DeFi Protocol Li.Fi Hacked for Nearly $9 Million in Ethereum, Stablecoins - Decrypt

07/16/2024 16:35
On-chain activity suggests that nearly $9 million in Ethereum and stablecoins were swiped from cross-chain DeFi protocol Li.Fi.

Cross-chain DeFi protocol Li.Fi is suspected to have lost up to nearly $9 million in cryptocurrencies in an exploit, blockchain security firm CertiK said Tuesday. 

A wallet linked to the suspected hack on Tuesday held $8.7 million in digital assets, including nearly $6 million in Ethereum (ETH) along with various amounts of several stablecoins, according to CertiK. The exploit, which is still being investigated, appears to have targeted some Li.Fi users who manually adjusted the settings on their accounts, the protocol’s team said Tuesday in an X post. 

“We're investigating a potential exploit,” Li.Fi said Tuesday in the post. “If you did not set infinite approval, you are not at risk.”

It remains unclear whether the exploit continues to pose a risk to Li.Fi’s users. Li.Fi did not immediately respond to Decrypt’s request for comment on the matter. 

A smart contract exploit earlier today has been contained and the affected smart contract facet disabled.

There is currently no further risk to users.

The only wallets affected were set to infinite approvals, and represented only a very small number of users.

We are engaging…

— LI.FI (@lifiprotocol) July 16, 2024

The crypto wallet that is suspected of holding the stolen funds contains roughly $5.8 million in ether, in addition to USDC, USDT and DAI stablecoins, blockchain data shows.

In a Twitter (aka X) post on Tuesday, Li.Fi urged users to “immediately use our secluded revoke website,” noting that it had identified four additional security breaches.

Users should revoke permissions via revoke.cash, according to Li.Fi. Traders can visit scan.li.fi to check if their accounts have been compromised.
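
The check behind that revoke advice can be sketched in code. This is an added example, not code from Decrypt, Li.Fi or revoke.cash: it replays ERC-20 `Approval` logs (in the shape returned by `eth_getLogs`) and reports which owners still have an unlimited allowance to a given spender. All addresses and log entries are constructed, and the `2**255` "infinite" threshold is an assumption.

```python
# Added example: replay ERC-20 Approval logs to find unlimited allowances still in force.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # assumption: treat anything this large as "infinite"

def addr(topic):
    """Last 20 bytes of a 32-byte indexed topic, as a lowercase address."""
    return "0x" + topic[-40:].lower()

def unlimited_allowances(logs, spender):
    """Return sorted (owner, token) pairs whose latest allowance to spender is unlimited."""
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):  # later approvals overwrite earlier ones
        t = log["topics"]
        # ERC-721 reuses this event signature but indexes tokenId (4 topics): skip it.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if addr(t[2]) != spender.lower():
            continue
        latest[(addr(t[1]), log["address"].lower())] = int(log["data"], 16)
    return sorted(k for k, v in latest.items() if v >= UNLIMITED)

# --- constructed sample data; none of these are real addresses ---
def fake(byte):
    return "0x" + byte * 20

ROUTER, OTHER = fake("11"), fake("22")
ALICE, BOB, CAROL, TOKEN = fake("aa"), fake("bb"), fake("cc"), fake("01")
MAX = 2**256 - 1

def mk(block, idx, owner, spender, value, extra_topic=False):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    topics = [APPROVAL_TOPIC, pad(owner), pad(spender)]
    if extra_topic:
        topics.append("0x" + f"{value:064x}")
    return {"address": TOKEN, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": topics, "data": "0x" + f"{value:064x}"}

SAMPLE_LOGS = [
    mk(18, 0, BOB, ROUTER, 0),          # Bob revokes (listed out of order on purpose)
    mk(16, 0, ALICE, ROUTER, MAX),      # Alice: infinite approval, never revoked
    mk(17, 3, BOB, ROUTER, MAX),        # Bob: infinite approval, later revoked
    mk(17, 4, CAROL, ROUTER, 1000),     # Carol: exact-amount approval
    mk(19, 1, ALICE, OTHER, MAX),       # different spender, ignored
    mk(20, 2, CAROL, ROUTER, 7, True),  # ERC-721-style log, ignored
]

if __name__ == "__main__":
    print(unlimited_allowances(SAMPLE_LOGS, ROUTER))
```

Only Alice is reported for the constructed router address: Bob's later zero-value approval supersedes his infinite one, and Carol's exact-amount approval never crosses the threshold.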

A hacker likely exploited a vulnerability in the Li.Fi bridge, crypto security firm Decurity said Tuesday in a post on Twitter. 

"The root cause is a possibility of an arbitrary call with user controlled data via depositToGasZipERC20() in GasZipFacet which was deployed 5 days ago," Decurity wrote.

Li.Fi has suffered sizable losses due to security issues in recent years. In 2022, a bug in the protocol’s swapping feature resulted in losses of $600,000 in crypto, according to a post-mortem analysis of the attack by Li.Fi on Medium.

Edited by Andrew Hayward
