
The latest DeFi protocol hack involves Li Finance. On Sunday, March 20, an attacker's exploit of the platform's contract led to the loss of tokens valued at $600,000. In a swift response, the platform reimbursed the owners of some of the affected wallets and has made provision to compensate the others.
Today’s LiFi hack happened because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract.
— Daniel Von Fange (@danielvf) March 20, 2022
Wallets Granted Infinite Approval To Protocol
According to a Cointelegraph report, the smart contract exploit, which took advantage of a bug in the code, affected 29 users of the LiFi protocol. It states that the attack, which took place on Sunday, extracted tokens from wallets that had given permission to the platform. These wallets, which had granted what it termed infinite approval to the platform, had 10 different tokens stolen from them.
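The two paragraphs above describe the root cause (a swap function that forwards a caller-chosen target and calldata to an arbitrary external call) and the precondition that made it costly (users holding open token approvals to the contract). The following sketch is an added illustration, not LI.FI's code: it shows the hardened shape of such a swap, where the external call may only go to a whitelisted DEX router, never to a token contract, and the contract only ever pulls the exact amount the caller is swapping. The contract name, the `approvedRouter` whitelist, and all function signatures are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed by the example (constructed for illustration).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical aggregator sketch. The unsafe pattern the article describes is
//     (bool ok, ) = target.call(data);
// with both `target` and `data` chosen by the caller. Because users had approved
// this contract to spend their tokens, the contract itself could be pointed at a
// token address with transferFrom() calldata. The version below closes that gap.
contract HardenedSwap {
    address public immutable owner;

    // Only routers the operator has reviewed may be called. Token contracts are
    // never added here, so the contract can never be made to call transferFrom().
    mapping(address => bool) public approvedRouter;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setRouter(address router, bool allowed) external onlyOwner {
        approvedRouter[router] = allowed;
    }

    // Swap `amountIn` of `tokenIn` for `tokenOut` via a whitelisted router.
    // `routerCalldata` is still caller-supplied, but it can only reach `router`.
    function swap(
        address router,
        address tokenIn,
        address tokenOut,
        uint256 amountIn,
        bytes calldata routerCalldata
    ) external {
        require(approvedRouter[router], "router not whitelisted");
        require(router != tokenIn && router != tokenOut, "router cannot be a token");

        // Pull only what this swap needs from the caller; never touch other users' allowances.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Grant the router an allowance for exactly this swap, and revoke it afterwards.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");

        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        (bool ok, ) = router.call(routerCalldata);
        require(ok, "router call failed");
        IERC20(tokenIn).approve(router, 0);

        // Pay out whatever the router delivered; refuse swaps that produced nothing.
        uint256 received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received > 0, "no output received");
        require(IERC20(tokenOut).transfer(msg.sender, received), "payout failed");
    }
}
```

The two checks that matter are the router whitelist and the `router != token` guard: together they ensure the only contracts this code will ever call with untrusted calldata are DEX routers the operator has chosen, so the contract's own token allowances cannot be turned against the users who granted them. On the user side, the same incident is why wallet hygiene advice recommends approving only the amount needed for a swap rather than an unlimited allowance, and periodically revoking allowances to contracts no longer in use.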
TLDR:
• ~$600K have been stolen from 29 wallets
• Users don’t have to do anything
• Bug has been fixed and is already deployed
https://t.co/fqOxJxDrZs
— LI.FI – Any-2-Any Swaps (🦎,🦎) (@lifiprotocol) March 21, 2022
The tokens that were extracted in the exploit are Gnosis (GNO), USD Coin (USDC), Polygon (MATIC), Metaverse Index (MVI), Rocket Pool (RPL), Tether (USDT), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT), and DAI (DAI).
The team disabled token swapping when it discovered the exploit 12 hours later. After reviewing the hack, the team found that the attacker had swapped the stolen coins for 205 ETH, worth about $600,000.
Reached Out To Hacker
The team has already reimbursed 25 of the 29 wallet owners, who lost about $80,000 in total. The owners of the other four wallets, who lost $517,000, have been offered deals as angel investors in the protocol. The arrangement would give them the same benefits as the platform's original angel investors. The hacker was also contacted and asked to return the funds in exchange for a bug bounty reward.