Wednesday 25 May 2022

Li Finance protocol loses $600,000 in latest DeFi exploit

The Li Finance swap aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users’ wallets.

The exploit took place at 2:51 am UTC on Sunday. The attacker was able to extract varying amounts of 10 different tokens from wallets that had given “infinite approval” to the Li Finance protocol. Among the stolen tokens were USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT) and DAI (DAI).

When the team learned about the exploit 12 hours later at 2:15 pm UTC, it shut down all swapping functions on the platform in order to prevent any further losses.

By 2:50 am UTC on Monday, the team had issued a post mortem detailing the events of the exploit. The team said that the attacker swapped the stolen tokens for a total of about 205 Ether (ETH) valued at roughly $600,000. At the time of writing, the stolen ETH had yet to be moved from the attacker’s wallet. LiFi also assured users that the bug has been identified and patched.

Of the 29 wallets that were hit in this attack, 25 have been reimbursed from treasury funds for their losses. Those 25 wallets only accounted for $80,000, or 13% of the total value lost. The owners of the remaining four wallets that lost a combined $517,000 have been contacted and offered a deal to compensate them by honoring their losses as angel investors in the protocol.

They would receive LiFi tokens under the same terms as other angel investors in an amount equal to their losses from each wallet. This would also help to mitigate the damage to the platform’s treasury.

The hacker was also contacted and offered a bug bounty to return the funds.


The attack appears to have come at an unfortunate time. Li Finance CEO Philipp Zentner told Cointelegraph on Monday that “We’re literally a week away from our audit,” adding that “we have multiple companies auditing us.”

Even a thorough audit of the code may not have picked up this particular bug, however, according to “Transmissions11,” a researcher at crypto investment firm Paradigm. He explained in a Monday tweet that the error in Li Finance’s code was easy to miss and “subtle if you’re not in the right mindset.”


This latest hack in the decentralized finance sector demonstrates how giving infinite approvals to smart contracts exposes a user’s funds to greater risk. Infinite approvals allow users to swap coins at a decentralized exchange an unlimited number of times without needing to approve any more transactions.
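The exposure created by infinite approvals can be measured from a chain's ERC-20 `Approval` event logs. The Python below is an added example, not code from Li Finance or from this article: it replays the logs to find which wallets still have a live allowance to one spender contract and how much of their balance that allowance covers. The addresses, balances, log entries and the `UNLIMITED` threshold are constructed assumptions.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED = 2**255  # heuristic chosen for this example: at or above this is "infinite"

def addr(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def current_allowances(logs):
    """Replay logs in chain order; the last Approval per (token, owner, spender) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue  # skip other events (an ERC-721 Approval carries 4 topics)
        state[(log["address"].lower(), addr(t[1]), addr(t[2]))] = int(log["data"], 16)
    return state

def exposure_report(logs, balances, spender):
    """What one spender contract could pull from each owner. Event-derived allowances
    are an upper bound, since transferFrom may already have spent part of them."""
    rows = []
    for (token, owner, sp), allowance in current_allowances(logs).items():
        if sp != spender.lower() or allowance == 0:
            continue  # a different spender, or an approval that was revoked
        at_risk = min(allowance, balances.get((token, owner), 0))
        rows.append({"token": token, "owner": owner,
                     "unlimited": allowance >= UNLIMITED, "at_risk": at_risk})
    return sorted(rows, key=lambda r: -r["at_risk"])

# ---- constructed sample data (no real addresses or transactions) ----
TOKEN, ROUTER = "0x" + "aa" * 20, "0x" + "5e" * 20  # hypothetical token and aggregator
ALICE, BOB, CAROL = ("0x" + c * 20 for c in ("a1", "b0", "c4"))
def make_log(block, idx, owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    make_log(100, 0, ALICE, ROUTER, MAX_UINT256),  # infinite approval, never revoked
    make_log(101, 3, BOB, ROUTER, 500 * 10**6),    # exact-amount approval
    make_log(102, 1, CAROL, ROUTER, MAX_UINT256),  # infinite approval ...
    make_log(110, 0, CAROL, ROUTER, 0),            # ... later revoked with approve(0)
]
SAMPLE_BALANCES = {(TOKEN, o): 20_000 * 10**6 for o in (ALICE, BOB, CAROL)}
if __name__ == "__main__":
    print(*exposure_report(SAMPLE_LOGS, SAMPLE_BALANCES, ROUTER), sep="\n")
```

With identical balances, the wallet holding an unrevoked infinite approval has its whole balance at risk, the exact-amount approver is capped at the approved amount, and the wallet that revoked drops out of the report. Confirm any flagged entry against the token's on-chain `allowance()` before acting on it.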
