The cross-chain blockchain protocol LI.FI has been exploited, the team revealed on social media platform X. The team is investigating the potential hack, which appears to only affect users who have manually enabled certain features.
“Do not interact with LI.FI-based applications at this time,” the LI.FI team wrote. “We are investigating a potential exploit. Unless you have set up infinite permissions, you are not at risk.”
“(W)e urge all users to immediately revoke use of our selected website,” LI.FI wrote, adding, “Four additional security breaches have been confirmed.”
Security firm Decurity said the “root cause” appeared to be an “arbitrary call with user-controlled data” to a gas contract deployed five days ago to pay blockchain fees.
“The hacker created a special calldata with the transferFrom() call and passed it to depositToGasZipERC20 as swapData to steal the authorized tokens from the bridge,” Decurity researchers wrote on X.
This attack appears to be a version of a “call injection” exploit that allows an attacker to execute legitimate but unexpected transactions using parameters from the original code. This type of vulnerability has reportedly led to the theft of hundreds of millions of dollars' worth of cryptocurrency.
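The validation that blocks the pattern Decurity describes, modelled off-chain in Python as an added example (not LI.FI's or Decurity's code). The `SwapCall` shape, the allowlist and every address are constructed assumptions; the three selectors are the standard ERC-20 ones.

```python
from dataclasses import dataclass

# Standard ERC-20 selectors: first 4 bytes of keccak256(signature).
SENSITIVE = {
    bytes.fromhex("23b872dd"): "transferFrom(address,address,uint256)",
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
}
TRANSFER_FROM = bytes.fromhex("23b872dd")

@dataclass
class SwapCall:           # hypothetical shape of user-supplied swap data
    call_to: str          # contract the bridge would call
    call_data: bytes      # calldata the bridge would forward verbatim

def pad_addr(addr: str) -> bytes:
    """ABI-encode an address as a left-padded 32-byte word."""
    return bytes(12) + bytes.fromhex(addr[2:])

def check_swap_call(call: SwapCall, caller: str, allowed: set) -> list:
    """Return reasons to reject the call; an empty list means it passes."""
    reasons = []
    if call.call_to.lower() not in allowed:
        reasons.append("target not on allowlist")
    sel = call.call_data[:4]
    if sel in SENSITIVE:
        reasons.append("token-moving selector: " + SENSITIVE[sel])
    if sel == TRANSFER_FROM and len(call.call_data) >= 36:
        owner = "0x" + call.call_data[16:36].hex()   # first argument: `from`
        if owner != caller.lower():
            reasons.append("transferFrom pulls from third party " + owner)
    return reasons

# Constructed sample data: placeholder addresses, not real contracts.
ROUTER, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20
CALLER, APPROVER = "0x" + "aa" * 20, "0x" + "bb" * 20
ALLOWED = {ROUTER}
BENIGN = SwapCall(ROUTER, bytes.fromhex("12345678") + bytes(64))  # made-up selector
SUSPECT = SwapCall(TOKEN, TRANSFER_FROM + pad_addr(APPROVER) + pad_addr(CALLER)
                   + (10**18).to_bytes(32, "big"))

if __name__ == "__main__":
    for name, call in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, check_swap_call(call, CALLER, ALLOWED))
```

On-chain, the same three conditions would be enforced inside the contract before the external call is made; restricting targets to an allowlist is the primary control and the selector check is defence in depth.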
The depleted wallet reportedly controls over $4 million in ETH and nearly $200,000 in DAI stablecoin, according to DeFi World Data. However, that figure is likely an underestimate, as the USDT and USDC stablecoins also appear to be leaving the platform. Security firm Certik calculated the total loss at approximately $9 million.
Another security company, Peckshield, claims a similar attack was made on LI.FI in 2022.
About the Author
Daniel Kuhn is a senior journalist and editor at The Block, covering the cryptocurrency industry with a particular focus on technology. He previously served as an associate editor at CoinDesk, where he covered the opinions/articles section. He was first published in the trade publication Financial Planning. Before pursuing journalism, he studied philosophy as an undergraduate, English literature as a graduate student, and business and economic reporting at NYU’s professional program. You can connect with him on Twitter and Telegram @danielgkuhn, or find him on Urbit as ~dorrys-lonreb.