LiFi Protocol Releases Post-Mortem Report On Recent $11.6 Million Hack

• Following the LiFi Protocol $11.6 million hack attack on July 16, the team released a post-mortem report detailing the breach process and method.

On July 16, 2024, the LiFi protocol experienced a severe security breach, resulting in the loss of approximately $11.6 million in cryptocurrencies. The incident occurred shortly after the deployment of a new smart contract facet.

A vulnerability within this new facet allowed attackers to exploit user self-custodial wallets that had set infinite token approvals.

LiFi Protocol Report Note The Depth of Security Breach

Following the attack on July 16, the team released a post-mortem report detailing the breach process and method.

Post-mortem and next steps for @lifiprotocol partners and community:https://t.co/H4EEiLAHEc pic.twitter.com/TZmx0VtLxo

— LI.FI (@lifiprotocol) July 18, 2024

According to the report, the breach impacted 153 wallets across the Ethereum and Arbitrum blockchains, draining assets including USDC, USDT, and DAI.

Notably, the vulnerability did not affect finite approvals, which is the default setting within the LiFi API, SDK, and widget.

Upon detecting the breach, the LiFi team activated their incident response plan, swiftly disabling the vulnerable facet across all chains to contain the threat.

The team also advised users to revoke approvals for the compromised contract addresses, specifically:

• 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
• 0x341e94069f53234fE6DabeF707aD424830525715
• 0xDE1E598b81620773454588B85D6b5D4eEC32573e
• 0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68.

The vulnerability arose due to an oversight during the deployment of the new smart contract facet. Callers to the contract were able to make arbitrary calls to any contract without validation.

This capability, provided by the LibSwap library, facilitated making calls to multiple decentralized exchanges (DEXs), fee collectors, and other entities before bridging or sending funds to a user.

While other facets of the LiFi contract included validation against a whitelist of approved contract addresses and functions, this critical step was missing in the new facet due to a human error.

Recovery Efforts and Broader Impact

LiFi is prioritizing the recovery of the stolen assets following the recent security breach.

The team is collaborating with law enforcement authorities and industry security teams to trace and attempt to recover the funds.

Additionally, with support from major investors, LiFi is exploring options to fully compensate affected users.

Wallet holders impacted by the breach are encouraged to complete the provided form in the announcement for direct communication with the LiFi team.

Important update for affected users:

Our team will start contacting users starting tomorrow with details on a voluntary compensation scheme we are currently working on.

To participate in the compensation scheme, please complete the form below https://t.co/i8joNc6rbt

— LI.FI (@lifiprotocol) July 18, 2024

Furthermore, to enhance security, LiFi has implemented several additional measures, including multiple audits, maintaining an auditing firm on retainer, backend infrastructure and API penetration testing, bug bounties, an incident response framework, and extensive security assessments of integrated third-party systems.

These steps are aligned with the National Institute of Standards and Technology (NIST) guidelines.

The breach, attributed to human error, has prompted LiFi to reassess and improve its deployment review process to prevent future incidents.

According to the report, the LiFi team continues to work with security experts and will provide updates as they progress in enhancing the protocol’s security.

This incident is part of a troubling trend of increasing security breaches in decentralized finance (DeFi). Recent attacks include Dough Finance’s $1.8 million flash loan attack and Pike Finance’s significant losses due to a smart contract vulnerability.

Just today, July 18, a leading Indian crypto exchange, WazirX, was drained of $235 million in a series of suspicious transactions later linked to the well-known North Korean Hackers Lazarus Group.

The Lazarus group has been behind major attacks and breaches in the Crypto industry. A recent $305M hack was traced to the group, and the UN also investigated a $3B attack linked to them earlier this year.

In the first half of 2024 alone, over $1 billion in digital assets were lost due to various security incidents, including phishing attacks and private key compromises.