As a seasoned crypto investor with several years of experience, I can’t help but feel disappointment and frustration at the latest exploit on the LI.FI protocol. With over $8 million in user funds stolen through a vulnerability similar to one that was identified and supposedly addressed back in March 2022, it is disheartening to see history repeat itself.

Over $8 million worth of assets have been taken illicitly from the decentralized finance (DeFi) platform LI.FI protocol.

Cyvers Alerts flagged suspicious transactions involving the LI.FI cross-chain transaction aggregator.

LI.FI Issues Warning After $8 Million Exploit

“On July 16, LI.FI acknowledged a suspected vulnerability in their system via X and urged users not to engage with any applications powered by LI.FI for the time being. It was clarified that this issue only affects those who manually set infinite approvals, meaning users who did not take this action are not at risk.”

Please do not interact with any LI.FI powered applications for now!

We’re investigating a potential exploit. If you did not set infinite approval, you are not at risk.

Only users that have manually set infinite approvals seem to be affected.

Revoke all…

— LI.FI (@lifiprotocol) July 16, 2024

Based on Cyvers Alerts’ report, over $8 million in user funds have been pilfered, a significant portion of it in stablecoins. On-chain data shows the thief’s wallet holding approximately 1,715 Ether (ETH), worth around $5.8 million, along with USDC, USDT, and DAI stablecoins.

ALERT @lifiprotocol, Our system has raised suspicious transactions involving your

We recommend users to revoke their approvals for: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae

More than $8M have been drained so far from users and mostly stablecoins!…

— Cyvers Alerts (@CyversAlerts) July 16, 2024

As a responsible crypto investor, I would heed Cyvers Alerts’ warning and promptly revoke any approvals granted to the flagged contract. The attacker is currently swapping the stolen USDC and USDT for ETH, and revoking outstanding approvals limits any further exposure.

Decurity, a firm specializing in crypto security, traced the exploit to the LI.FI bridge and attributed it to a vulnerability in the “depositToGasZipERC20” function of the GasZipFacet, a component that had been deployed only five days earlier.

In simpler terms, the risk in routers and cross-chain swaps lies mainly in token approvals. Native, unwrapped assets such as ETH have no approve mechanism: they can only leave a wallet through a transaction the owner signs, so they are not exposed to this class of attack. An infinite approval lets a contract transfer any quantity of that token out of your wallet at any time; users and wallets have been moving away from the practice, but any infinite approval you have already granted stays in force until you revoke it. It is therefore crucial to know which tokens you have approved, to which contracts, and for how much.

The dashboard referenced alongside this advice is designed to surface transactions involving LI.FI for all users. Not every one of those transactions is risky, but integrations and layered tooling, such as MetaMask bridging that routes through LI.FI on Binance Smart Chain (BSC), make it harder to know which contracts hold approvals over your assets and can put users at risk without their realising it.

Another security measure, suggested by Carlos Mercado, Data Scientist at Flipside Crypto, is to periodically move to a freshly generated address. A new address carries no outstanding approvals, so tokens transferred to it cannot be pulled by any contract, compromised or otherwise, that you approved from the old one.

Recent Exploit Mirrors March 2022 Attack

PeckShield’s deeper examination found that the vulnerability resembles an earlier attack on LI.FI’s protocol on March 20, 2022. In that incident, the attacker exploited LI.FI’s smart contract, targeting its swapping functionality, and then bridged the stolen assets to another blockchain.

The attacker found a way to make the system call token contracts directly, so the approvals users had granted to LI.FI’s contract could be used to pull their funds; anyone who had set an unlimited approval was exposed. Around 205 Ether was stolen from 29 wallets, across tokens including USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI.
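To make the approval risk discussed above and the 2022 mechanism just described concrete, here is a simplified Python model added for this article. It is not LI.FI’s code and does not reproduce the GasZipFacet or the 2022 swap bug; it shows the general pattern: a token with ERC-20 allowance semantics, a router that forwards caller-supplied call targets and calldata with itself as msg.sender, and a hardened router that only forwards to an allow-list of contract/selector pairs. The two ERC-20 function selectors are real; all addresses, balances, the router classes and the DEX selector are made up for the demo.

```python
"""Simplified model, written for this article and not LI.FI code, of why an
ERC-20 approval granted to a router that forwards caller-supplied calls can be
drained, and what a bounded approval, a revoke and a call allow-list change.
Addresses, balances and the router/DEX contracts are made up for the demo."""

UINT256_MAX = 2**256 - 1  # the value wallets send for an "infinite" approval

# Real ERC-20 selectors (first 4 bytes of keccak256 of the signature).
SEL_TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
SEL_APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)

# ABI words: a 20-byte address is left-padded to 32 bytes, uint256 is big-endian.
def enc_addr(a): return bytes.fromhex(a[2:]).rjust(32, b"\0")
def enc_uint(n): return n.to_bytes(32, "big")
def dec_addr(w): return "0x" + w[12:].hex()
def dec_uint(w): return int.from_bytes(w, "big")

class Token:
    """Minimal ERC-20. transferFrom is authorised by msg.sender's allowance,
    so whoever can make an approved router call the token can spend it."""

    def __init__(self):
        self.balances, self.allowances = {}, {}

    def approve(self, msg_sender, spender, amount):
        self.allowances[(msg_sender, spender)] = amount

    def transfer_from(self, msg_sender, owner, to, amount):
        allowed = self.allowances.get((owner, msg_sender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # OpenZeppelin-style: infinite never decrements
            self.allowances[(owner, msg_sender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def call(self, msg_sender, calldata):
        """Dispatch raw calldata the way the EVM would on this contract."""
        sel, a = calldata[:4], calldata[4:]
        if sel == SEL_TRANSFER_FROM:
            self.transfer_from(msg_sender, dec_addr(a[:32]), dec_addr(a[32:64]), dec_uint(a[64:96]))
        elif sel == SEL_APPROVE:
            self.approve(msg_sender, dec_addr(a[:32]), dec_uint(a[32:64]))
        else:
            raise ValueError("unknown selector")

class VulnerableRouter:
    """Forwards (callTo, callData) from anyone with itself as msg.sender.
    Users' approvals sit on this address, so the forwarded call inherits them."""

    def __init__(self, address, chain):
        self.address, self.chain = address, chain

    def swap(self, call_to, call_data):
        self.chain[call_to].call(self.address, call_data)

class AllowListRouter(VulnerableRouter):
    """Same forwarding, but only to whitelisted (contract, selector) pairs,
    so a token's transferFrom can never be the swap target."""

    def __init__(self, address, chain, allowed):
        super().__init__(address, chain)
        self.allowed = set(allowed)

    def swap(self, call_to, call_data):
        if (call_to, call_data[:4]) not in self.allowed:
            raise PermissionError("call target/selector not on allow-list")
        super().swap(call_to, call_data)

def drain_calldata(victim, attacker, amount):
    """What the attacker hands the router: transferFrom(victim, attacker, amount)."""
    return SEL_TRANSFER_FROM + enc_addr(victim) + enc_addr(attacker) + enc_uint(amount)

def revoke_calldata(spender):
    """approve(spender, 0): the tx a user sends to each token contract to revoke."""
    return SEL_APPROVE + enc_addr(spender) + enc_uint(0)

USDC, ROUTER, DEX = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20  # made up
VICTIM, ATTACKER = "0x" + "dd" * 20, "0x" + "ee" * 20                        # made up
SEL_DEX_SWAP = bytes.fromhex("deadbeef")  # hypothetical selector of the one legitimate target

def run_scenario(approval, hardened=False, revoke_first=False):
    """Victim holds 1000 USDC and approves `approval` to the router; the attacker
    then pulls as much as the public allowance permits. Returns what is left."""
    chain = {USDC: Token()}
    usdc = chain[USDC]
    usdc.balances[VICTIM] = 1000
    chain[ROUTER] = (AllowListRouter(ROUTER, chain, {(DEX, SEL_DEX_SWAP)})
                     if hardened else VulnerableRouter(ROUTER, chain))
    usdc.approve(VICTIM, ROUTER, approval)
    if revoke_first:
        usdc.call(VICTIM, revoke_calldata(ROUTER))
    allowed = usdc.allowances[(VICTIM, ROUTER)]  # allowances are public on-chain state
    try:
        chain[ROUTER].swap(USDC, drain_calldata(VICTIM, ATTACKER, min(allowed, 1000)))
    except PermissionError:
        pass
    return usdc.balances[VICTIM]
```

With an infinite approval `run_scenario(UINT256_MAX)` leaves the victim with 0: the router never spends its own funds, it simply becomes msg.sender for a transferFrom the attacker wrote, and the allowance is never consumed. A bounded approval of 100 caps the loss at 100 (900 left), revoking first leaves the full 1000, and the allow-list router refuses the call outright. `revoke_calldata` builds the real approve(spender, 0) payload; to revoke the address Cyvers Alerts flagged, that calldata has to be sent to every token contract on which you previously approved it.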

As a seasoned crypto investor, I can’t help but reflect on the similarities between the current situation and past incidents. According to PeckShield’s recent alert, the bug they identified is strikingly familiar. So, have we truly learned from our past experiences?

After the 2022 incident, LI.FI temporarily halted all swap functions in its smart contract while it worked on improvements to prevent future weaknesses. The emergence of another similar exploit casts doubt on the platform’s security practices and raises the question whether the measures taken after the previous hack were sufficient.

LI.FI functions as a unified platform enabling users to execute trades on multiple blockchain networks, marketplaces, and interoperability solutions.


2024-07-16 18:53