TLDR
- LI.FI protocol suffered a security breach on July 16, 2024, resulting in a loss of approximately $11.6 million.
- The hack affected 153 wallets across Ethereum and Arbitrum blockchains.
- The vulnerability was caused by human error during the deployment of a new smart contract facet.
- LI.FI is working with law enforcement and security firms to recover the stolen funds.
- The incident is part of a broader trend of increasing security breaches in decentralized finance (DeFi).
LI.FI, a popular cross-chain blockchain protocol, fell victim to a hack that resulted in the loss of approximately $11.6 million in various cryptocurrencies.
The breach affected 153 wallets connected to the protocol, primarily draining USDC, USDT, and DAI stablecoins, along with other digital assets.
The hack occurred shortly after LI.FI deployed a new smart contract facet. According to the incident report released by the LI.FI team, the root cause of the vulnerability was “an individual human error in overseeing the deployment process.”
This error allowed attackers to drain self-custodial user wallets that had granted the affected contract infinite token approvals.
Upon detecting the security breach, the LI.FI team quickly activated their incident response plan. They successfully disabled the vulnerable facet across all chains, which helped contain the threat and prevented any further unauthorized access.
The team has advised users to revoke approvals for the compromised contract addresses to enhance their security.
Post-mortem and next steps for @lifiprotocol partners and community: https://t.co/H4EEiLAHEc
— LI.FI (@lifiprotocol) July 18, 2024
The vulnerability arose from an oversight during the deployment of the new smart contract facet. Any caller could make the contract perform arbitrary calls to any target contract, with no validation of the destination or the function being called.
While the other facets of the LI.FI contract validated calls against a whitelist of approved contract addresses and functions, this critical check was missing from the new facet because of the human error.
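The two paragraphs above describe a well-known contract-design flaw: a forwarding function that lets any caller choose both the target and the calldata. The following Solidity is an added illustration written for this article; it is not LI.FI's code and makes no claim about the actual facet's layout. It places a hypothetical unchecked facet next to a hardened one that validates the (target address, function selector) pair against an allowlist before forwarding, which is the check the article says the other facets had and the new one lacked. Contract and function names, the plain storage mapping, and the `onlyOwner` pattern are assumptions made for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not LI.FI's code. A diamond facet normally keeps its storage in a
// namespaced slot and gates admin functions through the diamond's ownership logic;
// both are simplified here (assumption) so the validation step stays visible.

/// Vulnerable pattern (hypothetical). The contract forwards whatever calldata it is
/// given to whatever address it is given. Because users grant this contract ERC-20
/// allowances so it can move their tokens during a swap, the contract can be made to
/// call a token's transferFrom() against any user who still has an open allowance.
/// The blast radius is bounded only by those allowances, which is why revoking them
/// is the immediate user-side mitigation.
contract UncheckedCallFacet {
    function callAny(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data); // no check on target or selector
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened pattern. The forwarding call is only made if the (target, selector) pair
/// was explicitly allowlisted by the owner. Anything else reverts before any call.
contract AllowlistedCallFacet {
    // allowed[target][selector] == true means this pair may be called.
    mapping(address => mapping(bytes4 => bool)) public allowed;
    address public owner;

    event AllowlistUpdated(address indexed target, bytes4 indexed selector, bool isAllowed);
    error TargetNotAllowed(address target, bytes4 selector);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Operational caveat for whoever maintains the list: never allowlist
    /// IERC20.transferFrom (selector 0x23b872dd) on a token the contract holds
    /// allowances for, since that re-creates the same drain path through the list.
    function setAllowed(address target, bytes4 selector, bool isAllowed) external onlyOwner {
        allowed[target][selector] = isAllowed;
        emit AllowlistUpdated(target, selector, isAllowed);
    }

    function callAllowed(address target, bytes calldata data) external returns (bytes memory) {
        require(data.length >= 4, "calldata too short"); // a selector needs 4 bytes
        bytes4 selector = bytes4(data[:4]);                // first 4 bytes identify the function
        if (!allowed[target][selector]) {
            revert TargetNotAllowed(target, selector);     // reject before any external call
        }
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

The point the incident makes is that the allowlist check is easy to omit when a facet is copied or written fresh: nothing in `UncheckedCallFacet` looks wrong in isolation. A deployment-time review checklist (or an automated test) that flags any facet performing a low-level `.call` without a preceding allowlist check would catch this class of omission before the facet is added to the diamond.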
LI.FI is now prioritizing the recovery of the stolen assets. The team is collaborating with law enforcement authorities and industry security teams to trace and attempt to recover the funds.
Additionally, with support from major investors, LI.FI is exploring options to fully compensate affected users.
To prevent future incidents, LI.FI has implemented several additional security measures.
These include multiple audits, maintaining an auditing firm on retainer, backend infrastructure and API penetration testing, bug bounties, an incident response framework, and extensive security assessments of integrated third-party systems.
These steps align with the National Institute of Standards and Technology (NIST) guidelines.
This incident is part of a troubling trend of increasing security breaches in decentralized finance (DeFi). In the first half of 2024 alone, over $1 billion in digital assets were lost due to various security incidents, including phishing attacks and private key compromises.
Recent attacks in the crypto space include Dough Finance’s $1.8 million flash loan attack and Pike Finance’s losses due to a smart contract vulnerability.
The LI.FI hack serves as a reminder of the ongoing security challenges faced by the cryptocurrency industry. As protocols and platforms continue to evolve and expand, the need for rigorous security measures and careful deployment processes becomes increasingly critical.
The LI.FI team has committed to providing updates as they progress in enhancing the protocol’s security. They have also set up a form for affected wallet holders to get in touch directly, emphasizing their commitment to assisting users impacted by the breach.