- The Li.Fi protocol has released a post-mortem report detailing how it lost $11 million
- According to the protocol, malicious actors exploited a weakness in a new smart contract facet
- Li.Fi also disclosed it’s working on a plan to reimburse all affected users
The Li.Fi protocol has released a post-mortem report showing that malicious actors exploited a weakness in just-deployed smart contract code to siphon over $11 million from the platform. The weakness made it possible for hackers to steal funds from users who “had set infinite token approval for the Li.Fi contract.” Li.Fi has also announced that it’s working with major investors to devise a reimbursement scheme to make affected users whole again, which may help salvage its reputation in the web3 space.
Accessing DEXs Without Validation
According to the protocol, hackers stole roughly $11.6 million from 153 wallets, most of it in stablecoins such as DAI, USDT and USDC. Li.Fi clarified that the security incident didn’t affect users who had given the contract only a limited approval.
Post-mortem and next steps for @lifiprotocol partners and community: https://t.co/H4EEiLAHEc pic.twitter.com/TZmx0VtLxo
— LI.FI (@lifiprotocol) July 18, 2024
The protocol noted that the vulnerability in the code allowed the attacker to make the contract interact with entities like DEXs and fee collectors on different blockchains without any validation of the target or the call. This ran counter to the platform’s own rule that every smart contract interaction be validated before it is executed.
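The class of defect described above, as an added illustration that is not Li.Fi’s code (contract and function names are assumed): a contract that holds users’ token approvals forwards a caller-supplied call to any target unchecked, beside a hardened form that accepts only allowlisted target/function pairs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative pattern only, not Li.Fi's facet. An aggregation or bridging
// contract typically holds ERC-20 approvals from its users (sometimes
// "infinite" ones) and forwards calls to third-party DEXs and fee collectors.

// Anti-pattern: any target, any calldata. Because users have approved this
// contract to spend their tokens, every call it places carries the contract's
// own allowances, so caller-controlled "target" and "data" must never reach
// an external call without validation.
contract UnvalidatedForwarder {
    function forward(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Hardened form: the owner registers which (target, function selector)
// pairs are legitimate integrations, and forward() refuses anything else,
// so the contract cannot be turned into a generic call relay.
contract ValidatedForwarder {
    address public immutable owner;
    // target => function selector => permitted
    mapping(address => mapping(bytes4 => bool)) public allowed;

    constructor() {
        owner = msg.sender;
    }

    function setAllowed(address target, bytes4 selector, bool permitted) external {
        require(msg.sender == owner, "not owner");
        allowed[target][selector] = permitted;
    }

    function forward(address target, bytes calldata data) external {
        require(data.length >= 4, "missing selector");
        // Validate both the destination and the function being invoked.
        require(allowed[target][bytes4(data[:4])], "interaction not validated");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

On the user side, the same incident shows why granting a limited approval (the exact amount of a given transaction) rather than an unlimited one bounds the loss if such a contract is ever compromised.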
Li.Fi revealed that it’s working with law enforcement agencies and other “relevant third parties” to recover the stolen funds. The platform has, however, not disclosed whether it has contacted the attacker or whether there’s any hope of recovering the funds.
A Blockchain Code Auditor on a Monthly Retainer
The protocol has committed to conducting independent audits and putting an auditing firm on a monthly retainer to review code changes continuously. Other measures include offering a bug bounty and formulating an incident response framework.
Although Li.Fi said that it’s working to recover the funds, it’s unclear whether the funds for reimbursing users will come from the recovery or the protocol’s reserves.