LiFi Protocol Under Attack with Over $10 Million Drained

The Li.Fi protocol, an API that facilitates Ethereum Virtual Machine (EVM) and Solana (SOL) swaps and bridging, has fallen victim to a significant security breach, resulting in the loss of over $10 million in cryptocurrencies.

Hackers exploited vulnerabilities caused by approvals accepted from the malicious contract address to drain assets stored in the contracts and funds in users’ connected wallets.

Hackers Exploit LiFi Protocol: Approximately $10 Million Drained

According to reports from Cyvers Alerts, the breach involved suspicious transactions targeting the Li.Fi protocol through a specific contract address.

Users have been strongly advised to revoke their approvals for the address: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae, to prevent further losses.

Meir Dolev, co-founder and Chief Technology Officer at Cyvers, emphasized the risk of such approvals, stating,

“Hackers can exploit these approvals to drain both assets stored in the contracts and funds in the connected wallets of users.”

In a tweet after Cyvers notification, the Li.Fi protocol team warned users not to interact with Li.Fi-powered applications until further notice and also provided a list of additional addresses to revoke for those who had manually set infinite approvals:

• 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
• 0x341e94069f53234fE6DabeF707aD424830525715
• 0xDE1E598b81620773454588B85D6b5D4eEC32573e
• 0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68

As of now, the hackers have drained approximately $10 million in cryptocurrency, and the exploit has extended to the Arbitrum blockchain. This incident highlights the inherent risks of granting approvals to smart contract wallets.

Regarding this, Dolev also stressed and reiterated the risks and the need for vigilance among users and developers.

Recent Attacks in the DeFi Space

This attack on Li.Fi is part of a series of recent breaches within the DeFi space.

Recently, Pike Finance experienced significant losses due to a smart contract vulnerability , resulting in $1.6 million in stolen funds over three days.

The first major exploit occurred on April 30, with an attacker draining over $1.68 million across Ethereum, Arbitrum, and Optimism chains by changing the output address in the smart contract.

This attack followed a similar exploit on April 26, where $300,000 was stolen.

Similarly, Dough Finance lost $1.8 million in digital assets due to a flash loan attack on July 12. The attacker used Railgun’s zero-knowledge protocol to swap stolen USD Coin for 608 ETH.

Further analysis by Olympix revealed that the exploit resulted from unvalidated calldata in the “ConnectorDeleverageParaswap” contract. This failure allowed the attacker to manipulate the data during flash loan calls.

These attacks are part of a broader trend in the crypto space.

Over $1 billion in digital assets were lost in the first half of 2024 due to various security incidents, including phishing attacks and private key compromises. In Q2, over $688 million was lost across 184 on-chain security breaches .

Despite these challenges, the crypto market has shown resilience, achieving a record recovery rate of 77% for stolen funds in the second quarter of 2024, with $347.4 million recovered or frozen out of $512.9 million lost.

However, cryptocurrency scams continue to thrive, especially on X (formerly Twitter), where nearly $50 million is lost monthly due to account impersonation.