
LI.FI protocol loses $10m in second hack due to same old bug

In this post:

  • LI.FI has been exploited for about $10 million in stablecoins.
  • The team said only users who set “infinite approvals” were affected.
  • Peckshield alleges that LI.FI was exploited in 2022 via the same bug.

Cross-chain trading protocol LI.FI has been hit by “a call injection attack,” security platform Beosin Alert reported on Tuesday. About $10 million in crypto assets, including 6.3M USDT, 3.2M USDC, and 169k DAI, has been stolen from the protocol.

LI.FI co-founder Philipp Zentner confirmed the incident on X (formerly Twitter), noting that only users who have manually set “infinite approvals” were affected. “Please do not interact with any LI.FI powered applications for now. We’re investigating a potential exploit,” Zentner wrote. 

LI.FI allegedly hacked via the same old bug

The vulnerability was traced to the “depositToGasZipERC20()” function of the LI.FI contract. According to Beosin’s analysis, the function can swap specified tokens for platform tokens and deposit them into the GasZip contract, but it fails to restrict the call data passed to the call it makes. That allows the attacker to withdraw assets from users who have granted approvals to the contract.
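The kind of restriction Beosin describes as missing can be modelled off-chain. The following is an added example, not LI.FI's code or its fix: the allowlist, the addresses and the function name `check_swap_call` are assumptions made for illustration, and the two calldata samples are constructed.

```python
# Added illustration: a model of a check on user-supplied swap call data.
# All addresses and the allowlist contents are constructed for this example.

TRANSFER_FROM = bytes.fromhex("23b872dd")  # ERC-20 transferFrom(address,address,uint256)
SWAP_EXACT = bytes.fromhex("38ed1739")     # Uniswap V2-style swapExactTokensForTokens

ROUTER = "0x" + "aa" * 20   # constructed: an approved DEX router
TOKEN = "0x" + "11" * 20    # constructed: an ERC-20 token contract
HOLDER = "0x" + "22" * 20   # constructed: a user who approved the protocol
CALLER = "0x" + "33" * 20   # constructed: whoever submits the swap

ALLOWED_TARGETS = {ROUTER}
ALLOWED_SELECTORS = {SWAP_EXACT}


def addr_word(addr: str) -> bytes:
    """ABI-encode an address as a left-padded 32-byte word."""
    return bytes(12) + bytes.fromhex(addr[2:])


def check_swap_call(call_to: str, call_data: bytes, caller: str):
    """Decide whether the contract should forward this call. Returns (ok, reason)."""
    if len(call_data) < 4:
        return False, "calldata shorter than a selector"
    selector = call_data[:4]
    # A transferFrom naming another account spends that account's approval.
    if selector == TRANSFER_FROM and len(call_data) >= 36:
        owner = "0x" + call_data[16:36].hex()
        if owner != caller.lower():
            return False, f"transferFrom would move funds of {owner}, not the caller"
    if call_to.lower() not in ALLOWED_TARGETS:
        return False, "call target is not an allowlisted DEX"
    if selector not in ALLOWED_SELECTORS:
        return False, "function selector is not allowlisted"
    return True, "ok"


# Constructed inputs: one ordinary swap, one call that names a token as the "DEX".
amount = (10**6).to_bytes(32, "big")
swap_data = SWAP_EXACT + amount + bytes(32 * 4)
pull_data = TRANSFER_FROM + addr_word(HOLDER) + addr_word(CALLER) + amount

if __name__ == "__main__":
    print(check_swap_call(ROUTER, swap_data, CALLER))
    print(check_swap_call(TOKEN, pull_data, CALLER))
```

The same decoding can be run over historical transactions to flag swap parameters whose embedded call is a `transferFrom` on behalf of an account other than the sender.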

Elsewhere, another security platform, Peckshield, reported that LI.FI was also exploited two years ago due to the same vulnerability. “While analyzing today’s LI.FI protocol hack, we noticed an earlier hack on the same protocol on March 20, 2022,” Peckshield posted on X. “The bug is basically the same.”

During the 2022 LI.FI protocol hack, about $600,000 in assets was drained from the protocol, with 29 wallets affected. The team said in a post-mortem report that the bug was fixed and that all the affected users were reimbursed.

At the time of writing, there are no discussions about reimbursing users affected by the latest hack. However, LI.FI posted that it is investigating the exploit and advised users not to interact with any LI.FI powered application in the meantime.

The incident today comes a little over a year after LI.FI raised $17.5 million in a Series A funding round to enable DeFi users to trade across different blockchains, venues, and bridges. It claims to have facilitated over $10 billion in total transfer volume.
