LI.FI announced in a blog post on March 20 that a smart contract vulnerability had cost 29 wallets over $600 000. According to the released information, the attacker took advantage of the swapping smart contract the platform uses before bridging. Rather than performing a swap, the attacker used that contract to call the token contracts directly, bypassing the normal swap process entirely.
Immediately after being informed of the attack, the platform began investigating the incident and informed its users on Twitter. It went on to assure users that 25 of the 29 wallets had already been reimbursed for the stolen tokens. The alert further reveals that several tokens, including MTIC, DAI, USDT, USDC, AAVE, RPL and others, were among the compromised digital assets.
LI.FI also reassured the remaining four users that their settlement would follow once the best way to carry it out had been agreed. The 25 wallets, which make up 86% of the compromised wallets, lost about $80 000 in total. The four remaining wallets lost about $517 000 between them, an amount that could strain the platform's capital if settled immediately. For this reason, LI.FI delayed that settlement while it worked out the best way to reimburse the four users.
The attacker carried out the breach at 02:51 UTC, getting away with approximately 205 ETH worth of different tokens. They took advantage of users who had given infinite approval to the swapping smart contract, which left those users' token balances exposed at the time. The attacker later swapped all stolen tokens to Ether and held them in their wallet.
The bridge connects users to the decentralized exchanges that best suit their needs, weighing fees, safety, transaction speed, decentralization and other factors before settling on a DEX. The attacker exploited new smart contracts that LI.FI had deployed to enable destination swaps before those contracts had been audited.
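The mechanism described above, in which a user's standing ERC-20 approval to a swap contract is spent by a call that reaches a token contract through the swap contract, is illustrated below as a generic vulnerable pattern beside a hardened one. This is an added example written for this article, not LI.FI's code; the contract and function names and the allowlist design are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Pattern A (vulnerable, illustrative): the swap helper forwards an arbitrary
// call to a caller-chosen target. Users have granted this contract an ERC-20
// allowance (often unlimited) so it can pull funds for swaps. If `target` is a
// token contract and `data` encodes transferFrom(victim, attacker, amount),
// the token sees msg.sender == this contract and honours the allowance.
contract SwapUnrestricted {
    function swap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
    }
}

// Pattern B (hardened, illustrative): only owner-approved DEX routers may be
// called, and only with owner-approved function selectors, so the contract
// can no longer be pointed at a token contract's transferFrom.
contract SwapRestricted {
    address public immutable owner;
    mapping(address => bool) public approvedDex;      // allowlisted routers
    mapping(bytes4 => bool) public approvedSelector;  // allowlisted calls

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setDex(address dex, bool allowed) external onlyOwner {
        approvedDex[dex] = allowed;
    }

    function setSelector(bytes4 sel, bool allowed) external onlyOwner {
        approvedSelector[sel] = allowed;
    }

    function swap(address target, bytes calldata data) external {
        require(approvedDex[target], "target not an approved DEX");
        require(data.length >= 4, "calldata too short");
        require(approvedSelector[bytes4(data[:4])], "selector not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
    }
}
```

On the user side, the exposure from pattern A is bounded by the allowance granted: approving only the amount needed per swap, or revoking with approve(spender, 0) afterwards, limits what a compromised spender can move.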
However, as soon as the platform received the alert, it disabled swapping to prevent further losses. It also contacted the attacker with an offer of a bounty and a promise to keep their identity private. LI.FI has yet to receive a response, and in the blog post it went on to appeal to the attacker directly.
It acknowledges its shortcomings in ensuring the contracts were safe enough for users, attributing them to a delayed auditing process. Nonetheless, it has started working on a proper fix for its system so that none of its users suffer such a vulnerability in the future.
It also highlighted its commitment to a proper user experience, which led it to accept the need for better security protocols in its ecosystem. To counter the effects of the attack, the platform has taken measures to locate and fix the vulnerability.
Once the rest have been reimbursed, the four remaining users will have the option of an angel investment in place of the lost funds. If that is not their wish, the platform will take the necessary steps to settle their funds in full.