract addresses and are collaborating with law enforcement authorities and web3 security firms to trace and potentially recover the stolen funds.
“If you are an affected wallet holder, please complete the following form so that we can get in touch with you directly. Your cooperation is greatly appreciated,” the team wrote in their report.
LI.FI has stated that its primary concern is assisting in the recovery of user funds. The company, with backing from its major investors, is exploring options to fully compensate affected users as soon as possible. This move aims to mitigate the impact on users and maintain trust in the protocol.
To prevent similar incidents in the future, LI.FI has outlined several additional security measures.
These include multiple audits, maintaining an auditing firm on retainer, backend infrastructure and API penetration testing, bug bounties, an incident response framework, and extensive security assessments of integrated third-party systems. These steps align with the National Institute of Standards and Technology (NIST) guidelines.