LI.FI Reveals Details of $11.6 Million Hack

The team behind the cross-chain protocol LI.FI has disclosed details of a hack that resulted in users losing $11.6 million in stablecoins USDC, USDT, and DAI.

Post-mortem and next steps for @lifiprotocol partners and community:https://t.co/H4EEiLAHEc pic.twitter.com/TZmx0VtLxo

— LI.FI (@lifiprotocol) July 18, 2024

According to the statement, the exploit occurred shortly after the deployment of a new aspect of the smart contract.

“The vulnerability arose because contract callers could make arbitrary calls without verification. This capability was provided by the LibSwap library, which facilitates interaction with multiple DEXs, payment aggregators, and other entities before connecting or sending funds,” the statement said.

Due to an “individual human error,” the contract lacked verification of approved addresses and whitelisted functions, the developers explained.

The attack occurred on the Ethereum and Arbitrum networks, affecting 153 wallets. Only users with permanent approval enabled, which is not the default setting in the API, SDK, and LI.FI widget, were impacted, the team emphasized.

“Our main priority is the recovery of users’ assets. We continue to engage with law enforcement and relevant third parties, including industry security experts, to trace and recover the stolen funds,” the developers stated.

The project is evaluating the possibility of providing full compensation to the affected users “as soon as possible.”

Earlier in July, the Indian cryptocurrency exchange WazirX lost $235 million in digital assets due to a hack. Experts at Elliptic concluded that North Korean hackers were behind the attack.