Bhushan is a FinTech enthusiast with a flair for understanding financial markets. His interest in economics and finance draws his attention to the emerging blockchain technology and cryptocurrency markets. He is continuously learning and keeps himself motivated by sharing the knowledge he acquires. In his free time he reads thriller novels and sometimes explores his culinary skills.
The hacker managed to exploit a smart contract on the LiFi protocol, stealing $600,000 worth of crypto from 29 user wallets.
Exploits in the DeFi space have become more frequent as the ecosystem expands. Users of DeFi protocol and swap aggregator Li Finance lost $600,000 after a hacker exploited a flaw in the project’s smart contract, stealing funds from 29 different user wallets.
The exploit took place on Sunday, March 20. According to reports, the hacker extracted funds from wallets that had given “infinite approval” to the Li Finance protocol. The stolen funds spanned 10 different crypto tokens, including USD Coin (USDC), Tether (USDT), Polygon (MATIC), Gnosis (GNO), Rocket Pool (RPL), AAVE (AAVE), Jarvis Reward Token (JRT), Metaverse Index (MVI), Audius (AUDIO), and DAI.
However, the team learned of the exploit only 12 hours later. It then quickly decided to shut down all the swapping functions on the platform to prevent additional losses. The official announcement notes:
“On March 20th, 2022, an attacker exploited LI.FI’s smart contract, specifically our swapping feature which allows us to perform swaps before bridging. Instead of actually swapping, they were able to call token contracts directly in the context of our contract. As a result of the exploit, anyone who gave infinite approval to our contract was vulnerable. As soon as the team had been notified of the exploit, we disabled all of the swap methods in our smart contract and started working on a fix to ensure they are safe to use and that something like this does not happen again”.
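Why only wallets with infinite approval were exposed can be seen in a toy ERC-20 allowance model. This is an added example, not LI.FI's contract code; the `Token`, `Router` and `max_loss` names, the account names, and the target-allowlist mitigation are assumptions made for illustration.

```python
# Added illustration: toy ERC-20 allowance ledger (all names hypothetical).
MAX_UINT256 = 2**256 - 1  # value wallets set for an "infinite" approval

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # ERC-20 rule: the caller spends the allowance the owner granted to it.
        allowed = self.allowance.get((owner, caller), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # many tokens never decrement an infinite approval
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Router:
    """Spender contract whose swap step forwards a caller-chosen call."""
    def __init__(self, name, allowed_targets=None):
        self.name = name
        self.allowed_targets = allowed_targets  # None = no target check (flawed)

    def swap(self, target, method, *args):
        if self.allowed_targets is not None and target not in self.allowed_targets:
            raise PermissionError("call target is not an approved DEX")
        return getattr(target, method)(self.name, *args)  # router is the caller

def max_loss(token, owner, spender):
    """Worst case a misbehaving spender can pull: min(allowance, balance)."""
    return min(token.allowance.get((owner, spender), 0), token.balances.get(owner, 0))

def demo():
    token = Token({"alice": 1000, "bob": 1000})
    token.approve("alice", "router", MAX_UINT256)  # infinite approval
    token.approve("bob", "router", 50)             # exact amount for one swap
    exposure = {u: max_loss(token, u, "router") for u in ("alice", "bob")}
    # Flawed router: the "swap" is really a call into the token contract.
    Router("router").swap(token, "transfer_from", "alice", "other", 1000)
    hardened = Router("router", allowed_targets=set())  # token contracts are not DEXes
    try:
        hardened.swap(token, "transfer_from", "bob", "other", 50)
        blocked = False
    except PermissionError:
        blocked = True
    return exposure, token.balances, blocked
```

`max_loss` is the figure to check per wallet and per token when reviewing approvals: an exact-amount approval caps it at the swap size, while an infinite approval exposes the full balance.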
Details of the Li Finance DeFi Protocol Hack
After further investigation, a few more details relating to the hack emerged. The attacker swapped the stolen tokens for a total of 205 ETH, valued at $600,000. However, as of writing this story, the stolen ETH has been moved from the attacker’s wallet.
LiFi has assured users that it has identified the bug and patched it. Of the 29 wallets that suffered the attack, 25 have been reimbursed for their losses from treasury funds. However, these 25 wallets accounted for only $80,000, or 13%, of the total value lost. The owners of the remaining four wallets lost a combined $517,000.
LiFi has contacted these four wallet holders and offered to compensate them by honoring their losses as angel investments in the protocol. Like other angel investors, they would receive LiFi tokens under the same terms. This will also help to avoid damage to the platform’s treasury.
LiFi has also offered the hacker a bug bounty for returning the funds. The concerning thing is that the hack happened just a week ahead of the LiFi protocol audit.