DeFi protocol LI.FI succumbed to an exploit earlier today. The amount drained was initially estimated at $8 million, but more recent estimates put the loss at around $11 million.
On-chain data showed a series of suspicious outflow transactions from the protocol. DeFi security firm Decurity pointed out,
“The root cause is a possibility of an arbitrary call with user-controlled data via `depositToGasZipERC20()` in GasZipFacet, which was deployed 5 days ago!”
Specifically, the hacker “crafted special calldata with transferFrom() calls and passed it as swapData to depositToGasZipERC20 to steal approved tokens from the bridge,” Decurity added.
LI.FI is a protocol for swapping assets across blockchains and across bridges. The team said the smart contract exploit “has been contained” and that the affected smart contract facet has been disabled.
Via a post on X [formerly Twitter], they clarified,
“There is currently no further risk to users. The only wallets affected were set to infinite approvals, and represented only a very small number of users.”
Blockchain security and data analytics company PeckShield noted that it had observed an earlier hack following a similar blueprint on the same protocol on March 20, 2022. At that time, around $600k was stolen from 29 wallets.
In that incident, too, the swap feature was abused so that the attackers ended up calling token contracts directly in the context of the protocol’s contract. As a result, users who had given infinite approval to LI.FI’s contract were the ones victimized.
Drawing parallels between the earlier hack and the current one, the PeckShield team questioned,
“The bug is basically the same. Are we learning anything from the past lesson(s)?”
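The bug class described by Decurity for this incident, and by PeckShield for the 2022 one, is the same: a contract that holds users' token approvals forwards user-supplied calldata to a user-supplied address. The following is an added illustration written for this article, not LI.FI's own code; `VulnerableFacet`, `HardenedFacet`, `SwapData`, `depositWithSwap` and `allowedTarget` are hypothetical names chosen here, and the real GasZipFacet logic is not reproduced. It shows the vulnerable pattern, how an attacker encodes the `transferFrom()` call that drains an approved wallet, and one hardened version that only calls whitelisted targets and rejects token-moving selectors.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this article. Hypothetical contracts, not LI.FI's GasZipFacet.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// User-supplied "swap" description: where to call and what to send.
struct SwapData {
    address callTo;   // contract to call; attacker-controlled in the vulnerable version
    bytes callData;   // raw calldata forwarded verbatim
}

// VULNERABLE (hypothetical): forwards user-controlled calldata to a user-controlled
// address. This contract is the spender that users approved, so if `callTo` is a
// token contract and `callData` encodes transferFrom(victim, attacker, amount), the
// token sees msg.sender == approved spender and moves the victim's funds.
contract VulnerableFacet {
    function depositWithSwap(SwapData calldata swap) external {
        (bool ok, ) = swap.callTo.call(swap.callData);
        require(ok, "swap failed");
    }
}

// Attacker side: the "swapData" is nothing but an ERC-20 transferFrom call.
// Passing build(victim, attacker, amount) as callData with callTo = token address
// drains any wallet that still has an outstanding (e.g. infinite) approval.
contract AttackerCalldata {
    function build(address victim, address attacker, uint256 amount)
        external pure returns (bytes memory)
    {
        return abi.encodeWithSelector(IERC20.transferFrom.selector, victim, attacker, amount);
    }
}

// HARDENED (hypothetical): the call target must be on an owner-managed whitelist of
// DEX/router contracts, and as defence in depth the forwarded selector may never be
// transferFrom, so the facet cannot be turned into a generic spender of its approvals.
contract HardenedFacet {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    constructor() { owner = msg.sender; }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function depositWithSwap(SwapData calldata swap) external {
        require(allowedTarget[swap.callTo], "target not whitelisted");
        require(swap.callData.length >= 4, "calldata too short");
        bytes4 selector = bytes4(swap.callData[:4]);
        require(selector != IERC20.transferFrom.selector, "transferFrom not allowed");
        (bool ok, ) = swap.callTo.call(swap.callData);
        require(ok, "swap failed");
    }
}
```

The whitelist is the actual fix; the selector check only narrows the blast radius if a whitelisted target is itself compromised. On the user side, the check that matters is the one LI.FI's statement points at: approvals granted to a router should be sized to the transaction rather than set to `type(uint256).max`, because an approval outlives the swap it was granted for.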
LI.FI is currently in talks with the appropriate law enforcement authorities and third parties, including industry security teams, to trace and recover the stolen funds. A detailed post-mortem report is also to be released soon.