A Sunday hack on the Li Finance (LiFi) protocol (DeFi) has seen about 29 of its users suffer losses amounting to nothing less than $600,000.
According to reports, the hack took place at around 2:51 am UTC on Sunday. The hacker exploited a bug in the project's smart contract, gaining access to wallets that had granted the Li Finance protocol "infinite approval". In all, about 10 different tokens were extracted from the affected wallets.
Some of the stolen tokens include Polygon (MATIC), Gnosis (GNO), USD Coin (USDC), Rocket Pool (RPL), Audius (AUDIO), Tether (USDT), Metaverse Index (MVI), AAVE (AAVE), DAI (DAI), and Jarvis Reward Token (JRT).
Li Finance Shuts Down All Swapping Functions
Meanwhile, about 12 hours later, the Li Finance team shut down all swapping functions on its platform. And reasonably so, if they are to prevent any further losses.
According to the official statement of the swap aggregator, the attacker swapped all the stolen tokens for about 205 Ether (ETH), estimated to be worth around $600,000. As of press time, the stolen ETH had yet to be recovered from the attacker's wallet. LiFi has, however, confirmed to users that the bug that caused the leak has now been identified and fixed.
Furthermore, 25 out of the 29 wallets that were affected in this attack have been refunded from treasury funds. However, those 25 only accounted for $80,000, or 13% of the entire loss.
The owners of the remaining four wallets, who lost a combined $517,000, have also been contacted. Interestingly, they are being offered deals to become angel investors in the protocol. This means that they would receive LiFi tokens in an amount equal to their losses. And with this, damage to the platform's treasury can be reduced.
DeFi Hacks Common Risks
The LiFi hack is the most recent in the decentralized finance (DeFi) sector. But it also further demonstrates the risks attached to giving infinite approvals to smart contracts. What exactly does this mean? An infinite approval lets a contract, such as a decentralized exchange (DEX) router, move an unlimited amount of a token out of the user's wallet without any further authorization from the user. A bug in that contract therefore exposes the wallet's entire balance of the approved token, which is why attackers have continued to find such approvals so convenient to exploit.
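To make the risk concrete, here is a small Python model of ERC-20 allowance semantics. It is an added example, not code from the article or from the LiFi project; the names ("alice", "router") and the balances are constructed. It follows the common token behaviour (for example OpenZeppelin's ERC20) in which an allowance equal to 2^256-1 is never decremented, so a single infinite approval keeps the whole balance exposed to whatever contract holds it, while a bounded approval caps the worst case at the approved amount and is consumed by normal use. Revoking is simply approving zero.

```python
# Constructed model of ERC-20 approve / transferFrom semantics (not LiFi code).
MAX_UINT256 = 2**256 - 1  # the "infinite approval" value


class ERC20Sim:
    """Minimal in-memory token: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        # approve() overwrites; approving 0 revokes the spender entirely.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves `amount` of owner's tokens, as a contract would."""
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("allowance exceeded")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Many implementations skip the decrement for an infinite allowance,
        # so it never runs out; a bounded allowance is consumed as it is used.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Worst case a buggy or compromised spender could pull right now:
    bounded by both the remaining allowance and the owner's balance."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def revoke(token, owner, spender):
    """Defensive cleanup: zero the allowance once a contract is no longer trusted."""
    token.approve(owner, spender, 0)


def compare_approval_policies():
    """Walk one swap of 100 tokens under both policies and report exposure."""
    result = {}

    # Policy 1: infinite approval, the pattern the article warns about.
    token = ERC20Sim({"alice": 1_000})
    token.approve("alice", "router", MAX_UINT256)
    result["infinite_before_swap"] = exposure(token, "alice", "router")  # 1000
    token.transfer_from("router", "alice", "router", 100)  # legitimate swap
    result["infinite_after_swap"] = exposure(token, "alice", "router")  # 900
    revoke(token, "alice", "router")
    result["infinite_after_revoke"] = exposure(token, "alice", "router")  # 0

    # Policy 2: approve exactly what the swap needs.
    token = ERC20Sim({"alice": 1_000})
    token.approve("alice", "router", 100)
    result["bounded_before_swap"] = exposure(token, "alice", "router")  # 100
    token.transfer_from("router", "alice", "router", 100)
    result["bounded_after_swap"] = exposure(token, "alice", "router")  # 0
    return result


if __name__ == "__main__":
    for name, value in compare_approval_policies().items():
        print(f"{name}: {value}")
```

The numbers show the difference that matters for a user of any aggregator: with a bounded approval the swap itself uses up the allowance, so a later bug in the spender contract has nothing left to draw on; with an infinite approval the remaining balance stays exposed until the user explicitly revokes it.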
Unfortunately for Li Finance, the attack came barely a week before its planned audit.
Meanwhile, the Li Finance team has also reached out to the hacker, offering a bug bounty to return the funds.