The bridging platform and DEX aggregator LI Finance, or LI.FI, suffered a cyberattack that exploited a bug in its smart contract. The platform lost around $600k worth of tokens from users' accounts.
In Brief:
- The hacker gained control of the swap feature to call token contracts directly.
- Users who had given infinite approval to the smart contract became vulnerable.
- The protocol announced a bug bounty for the attacker in an effort to get back the stolen funds.
In the exploit, the hacker gained control of the swap feature, which allows a swap before bridging. This access enabled the hacker to call token contracts directly.
Users who had given 'infinite approval' to the LI.FI smart contract became vulnerable, as the perpetrator indirectly gained access to their wallets through the swap.
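A defensive check that follows from this, as an added example that is not part of the original article or LI.FI's code: given ERC-20 `Approval` event logs, it lists the wallets whose most recent approval to one spender contract is still unlimited. All addresses and log entries are constructed placeholders, and the log fields are assumed to follow the Ethereum JSON-RPC log layout with `blockNumber` and `logIndex` already parsed to integers.

```python
# Added example: which wallets still hold an unlimited ERC-20 approval to a spender?
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the value wallets set for an "infinite" approval

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_unlimited_approvals(logs, spender):
    """Return sorted (token, owner) pairs whose latest approval to spender is unlimited."""
    spender = spender.lower()
    latest = {}
    # Replay in chain order so a later revoke (value 0) overrides an earlier approval.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval carries 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)
    return sorted(key for key, value in latest.items() if value == MAX_UINT256)

# Constructed placeholder addresses (not real contracts or wallets).
SPENDER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN = "0x" + "a0" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c0" * 20

def make_log(owner, spender, value, block):
    """Build a constructed log; blockNumber/logIndex are assumed already parsed to int."""
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": block, "logIndex": 0}

SAMPLE_LOGS = [
    make_log(BOB, SPENDER, 0, 105),              # Bob revokes later
    make_log(ALICE, SPENDER, MAX_UINT256, 100),  # still open
    make_log(BOB, SPENDER, MAX_UINT256, 101),
    make_log(CAROL, SPENDER, 1000, 102),         # bounded approval
    make_log(ALICE, OTHER, MAX_UINT256, 103),    # different spender
]

if __name__ == "__main__":
    for token, owner in open_unlimited_approvals(SAMPLE_LOGS, SPENDER):
        print(f"{owner} has an unlimited approval on token {token}")
```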
The hacker stole numerous tokens, including USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI, which he afterwards swapped for over 205 ETH.
But before the hacker could carry out a larger theft, developers spotted the exploit and suspended every swap method to prevent further theft of tokens.
The team claimed that it has fixed the bug and ensured that “something like this does not happen again”.
The protocol took responsibility for the attack, as it had failed to complete an audit of its platform earlier and had neglected its duty “to offer the highest security possible”.
The protocol also tried to contact the hacker but got 'no response'. It even announced a bug bounty for the attacker while keeping his identity secret.
LI.FI has also instantly reimbursed 25 of the 29 affected wallets, for a total of $80k. For the remaining 4 wallets, the protocol offered an angel investment in LI.FI through future LI.FI tokens, under the same terms as its investors.
The four affected wallets not yet reimbursed have been contacted through Twitter and a mainnet transaction. However, the final decision rests with those users, who can choose whether to invest in the protocol or claim reimbursement.
As DeFi protocols are still in their infancy and lack security measures, attackers take advantage of loopholes. At the beginning of this year, the Binance Smart Chain-based DeFi protocol Qubit Finance also suffered an exploit that led to an $80 million loss of funds.