- Decentralized exchange Lifinity has lost close to $700,000 to an arbitrage bot on the platform’s USDC pool
- The loss emanated from a failed trade seeking to profit from the price gap between the exchange’s token and USDC
- The platform has clarified that the loss wasn’t due to a hack
Decentralized exchange Lifinity has refuted claims it was hacked, disclosing that the loss of nearly $700,000 was caused by an arbitrage bot. According to the platform, the bot’s user wanted to profit from the price gap between Lifinity’s token LFNTY and the USDC stablecoin. Although the attempt resulted in a bad trade, the exchange’s systems updated “the last transaction price to 0” instead of returning an error, providing another attack vector that malicious actors can use to steal funds from web3 platforms.
USDC Pool Offered an Extremely Low Price
Explaining the occurrence, a Lifinity team member only identified as Durden said that the bot placed an order that required it to either be filled immediately or be canceled.
Here’s how the events transpired in the @Lifinity_io Discord when the 700k arb happened
I noticed something wrong with LFNTY’s price and alerted zoro, one of the devs on the platform.
At first glance, it appeared that the protocol had gotten hacked pic.twitter.com/ebXfK9pDW3
— Shardo (@DrashoWho) December 8, 2023
The trade failed to meet the requirements needed to be filled, but instead of returning an error, the system triggered other actions that caused the USDC pool to offer “an extremely low price,” which led to the loss.
Durden added that the DEX uses automated algorithms like the ones used by Uniswap to manage liquidity in a pool. The exchange has disclosed that it’s committed to returning liquidity to the drained pool.
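The failure mode described above, an unfilled fill-or-cancel order whose result is written to the last transaction price as 0 instead of raising an error, can be modeled in a few lines. This is an added example, not Lifinity's code: the `Pool` class, the function names, and the assumption that the pool quotes directly from its last transaction price are all hypothetical simplifications.

```python
from dataclasses import dataclass
from decimal import Decimal

# Toy model (assumption): the pool quotes from its last transaction price.
class OrderNotFilled(Exception):
    """A fill-or-cancel order could not be filled and was canceled."""

@dataclass
class Pool:
    last_price: Decimal  # last transaction price, used as the quote reference
    liquidity: Decimal   # tokens available to sell

    def quote(self) -> Decimal:
        return self.last_price

def _match(pool: Pool, qty: Decimal, limit: Decimal) -> Decimal:
    """Return the fill price for a buy, or 0 when the order cannot be filled."""
    if qty <= pool.liquidity and limit >= pool.last_price:
        return pool.last_price
    return Decimal(0)

def ioc_buy_unsafe(pool: Pool, qty: Decimal, limit: Decimal) -> Decimal:
    """Flawed: the 'not filled' sentinel 0 is recorded as a real trade price."""
    price = _match(pool, qty, limit)
    pool.last_price = price  # state is written even though nothing traded
    if price > 0:
        pool.liquidity -= qty
    return price

def ioc_buy_safe(pool: Pool, qty: Decimal, limit: Decimal) -> Decimal:
    """Fail closed: cancel with an error and leave pool state untouched."""
    price = _match(pool, qty, limit)
    if price <= 0:
        raise OrderNotFilled("order canceled; pool state unchanged")
    pool.liquidity -= qty
    pool.last_price = price
    return price

def demo() -> tuple[Decimal, Decimal]:
    """Constructed sample: the same unfillable order against both handlers."""
    bad = Pool(Decimal("1.50"), Decimal(100))
    good = Pool(Decimal("1.50"), Decimal(100))
    ioc_buy_unsafe(bad, Decimal(500), Decimal("1.40"))
    try:
        ioc_buy_safe(good, Decimal(500), Decimal("1.40"))
    except OrderNotFilled:
        pass
    return bad.quote(), good.quote()
```

After the unfillable order, the flawed handler leaves the pool quoting 0 while the fail-closed handler still quotes 1.50.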
One of Many
Lifinity’s loss comes four months after malicious actors exploited a weakness in some versions of the Vyper programming language to steal over $70 million from multiple DeFi platforms. It also comes two weeks after the KyberSwap DEX lost nearly $50 million to a hacker who later demanded control of the entire Kyber company.
Lifinity didn’t reveal whether they’ll recover the refunds, and it’s unclear whether the bot’s actions were accidental or intentional.