In a recent setback for decentralized exchange (DEX) Lifinity, an arbitrage bot drained approximately $700,000 from Lifinity’s LFNTY-USDC pool on December 8.
The incident unfolded due to a bug associated with an Immediate-or-Cancel (IOC) order, resulting in an unexpected response that led to a loss of $699,090, as disclosed in the company’s Discord channel. The exploit involved the bot attempting an arbitrage trade through the route USDC > xLFNTY > LFNTY > USDC, aiming to capitalize on price discrepancies between different trading pairs.
Unexpected consequences of an immediate-or-cancel order
According to Durden, a key member of Lifinity, the exploit unfolded when the arbitrage bot initiated an Immediate-or-Cancel (IOC) market order on Serum v3, a specific order type requiring immediate execution at the prevailing market price if filled. The anomaly occurred when, instead of signaling an error for a failed trade, the system responded to 0 amount out. Subsequently, the pools processed both the 0 amount in and out, leading the program to update the last transaction price to 0. The unexpected behavior influenced the next starting price, presenting a vulnerability that the arbitrage bot capitalized on by exploiting the extremely low price offered by the pool. Consequently, the exploitation resulted in the drainage of funds from Lifinity’s LFNTY-USDC pool.
The intricacies of the bug reveal the delicate nature of smart contract-based decentralized exchanges, emphasizing the critical need for robust error-handling mechanisms to prevent unintended consequences. Lifinity’s experience underscores the importance of continuously monitoring and refining the code to identify and promptly address such vulnerabilities, safeguarding the integrity of decentralized finance platforms in an increasingly sophisticated landscape.
Lifinity v1 operates as an automated market maker (AMM), utilizing algorithms to generate liquidity in trading pairs. Durden highlighted that Lifinity relies on a constant product market maker (CPMM) model to maintain equilibrium between two token quantities in a liquidity pool. The model is shared by other decentralized exchanges like Uniswap and Bancor. Lifinity v1, while not supporting a standard constant product (CP) curve used in traditional CPMMs, replicates its function. However, the bug’s unexpected return of a 0 price enabled the arbitrage bot to exploit the discrepancy, resulting in the drainage of funds.
Response from Lifinity and efforts to recover funds
Following the incident, Lifinity’s team is actively working on reintroducing liquidity to the pool. The team is reviewing the protocol code and implementing measures to recover the lost funds. Notably, Lifinity has updated its system to reject trades resulting in 0 amounts, aiming to prevent similar exploits in the future. Despite the severity of the drain, community members on platforms like X (formerly Twitter) emphasized that the incident was not a result of a deliberate attack.
As Lifinity addresses the aftermath of the exploit, the incident underscores the challenges and vulnerabilities associated with automated market makers and decentralized exchanges. The vigilance required to identify and rectify such bugs becomes crucial as these platforms continue to play a pivotal role in the evolving landscape of decentralized finance. As Lifinity works towards recovery, the broader community observes how the incident may influence the ongoing development and security practices within decentralized exchanges.
Lifinity’s recent encounter with an arbitrage bot exploiting a bug in its protocol highlights the intricate challenges and potential pitfalls faced by decentralized exchanges. The incident underscores the critical importance of stringent error-handling mechanisms and continuous code scrutiny in maintaining the security and reliability of these platforms. As Lifinity diligently works to recover the drained funds and fortify its system against future exploits, the broader decentralized finance community remains vigilant, drawing valuable lessons from the episode to fortify the resilience of automated market makers and decentralized exchanges in an ever-evolving financial landscape.