Li.Fi releases incident report following $11M hack
A vulnerability in the code allowed users calling the smart contract to initiate calls to any contract without prior validation
Following the $11.6 million exploit of the Li.Fi protocol, an API used to bridge and swap digital assets across blockchains, the Li.Fi team released an update outlining the technical details of the breach.
According to the security update, the deployment of a new smart contract facet was ground zero for the malicious attack. A vulnerability in the code allowed users calling the smart contract to initiate calls to any contract without prior validation.
The affected function was derived from the LibSwap library, which Li.Fi uses to route calls between decentralized exchanges, service providers, and clients when coordinating asset bridging and swapping.
Normally, such calls are screened against a whitelist of approved addresses before they are executed. Li.Fi explained, however, that human error when deploying the offending smart contract facet was the root cause of the vulnerability the attacker exploited.
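To make the defect class concrete, the following is an added illustration in Solidity and is not Li.Fi's or LibSwap's code; the contract and function names (`UnsafeSwapFacet`, `SafeSwapFacet`, `swap`, `approvedDex`, `approvedSelector`) are hypothetical. It places a facet that forwards a user-supplied target and calldata without validation beside a hardened version that fails closed: the call is only executed if the target address and the function selector are both on an owner-managed whitelist, and the whitelist must be non-empty, so a deployment that skips the configuration step reverts instead of silently allowing arbitrary calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the protocol's own code. All names are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern: the facet executes whatever `target`/`data` the caller supplies.
// Any allowance users have granted to this contract can then be exercised by a call
// the facet was never meant to make, which is why open-ended approvals widen the blast radius.
contract UnsafeSwapFacet {
    function swap(address token, uint256 amount, address target, bytes calldata data) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        (bool ok, ) = target.call(data); // no whitelist check on target or selector
        require(ok, "call failed");
    }
}

// Hardened pattern: explicit allow-lists for the callee and the function selector,
// plus a fail-closed guard so an unconfigured deployment cannot forward anything.
contract SafeSwapFacet {
    address public immutable owner;
    mapping(address => bool) public approvedDex;
    mapping(bytes4 => bool) public approvedSelector;
    uint256 public approvedDexCount;

    event DexUpdated(address indexed dex, bool allowed);
    event SelectorUpdated(bytes4 indexed selector, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setDex(address dex, bool allowed) external onlyOwner {
        require(dex.code.length > 0, "dex is not a contract");
        if (allowed && !approvedDex[dex]) approvedDexCount += 1;
        if (!allowed && approvedDex[dex]) approvedDexCount -= 1;
        approvedDex[dex] = allowed;
        emit DexUpdated(dex, allowed);
    }

    function setSelector(bytes4 selector, bool allowed) external onlyOwner {
        approvedSelector[selector] = allowed;
        emit SelectorUpdated(selector, allowed);
    }

    // Deployment scripts can assert this before the facet is wired into the router,
    // turning the "forgot to configure the whitelist" mistake into a detectable failure.
    function isConfigured() external view returns (bool) {
        return approvedDexCount > 0;
    }

    function swap(address token, uint256 amount, address target, bytes calldata data) external {
        require(approvedDexCount > 0, "facet not configured");
        require(approvedDex[target], "target not whitelisted");
        require(target != token, "token contract is not a valid swap target");
        require(data.length >= 4, "calldata too short");
        require(approvedSelector[bytes4(data[:4])], "selector not whitelisted");

        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

The two whitelists address different halves of the problem: the address list bounds which contracts the facet may talk to, and the selector list bounds what it may ask them to do. The `approvedDexCount` guard is the deployment safeguard the incident description points at, since a freshly deployed facet with an empty whitelist reverts on every call until an operator has explicitly populated it. Users, for their part, reduce exposure to this class of bug by granting per-transaction allowances rather than unlimited ones.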
The Li.Fi team confirmed the attack occurred on the Ethereum and Arbitrum networks and affected 156 wallets that had the “infinite approvals” option turned on. Users who had not enabled this option were not affected by the exploit.