On July 16, 2024, the cross-chain DeFi protocol Li.Fi faced a major security breach. Hackers exploited a vulnerability, stealing around $11 million worth of cryptocurrencies. The stolen assets included Ethereum (ETH) and various stablecoins such as USDC, USDT, and DAI.
Details of the Hack
The initial report by blockchain security firm CertiK estimated the loss at nearly $9 million. However, Li.Fi later confirmed the total stolen amount was closer to $11 million. Li.Fi enables users to trade across different blockchains, venues, and bridges.
Immediate Response
Li.Fi quickly responded to the incident. They announced on social media platform X (formerly Twitter) that they were investigating a potential exploit. They also urged users to avoid interacting with any Li.Fi-powered applications until further notice.
Cause of the Exploit
The exploit targeted users who had adjusted their account settings to allow “infinite approvals.” This setting gives a smart contract unlimited access to a user’s funds, which becomes risky if the contract is compromised.
Decurity, a crypto security firm, suggested that the exploit’s root cause was likely a vulnerability in the Li.Fi bridge. A specific function in a smart contract, deployed just five days before the attack, allowed for “arbitrary call with user-controlled data.”
Containment and Advice
Since then, Li.Fi has stopped the exploit and turned off the impacted smart contract facet. They assured users that there is no further risk and emphasized that only a small number of users with infinite approvals were affected.
Li.Fi published a list of specific addresses to revoke, along with instructions for using their “secluded revoke website” right away. They recommended users visit scan.li.fi to check if their accounts were compromised.
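The approval check and revocation described above can be sketched as follows. This is an added example, not Li.Fi's tooling or code from any of the firms quoted: it replays ERC-20 Approval event logs to find owners whose approval to a given spender contract is still unlimited, and builds the approve(spender, 0) calldata that revokes it. All addresses and log entries are constructed placeholders, the function names are hypothetical, and the 2**255 threshold is an assumption.

```python
# Added example: all addresses and log entries below are constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"      # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED_THRESHOLD = 2**255       # assumption: treat >= 2**255 as effectively unlimited

def pad32(addr):
    """ABI-encode an address as a 32-byte hex word (no 0x prefix)."""
    return addr[2:].lower().rjust(64, "0")

def word_to_address(word):
    """Recover the 20-byte address from a 32-byte indexed topic."""
    return "0x" + word[-40:].lower()

def latest_allowances(logs):
    """Replay Approval logs in block order; the last value per (token, owner, spender) wins.
    Log replay is a triage step: the token's on-chain allowance() call is authoritative."""
    state = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue               # ERC-721 Approval shares topic0 but has 4 topics
        key = (log["address"].lower(), word_to_address(topics[1]), word_to_address(topics[2]))
        state[key] = int(log["data"], 16)
    return state

def unlimited_approvals(logs, spender):
    """(token, owner) pairs whose current approval to `spender` is effectively unlimited."""
    return sorted((token, owner) for (token, owner, sp), value in latest_allowances(logs).items()
                  if sp == spender.lower() and value >= UNLIMITED_THRESHOLD)

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), sent by the owner to the token contract."""
    return "0x" + APPROVE_SELECTOR + pad32(spender) + "0" * 64

def make_log(token, owner, spender, value):
    """Build a constructed Approval log in the shape returned by eth_getLogs."""
    return {"address": token, "data": "0x" + format(value, "064x"),
            "topics": [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)]}

SPENDER, OTHER, TOKEN = "0x" + "11" * 20, "0x" + "33" * 20, "0x" + "22" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c4" * 20
MAX = 2**256 - 1
SAMPLE_LOGS = [
    make_log(TOKEN, ALICE, SPENDER, MAX),    # unlimited and never revoked
    make_log(TOKEN, BOB, SPENDER, MAX),      # unlimited, revoked by the last entry
    make_log(TOKEN, CAROL, SPENDER, 1000),   # bounded approval
    make_log(TOKEN, ALICE, OTHER, MAX),      # unlimited, but to a different spender
    make_log(TOKEN, BOB, SPENDER, 0),        # Bob's later revocation
]

if __name__ == "__main__":
    for token, owner in unlimited_approvals(SAMPLE_LOGS, SPENDER):
        print(owner, "should send to", token, ":", revoke_calldata(SPENDER))
```

Only the owner's own transaction to the token contract can reset the approval, which is why affected users had to revoke individually.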
History of Security Issues
This isn’t the first time Li.Fi has faced security issues. A flaw in the protocol’s switching function cost $600,000 in bitcoin losses in 2022. These recurring incidents highlight the ongoing security challenges faced by DeFi protocols.
Growing Crypto Thefts
The Li.Fi hack adds to a growing list of crypto thefts in 2024. In comparison to the same period in 2023, hackers stole more than twice as much cryptocurrency in the first half of 2024, according to a report by blockchain intelligence firm TRM Labs.
| Period | Total stolen ($ billions) |
|---|---|
| 2023 | 1.7 |
| First half of 2024 | 1.38 |
Engagement with Authorities
Li.Fi’s team stated they are working with law enforcement and relevant third parties, including industry security teams, to trace the stolen funds. They promised to issue a detailed post-mortem analysis of the incident as soon as possible.
This hack shows the need for robust security measures in DeFi protocols. Users must stay vigilant and follow safety advice to protect their assets.
FAQ
DeFi stands for decentralized finance, offering open and accessible financial systems built on blockchain technology.
Yield farming involves earning interest by lending or staking cryptocurrencies.
Layer 1 blockchains are the primary networks (e.g., Ethereum), while layer 2 blockchains scale and improve performance on top of them.