Li Finance’s swap aggregator has seen a smart contract exploit that resulted in the loss of around $600,000 from the wallets of 29 users.
The exploit took place on March 20 at 2:51 UTC. The attacker was able to extract varying amounts of 10 different tokens from wallets that had given “unlimited consent” to the Li Finance protocol. Among the stolen tokens were USD Coin (USDC), polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT) and DAI (DAI).
• ~$600,000 stolen from 29 wallets
• The user does not have to do anything
• Bug has been fixed and is already deployed https://t.co/fqOxJxDrZs
— LI.FI – Any-2-Any Swaps (@lifiprotocol) March 21, 2022
When the team learned of the exploit 12 hours later at 14:15 UTC, it shut down all swap functionality on the platform to prevent further losses.
By 2:50 UTC on March 21, the team had issued a post mortem detailing the events of the exploit. The team said the attacker exchanged the stolen tokens for a total of about 205 Ether (ETH), valued at around $600,000. At the time of writing, the stolen ETH had yet to be moved out of the attacker’s wallet. LiFi also assured users that the bug had been identified and patched.
Today’s LiFi hack happened because its internal swap() function called each address with the message the attacker passed. This allowed the attacker to steal the transferFrom() contract from the funds of anyone who approved the contract.
— Daniel Von Fange (@danielvf) March 20, 2022
Of the 29 wallets hit in this attack, 25 were reimbursed from treasury funds for their losses. Those 25 wallets accounted for just $80,000, or 13% of the total value lost. The owners of the remaining four wallets, who collectively lost $517,000, were contacted and offered a deal to compensate them by recognizing their losses as angel investments in the protocol.
They would receive LiFi tokens on the same terms as other angel investors in an amount equal to their losses from each wallet. This would also help mitigate the damage done to the platform’s checkout.
The hacker was also contacted and offered a bug bounty in exchange for returning the money.
The attack seems to have come at a bad time. Philipp Zentner, CEO of Li Finance, told Cointelegraph on March 21 that “we’re literally a week away from our review,” adding that “we have multiple companies reviewing us.”
However, according to researcher “Transmissions11” from crypto investment firm Paradigm, even a thorough examination of the code might not have uncovered this particular flaw. He explained in a March 21 tweet that the bug in Li Finance’s code is easy to miss and “subtle if you’re not in the right mindset.”
This latest hack in the decentralized finance (DeFi) sector shows how unlimited approvals of smart contracts put a user’s funds at greater risk. Unlimited approvals allow users to trade tokens on a decentralized exchange (DEX) an unlimited number of times without having to approve each further transaction.
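The pattern described in the tweet above (a swap function forwarding caller-supplied calldata to a caller-supplied address) and the unlimited-approval risk discussed here, shown side by side as an added illustration; this is not LiFi’s code, and the contract names, the allow-list and the selector check are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern (hypothetical): the router forwards arbitrary calldata to an
// arbitrary address. Every user who approved this contract to spend their tokens
// is exposed, because the forwarded call can be a token transferFrom() that the
// token contract accepts on the strength of that approval. With an unlimited
// approval, the user's whole balance is at risk rather than one swap's worth.
contract UnsafeAggregator {
    function swap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
    }
}

// Hardened pattern (hypothetical): only owner-registered DEX routers may be
// called, and as defence in depth the forwarded call may never carry the ERC20
// transferFrom selector. The allow-list is the primary control; the selector
// check only narrows what an allow-listed target can be asked to do.
contract SafeAggregator {
    address public immutable owner;
    mapping(address => bool) public allowedRouter;
    bytes4 private constant TRANSFER_FROM = IERC20.transferFrom.selector;

    constructor() { owner = msg.sender; }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouter[router] = allowed;
    }

    function swap(address target, bytes calldata data) external {
        require(allowedRouter[target], "target not allow-listed");
        require(data.length >= 4, "calldata too short");
        require(bytes4(data[:4]) != TRANSFER_FROM, "transferFrom not permitted");
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
    }
}
```

On the user side, the matching mitigation is to approve only the amount needed for a given swap instead of `type(uint256).max`, so a flaw like the one above can take at most that amount.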
https://cointelegraph.com/news/li-finance-protocol-loses-600-000-in-latest-defi-exploit Li Finance Protocol Loses $600,000 From Latest DeFi Exploit