Li Finance Protocol Loses $600,000 in Latest DeFi Exploit

The Li Finance swap aggregator has suffered a smart contract exploit that drained approximately $600,000 from the wallets of 29 users.

The exploit took place on March 20 at 2:51 am UTC. The attacker was able to extract varying amounts of 10 different tokens from wallets that had given “infinite approval” to the Li Finance protocol. Among the stolen tokens were USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT) and DAI (DAI).

When the team learned of the exploit roughly 12 hours later, at 14:15 UTC, it shut down all swap functions on the platform to prevent further losses.

At 2:50 a.m. UTC on March 21, the team published a post mortem detailing the exploit's events. The team said the attacker traded the stolen tokens for a total of about 205 Ether (ETH), worth about $600,000. At the time of writing, the stolen ETH had yet to be moved from the attacker's wallet. LiFi also assured users that the bug has been identified and patched.

Of the 29 wallets affected in this attack, 25 have been reimbursed for their losses from treasury funds. Those 25 wallets accounted for just $80,000, or 13% of the total lost value. The owners of the remaining four wallets, who lost a total of $517,000, have been contacted and offered a deal to compensate them by treating their losses as an angel investment in the protocol.

They would receive LiFi tokens on the same terms as other angel investors, in an amount equal to each wallet's losses. This would also limit the damage to the platform's treasury.

The hacker was also contacted and offered a bug bounty to return the money.
The attack seems to come at an unfortunate time. Philipp Zentner, CEO of Li Finance, told Coin-Crypto on March 21 that “we are literally a week away from our audit”, adding that “multiple companies are monitoring us”.

But even a thorough code review might not have caught this particular bug, according to the researcher known as "Transmissions11" at crypto investment firm Paradigm. He explained in a March 21 tweet that the flaw in Li Finance's code is easy to miss and is "subtle if you don't have the right mindset".
This latest hack in the decentralized finance (DeFi) industry shows how granting infinite approvals to smart contracts exposes a user's funds to greater risk. An infinite approval lets a user swap a token on a decentralized exchange (DEX) repeatedly without signing a new approval transaction each time, but it also lets the approved contract move any amount of that token out of the wallet, at any time, for as long as the approval stands. That standing permission, not the user's private key, is what the attacker abused here. Users can limit the exposure by approving only the amount needed for a given swap, or by revoking approvals to contracts they no longer use.
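The following is an added example, not code from Li Finance or from the article: a minimal Python model of the ERC-20 approve/transferFrom allowance mechanism, used to show concretely what "infinite approval" changes. The contract names, addresses and amounts are constructed for illustration. It assumes the common ERC-20 implementation behaviour of treating an allowance of 2**256-1 as unlimited (not decremented on use), so an infinite approval never shrinks and covers tokens received after it was granted, while an exact approval is consumed by the swap it was meant for and approving 0 revokes it.

```python
# Toy ERC-20 allowance model (added example; constructed names and amounts).
# Shows why approve(spender, 2**256 - 1) ("infinite approval") leaves the
# whole balance, including later deposits, reachable by the approved contract.

MAX_UINT256 = 2**256 - 1  # the value wallets submit for an "infinite" approval


class Token:
    """Minimal ERC-20 balance/allowance bookkeeping: approve and transferFrom."""

    def __init__(self, symbol):
        self.symbol = symbol
        self.balances = {}
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approving 0 revokes.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise PermissionError(f"{spender}: allowance {allowed} < {amount}")
        if amount > self.balance_of(owner):
            raise ValueError("insufficient balance")
        # Assumption: like common implementations (e.g. OpenZeppelin), an
        # allowance of MAX_UINT256 is treated as unlimited and never decremented.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balance_of(to) + amount


def exposure(token, owner, spender):
    """Tokens the spender could move out of owner's wallet right now."""
    return min(token.balance_of(owner), token.allowance(owner, spender))


def drain_scenario(approval, revoke_after_swap=False):
    """User approves `approval` to a router contract, swaps 100 tokens through
    it, then later receives 500 more. Afterwards an attacker finds a way to
    make the router issue transferFrom on the user's behalf (the article does
    not describe LiFi's actual bug; any such path has the same effect).
    Returns (tokens taken by the attacker, user's remaining balance)."""
    usdc = Token("USDC")
    user, router, attacker = "0xUser", "0xRouter", "0xAttacker"
    usdc.mint(user, 1_000)
    usdc.approve(user, router, approval)

    # Legitimate swap: the router pulls exactly 100 into itself.
    usdc.transfer_from(router, user, router, 100)
    if revoke_after_swap:
        usdc.approve(user, router, 0)  # hygiene: revoke the standing approval

    usdc.mint(user, 500)  # an unrelated deposit arrives later

    # The attacker can only take what the router is still allowed to move.
    take = exposure(usdc, user, router)
    if take:
        usdc.transfer_from(router, user, attacker, take)
    return take, usdc.balance_of(user)


if __name__ == "__main__":
    print("infinite approval  ->", drain_scenario(MAX_UINT256))        # (1400, 0)
    print("exact approval     ->", drain_scenario(100))                # (0, 1400)
    print("infinite + revoke  ->", drain_scenario(MAX_UINT256, True))  # (0, 1400)
```

With an infinite approval the attacker takes the full 1,400, including the 500 deposited after the approval was granted; with an exact approval the allowance is used up by the swap and nothing is left to take; revoking the approval (approving 0) after the swap removes the exposure entirely. The `exposure` helper is the number a user should check per token and per spender when reviewing the approvals their wallet has granted.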