On July 16, 2024, the LiFi protocol experienced a severe security breach, resulting in the loss of approximately $11.6 million in cryptocurrencies. The incident occurred shortly after the deployment of a new smart contract facet.
A vulnerability within this new facet allowed attackers to exploit user self-custodial wallets that had set infinite token approvals.
Hackers exploited vulnerabilities caused by approvals to drain $10 million from LiFi protocol. #lifi #defi https://t.co/VSL4VBJhH7
— Cryptonews.com (@cryptonews) July 16, 2024
Following the attack on July 16, the team released a post-mortem report detailing how the breach was carried out.
Post-mortem and next steps for @lifiprotocol partners and community: https://t.co/H4EEiLAHEc pic.twitter.com/TZmx0VtLxo
— LI.FI (@lifiprotocol) July 18, 2024
According to the report, the breach impacted 153 wallets across the Ethereum and Arbitrum blockchains, draining assets including USDC, USDT, and DAI.
Notably, the vulnerability did not affect finite approvals, which is the default setting within the LiFi API, SDK, and widget.
Upon detecting the breach, the LiFi team activated their incident response plan, swiftly disabling the vulnerable facet across all chains to contain the threat.
The team also advised users to revoke approvals for the compromised contract addresses, specifically:
The vulnerability arose from an oversight during the deployment of the new smart contract facet: callers could direct the contract to make arbitrary calls to any target contract, with no validation of where the call went.
That call-forwarding capability comes from the LibSwap library, which the protocol uses to call multiple decentralized exchanges (DEXs), fee collectors, and other contracts before bridging or sending funds to a user.
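To make the defect concrete, the following is an added illustration, not LI.FI's code or LibSwap itself: a minimal swap facet in the vulnerable shape the post-mortem describes (caller-supplied target and calldata forwarded without validation) next to a hardened version that allowlists call targets and function selectors and only ever pulls tokens from the caller. The contract, struct and function names are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the protocol's code. Names (SwapData, swap, allowedTarget,
// allowedSelector, setTarget, setSelector) are assumptions for illustration.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

struct SwapData {
    address callTo;         // contract the facet will call (DEX, fee collector, ...)
    address sendingAssetId; // token pulled from the user before the swap
    uint256 fromAmount;     // amount of sendingAssetId to pull
    bytes callData;         // encoded call forwarded to callTo
}

/// Vulnerable pattern: every field is caller-controlled and the facet forwards
/// callData to callTo with no check. Any token allowance a user has granted to
/// this contract (an infinite approval in particular) can therefore be spent by
/// whatever call the caller encodes, which is the root cause in the post-mortem.
contract ArbitraryCallFacetVulnerable {
    function swap(SwapData calldata s) external {
        (bool ok, ) = s.callTo.call(s.callData); // unvalidated target and calldata
        require(ok, "call failed");
    }
}

/// Hardened pattern: a call is only forwarded if both the target and the
/// function selector were registered by the owner, and tokens are pulled
/// from msg.sender only, so the facet never spends another user's allowance.
contract ArbitraryCallFacetHardened {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;   // registered DEXs / fee collectors
    mapping(bytes4 => bool) public allowedSelector;  // registered swap entry points

    event TargetUpdated(address indexed target, bool allowed);
    event SelectorUpdated(bytes4 indexed selector, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
        emit TargetUpdated(target, allowed);
    }

    function setSelector(bytes4 selector, bool allowed) external onlyOwner {
        allowedSelector[selector] = allowed;
        emit SelectorUpdated(selector, allowed);
    }

    function swap(SwapData calldata s) external {
        // 1. Destination must be a contract the operator explicitly registered.
        require(allowedTarget[s.callTo], "target not allowlisted");

        // 2. Only registered function selectors may be invoked on that target,
        //    so a token contract's transferFrom can never be the forwarded call.
        require(s.callData.length >= 4, "calldata too short");
        bytes4 selector = bytes4(s.callData[:4]);
        require(allowedSelector[selector], "selector not allowlisted");

        // 3. Funds for the swap come from the caller, never from a third party.
        require(
            IERC20(s.sendingAssetId).transferFrom(msg.sender, address(this), s.fromAmount),
            "transferFrom failed"
        );

        (bool ok, ) = s.callTo.call(s.callData);
        require(ok, "call failed");
    }
}
```

The allowlists are what the deployment oversight left out: without them the contract is a generic call relay that inherits every allowance users granted to it. The user-side mitigation the post-mortem points to is the same regardless of contract design: a finite approval caps what any single relayed call can move, which is why the default finite approvals in the API, SDK and widget were not affected.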
Whil