Best crypto insights delivered straight to your inbox.
- LI.FI has been exploited for about $10 million in stablecoins.
- The team said only users who set “infinite approvals” were affected.
- Peckshield alleges that LI.FI was exploited in 2022 via the same bug.
Cross-chain trading protocol LI.FI has been hit by “a call injection attack,” security platform, Beosin Alert, reported on Tuesday. About $10 million in crypto assets, including 6.3M USDT, 3.2M USDC, and 169k DAI, have been stolen from the protocol.
Also read: Kraken reveals bug allowed rogue ‘security researchers’ to exploit $3M
LI.FI co-founder Philipp Zentner confirmed the incident on X (formerly Twitter), noting that only users who have manually set “infinite approvals” were affected. “Please do not interact with any LI.FI powered applications for now. We’re investigating a potential exploit,” Zentner wrote.
LI.FI allegedly hacked via the same old bug
The vulnerability was traced to the “depositToGasZipERC20()” function of LI.FI contract. According to Beosin’s analysis, the function can swap specified tokens for platform tokens and deposit them into the GasZip contract, but it fails to restrict the data for the call invocation, which allows the attacker to withdraw assets from users who have approvals to the contract.
Elsewhere, another security platform Peckshield reported that LI.FI was also exploited two years ago due to the same vulnerability. “While analyzing today’s LI.FI protocol hack, we noticed an earlier hack on the same protocol on March 20, 2022,” Peckshield posted on X. “The bug is basically the same.”
While analyzing today’s @lifiprotocol hack, we notice an earlier hack on the same protocol on March 20, 2022.
The bug is basically the same. https://t.co/YcuEe4efOT
Are we learning anything from the past lesson(s)? https://t.co/nV4IuX7T7j pic.twitter.com/aVB6FQ3MnT
— PeckShield Inc. (@peckshield) July 16, 2024
During the 2022 LI.FI protocol hack, about $600,000 in assets were stolen and drained from the protocol, with 29 wallets affected. The team said in a post-mortem report that the bug was fixed, and all the affected users were reimbursed.
Also read: 2024 sees nearly $1.4 billion in crypto thefts so far
So far, there are no discussions about reimbursing users affected by the latest hack, at least at the time of writing. However, LI.FI posted they are investigating the exploit and advised users not to interact with any LI.FI powered application in the meantime.
The incident today comes a little over a year after LI.FI raised $17.5 million in a Series A funding round to enable DeFi users to trade across different blockchains, venues, and bridges. It claims to have facilitated over $10 billion in total transfer volume.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Ibiam Wayas
Ibiam Wayas has covered the crypto news beat since 2019. He studied Computer Science at National Open University of Nigeria. His work has appeared on various crypto news platforms, including Coinfomania, Crypto News Australia, and AltcoinBuzz. Drawing on his background in Computer Science, he now focuses on crypto, robotics, and longevity news.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)