Li.Finance, a decentralised exchange (DEX) based in Germany, has had one of its smart contracts exploited, resulting in 29 users losing an estimated US$600,000 worth of various assets. The vulnerability has since been fixed and the majority of the affected users reimbursed.
According to the Li.Finance postmortem, on March 20 an attacker exploited a contract responsible for pre-bridge swaps and was able to steal an estimated 200 ETH in a single transaction:
The 29 affected wallets were emptied of a variety of tokens; the attack targeted wallets that had granted the contract infinite token approvals. The tokens taken were USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI. They were all converted to ETH and are still sitting in the hacker’s wallet.
Bug Bounty Option Ignored
The protocol also gave the hacker the option to claim a bug bounty, but there has been no response. The writer added in the post: “If you are reading this, we would be extremely grateful to provide a generous bounty and would obligate ourselves not to disclose any information about your identity.”
Li.Fi Being a Nice Guy
The official post stated that the vulnerability had since been patched and the majority of affected users compensated within 24 hours. Out of the affected 29 wallets, 25 have been reimbursed for a total of US$80,000.
Owners of the remaining US$517,000 owed to four wallets have been given the option to transform the lost funds into an angel investment into Li.Fi, and thus future LI.FI tokens will be given to them under the same terms as an investor in the current funding round. Doing it this way reduces the damage to the platform’s treasury and also allows users to recover their investment with “an opportunity that would not be possible otherwise with huge upside potential”.
Importance of Audits and Security in DeFi
According to Li.Finance CEO Philipp Zentner, the platform was only a week away from its scheduled security audit. The audit might have been able to catch the bug before it was exploited, but nothing is assured:
This exploit has provided another example of why security must be of utmost importance. As builders in the space, it is our responsibility to ensure that users’ funds are safe above [all] else. Our users can rest assured that the audit is happening and LI.FI is safe to use
Li.Finance postmortem
This latest hack demonstrates how granting infinite approvals to smart contracts can expose a user’s funds to far greater risk. An infinite approval lets a user swap tokens through a decentralised exchange any number of times without signing a further approval, but it also lets the approved contract move the user’s entire balance of that token at any time, including after the contract itself has been compromised.
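To show why the infinite approvals described above widen the damage, here is an added Python simulation of ERC-20 allowance semantics (not code from Li.Finance or its post-mortem; the token, wallet and contract names are made up): a wallet that granted a bounded approval loses nothing when the swap contract is later compromised, while one that granted an infinite approval loses its whole balance.

```python
# Added example: toy ERC-20 approve/transferFrom ledger (constructed, not Li.Finance code).
MAX_UINT256 = 2**256 - 1  # the value wallets use for an "infinite" approval


class Token:
    """Minimal ERC-20 ledger: balances plus per-(owner, spender) allowances."""

    def __init__(self, symbol, balances):
        self.symbol = symbol
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount the spender may move

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """Move the owner's tokens on the spender contract's behalf, as ERC-20 allows."""
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise ValueError("insufficient allowance or balance")
        # Common implementations (e.g. OpenZeppelin) never decrement a max-uint allowance.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drainable(token, owner, spender):
    """Exposure right now if the spender turns hostile: min(balance, allowance)."""
    return min(token.balances.get(owner, 0), token.allowances.get((owner, spender), 0))


def compromised_spender_drains(token, owner, spender, attacker):
    """A compromised spender contract takes everything its allowance permits."""
    amount = drainable(token, owner, spender)
    if amount:
        token.transfer_from(spender, owner, attacker, amount)
    return amount


def demo(approval):
    """Return (owner's remaining balance, amount lost) for a given approval size."""
    usdc = Token("USDC", {"alice": 10_000})  # hypothetical wallet and balance
    usdc.approve("alice", "dex_swapper", approval)  # hypothetical swap contract
    usdc.transfer_from("dex_swapper", "alice", "dex_swapper", 500)  # legitimate swap
    lost = compromised_spender_drains(usdc, "alice", "dex_swapper", "attacker")
    return usdc.balances["alice"], lost
```

Revoking or reducing an allowance after a swap (approve to 0 or to the exact amount) brings `drainable` back to zero, which is the user-side mitigation this incident points to.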
Earlier this month, Deus Finance also suffered an attack that cost the protocol US$3 million, following closely on the heels of the Fantasm Finance hack that cost the project US$2.6 million. The importance of security cannot be overstated in the space; according to the 2021 Chainalysis Crypto Crime report, crypto stolen from DeFi has increased 1,330 percent since 2020.