LiFi Protocol Releases Post-Mortem Report on Recent $11.6 Million Hack

Hassan Shittu

On July 16, 2024, the LiFi protocol experienced a severe security breach, resulting in the loss of approximately $11.6 million in cryptocurrencies. The incident occurred shortly after the deployment of a new smart contract facet. A vulnerability within this new facet allowed attackers to exploit user self-custodial wallets that had set infinite token approvals.

LiFi Protocol Report Notes the Depth of the Security Breach

Following the attack on July 16, the team released a post-mortem report detailing the breach process and method.

According to the report, the breach impacted 153 wallets across the Ethereum and Arbitrum blockchains, draining assets including USDC, USDT, and DAI.

Notably, the vulnerability did not affect finite approvals, which is the default setting within the LiFi API, SDK, and widget.

Upon detecting the breach, the LiFi team activated their incident response plan, swiftly disabling the vulnerable facet across all chains to contain the threat.

The team also advised users to revoke approvals for the compromised contract addresses, specifically:

  • 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
  • 0x341e94069f53234fE6DabeF707aD424830525715
  • 0xDE1E598b81620773454588B85D6b5D4eEC32573e
  • 0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68
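
For readers checking their own wallets, the sketch below is an added example (not from LiFi or the original article) that builds the `allowance(owner, spender)` query for each address above and classifies the reply as none, finite or infinite. The wallet address, the `eth_call` stand-in and its replies are constructed, and the 2**255 cut-off for "infinite" is an assumption.

```python
# Added example (not LiFi code): check a wallet's allowances to the listed spenders.
ALLOWANCE_SELECTOR = "dd62ed3e"      # ERC-20 allowance(address,address)
UNLIMITED_THRESHOLD = 2**255         # assumption: >= 2**255 counts as "infinite"
SPENDERS = [                         # addresses the article lists for revocation
    "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae",
    "0x341e94069f53234fE6DabeF707aD424830525715",
    "0xDE1E598b81620773454588B85D6b5D4eEC32573e",
    "0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68",
]

def abi_address(addr):
    """Encode a 20-byte hex address as a left-padded 32-byte ABI word."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return h.rjust(64, "0")

def allowance_calldata(owner, spender):
    """Calldata for an eth_call of allowance(owner, spender) on a token contract."""
    return "0x" + ALLOWANCE_SELECTOR + abi_address(owner) + abi_address(spender)

def classify(result_hex):
    """Map the uint256 returned by allowance() to none / finite / infinite."""
    h = result_hex.removeprefix("0x")
    if len(h) != 64:
        return "invalid"             # empty or wrong-sized reply: review by hand
    value = int(h, 16)
    if value == 0:
        return "none"
    return "infinite" if value >= UNLIMITED_THRESHOLD else "finite"

def audit(owner, eth_call):
    """Return {spender: status} for each listed spender whose allowance is not zero."""
    findings = {}
    for spender in SPENDERS:
        status = classify(eth_call(allowance_calldata(owner, spender)))
        if status != "none":
            findings[spender] = status
    return findings

# Constructed demo: fake_eth_call stands in for a JSON-RPC eth_call to one token.
OWNER = "0x" + "11" * 20             # constructed wallet address
FAKE_REPLIES = {
    allowance_calldata(OWNER, SPENDERS[0]): "0x" + "f" * 64,   # max uint256
    allowance_calldata(OWNER, SPENDERS[1]): "0x" + hex(5000)[2:].rjust(64, "0"),
}
def fake_eth_call(calldata):
    return FAKE_REPLIES.get(calldata, "0x" + "0" * 64)
print(audit(OWNER, fake_eth_call))
```

Any spender reported as "finite" or "infinite" still holds an approval that should be revoked; the same query has to be repeated for each token the wallet has used.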

The vulnerability arose due to an oversight during the deployment of the new smart contract facet. Callers to the contract were able to make arbitrary calls to any contract without validation. This capability, provided by the LibSwap library, facilitated making calls to multiple decentralized exchanges (DEXs), fee collectors, and other entities before bridging or sending funds to a user. While other facets of the LiFi contract included validation against a whitelist of approved contract addresses and functions, this critical step was missing in the new facet due to a human error.
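
To make the missing step concrete, here is an added Python model (not LiFi's contract code) of the allowlist check the paragraph describes: every forwarded call must name an approved contract and an approved function selector, otherwise the whole request is rejected. The `SwapStep` shape, the addresses and the allowlist contents are hypothetical.

```python
# Added example (not LiFi code): allowlist check applied to every swap step.
from dataclasses import dataclass

@dataclass(frozen=True)
class SwapStep:                      # hypothetical shape of one forwarded call
    call_to: str                     # contract the facet would call
    call_data: bytes                 # raw calldata forwarded to call_to

# Constructed allowlist entries (placeholder address, not a real deployment).
DEX_ROUTER = "0x" + "aa" * 20
SWAP_SELECTOR = bytes.fromhex("38ed1739")   # Uniswap V2 swapExactTokensForTokens
ALLOWED_CONTRACTS = {DEX_ROUTER}
ALLOWED_SELECTORS = {SWAP_SELECTOR}

def violations(steps):
    """Return (index, reason) for every step the allowlist does not cover."""
    found = []
    for i, step in enumerate(steps):
        if step.call_to.lower() not in ALLOWED_CONTRACTS:
            found.append((i, "target contract not allowlisted"))
        elif len(step.call_data) < 4:
            found.append((i, "calldata has no 4-byte selector"))
        elif step.call_data[:4] not in ALLOWED_SELECTORS:
            found.append((i, "function selector not allowlisted"))
    return found

def batch_allowed(steps):
    """Fail closed: one bad step, or an empty batch, rejects the whole request."""
    return bool(steps) and not violations(steps)

# Constructed requests: one ordinary swap, one with a step aimed at an unlisted contract.
UNLISTED = "0x" + "bb" * 20
GOOD = [SwapStep(DEX_ROUTER, SWAP_SELECTOR + b"\x00" * 160)]
BAD = [GOOD[0], SwapStep(UNLISTED, bytes.fromhex("deadbeef") + b"\x00" * 96)]

print(batch_allowed(GOOD), violations(BAD))
```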

Recovery Efforts and Broader Impact

LiFi is prioritizing the recovery of the stolen assets following the recent security breach.

The team is collaborating with law enforcement authorities and industry security teams to trace and attempt to recover the funds.

Additionally, with support from major investors, LiFi is exploring options to fully compensate affected users.

Wallet holders impacted by the breach are encouraged to complete the form provided in the announcement for direct communication with the LiFi team.

Furthermore, to enhance security, LiFi has implemented several additional measures, including multiple audits, maintaining an auditing firm on retainer, backend infrastructure and API penetration testing, bug bounties, an incident response framework, and extensive security assessments of integrated third-party systems.

These steps are aligned with the National Institute of Standards and Technology (NIST) guidelines.

The breach, attributed to human error, has prompted LiFi to reassess and improve its deployment review process to prevent future incidents.

According to the report, the LiFi team continues to work with security experts and will provide updates as they progress in enhancing the protocol’s security.

This incident is part of a troubling trend of increasing security breaches in decentralized finance (DeFi). Recent attacks include Dough Finance’s $1.8 million flash loan attack and Pike Finance’s significant losses due to a smart contract vulnerability.

Just today, July 18, a leading Indian crypto exchange, WazirX, was drained of $235 million in a series of suspicious transactions later linked to the well-known North Korean hackers, the Lazarus Group.

The Lazarus Group has been behind major attacks and breaches in the crypto industry. A recent $305M hack was traced to the group, and the UN also investigated a $3B attack linked to them earlier this year.

In the first half of 2024 alone, over $1 billion in digital assets were lost due to various security incidents, including phishing attacks and private key compromises.
