On July 16, 2024, the LiFi protocol encountered a major security breach, resulting in the loss of approximately $11.6 million in cryptocurrencies. The breach happened right after deploying a new smart contract facet.
The Scope of the Breach
Attackers exploited a vulnerability in the new smart contract facet to target self-custodial wallets with infinite token approvals. This flaw allowed hackers to siphon about $10 million from the LiFi protocol.
The LiFi team released a detailed post-mortem report on July 16. It described how the breach unfolded, affecting 153 wallets on the Ethereum and Arbitrum blockchains. Assets drained included USDC, USDT, and DAI.
Importantly, the breach did not affect wallets with finite approvals, which is the default setting for the LiFi API, SDK, and widget.
Immediate Response and Actions
After detecting the breach, the LiFi team quickly implemented their incident response plan. They disabled the vulnerable smart contract facet across all chains to contain the damage. Users were advised to revoke approvals for the compromised contract addresses:
- 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
- 0x341e94069f53234fE6DabeF707aD424830525715
- 0xDE1E598b81620773454588B85D6b5D4eEC32573e
- 0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68
Cause of the Vulnerability
The breach resulted from an oversight during the deployment of the new smart contract facet: the facet accepted arbitrary calls to any contract without validating the target. The new facet used the LibSwap library to forward calls to decentralized exchanges (DEXs), fee collectors, and other contracts, but did so without the validation step that should have gated those calls.
Although other facets of the LiFi contract included validation against a whitelist of approved addresses and functions, this crucial step was missed in the new facet due to human error.
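The pattern the post-mortem describes, a facet that pulls a user's approved tokens and then forwards a caller-supplied call, is shown below as an added, hypothetical example; it is not LiFi's code, and the names LibAllowList, SwapFacetExample and SwapData are invented for illustration. The unchecked function forwards any call to any target, which is exactly what lets a facet holding transferFrom rights over users' (often unlimited) approvals be turned against them; the checked function gates both the target address and the function selector against an owner-maintained allow-list before anything is moved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration of the defect class described above (not LiFi's code).
// Names, storage layout and admin model are assumptions made for this example.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

struct SwapData {
    address callTo;        // contract that will be called, e.g. a DEX router
    address sendingAsset;  // token pulled from the user for this swap
    uint256 fromAmount;    // amount pulled from the user
    bytes callData;        // ABI-encoded call forwarded to callTo
}

/// Diamond-style namespaced storage holding the allow-list of target contracts
/// and function selectors that a swap facet may forward calls to.
library LibAllowList {
    bytes32 internal constant NAMESPACE = keccak256("example.allowlist.storage");

    struct Storage {
        mapping(address => bool) contractAllowed;
        mapping(bytes4 => bool) selectorAllowed;
    }

    function s() internal pure returns (Storage storage st) {
        bytes32 slot = NAMESPACE;
        assembly { st.slot := slot }
    }
}

contract SwapFacetExample {
    error NotOwner();
    error ContractCallNotAllowed(address target);
    error SelectorNotAllowed(bytes4 selector);
    error CallFailed();

    // Simplified governance for the example; a real diamond reads the owner
    // from shared diamond storage rather than a per-facet field.
    address public immutable owner;

    constructor() { owner = msg.sender; }

    /// Governance adds DEX routers and their swap selectors here. Token contracts
    /// themselves must never be allow-listed, or the check is defeated.
    function setAllowed(address target, bytes4 selector, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        LibAllowList.s().contractAllowed[target] = allowed;
        LibAllowList.s().selectorAllowed[selector] = allowed;
    }

    /// VULNERABLE PATTERN: no validation of callTo or callData. Because this
    /// facet holds transferFrom rights over every token users have approved to it,
    /// forwarding an arbitrary call to an arbitrary contract exposes those approvals.
    function swapUnchecked(SwapData calldata d) external {
        IERC20(d.sendingAsset).transferFrom(msg.sender, address(this), d.fromAmount);
        (bool ok, ) = d.callTo.call(d.callData);
        if (!ok) revert CallFailed();
    }

    /// HARDENED PATTERN: validate the target and the selector before moving funds,
    /// grant only a per-swap allowance to the target, and clear it afterwards.
    function swapChecked(SwapData calldata d) external {
        if (!LibAllowList.s().contractAllowed[d.callTo]) revert ContractCallNotAllowed(d.callTo);
        if (d.callData.length < 4) revert SelectorNotAllowed(bytes4(0));
        bytes4 selector = bytes4(d.callData[:4]);
        if (!LibAllowList.s().selectorAllowed[selector]) revert SelectorNotAllowed(selector);

        IERC20(d.sendingAsset).transferFrom(msg.sender, address(this), d.fromAmount);
        IERC20(d.sendingAsset).approve(d.callTo, d.fromAmount);  // bounded, not unlimited
        (bool ok, ) = d.callTo.call(d.callData);
        if (!ok) revert CallFailed();
        IERC20(d.sendingAsset).approve(d.callTo, 0);             // leave no residual allowance
    }
}
```

Two practical notes on the hardened form: the selector check only helps if the allow-list is curated per target (a router's swap selector, not a token's transfer selector), and tokens such as USDT that do not return a bool from approve will revert through this plain IERC20 interface, so production code should route approvals through a SafeERC20-style wrapper. The check is also only as good as the deployment review that confirms every new facet actually calls it, which is the gap the post-mortem identifies.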
Recovery Efforts and Impact
LiFi is now focusing on recovering the stolen assets. The team is collaborating with law enforcement and industry security experts to trace and recover the funds. Major investors are helping LiFi explore options to fully compensate affected users.
Impacted wallet holders should complete the provided form for direct communication with the LiFi team about compensation:
To improve security, LiFi has implemented additional measures such as multiple audits, maintaining an auditing firm on retainer, backend infrastructure testing, bug bounties, and extensive security assessments of third-party systems. These actions align with the National Institute of Standards and Technology (NIST) guidelines.
The breach, caused by human error, has led LiFi to reassess and enhance its deployment review process to prevent future incidents. The team continues to work with security experts and will provide updates on their progress.
Industry-Wide Security Concerns
This breach highlights a troubling trend of increasing security breaches in decentralized finance (DeFi). Recent attacks include Dough Finance’s $1.8 million flash loan attack and Pike Finance’s significant losses from a smart contract vulnerability.
Additionally, on July 18, 2024, the Indian crypto exchange WazirX suffered a $235 million loss due to suspicious transactions linked to the North Korean hacking group Lazarus. This group is known for major attacks on the crypto industry, including a $305 million hack and a $3 billion attack earlier this year.
In the first half of 2024 alone, security incidents such as phishing attacks and private key compromises led to losses of over $1 billion in digital assets.
The post LiFi Protocol Releases Post-Mortem Report on Recent $11.6 Million Hack appeared first on Cryptonews.