What assets were stolen in the LI.FI breach?

The stolen assets included USDC, USDT, and DAI, with a total estimated theft of $11.6 million.

What measures is LI.FI taking to recover the stolen funds and assist affected users?

LI.FI is working with law enforcement and industry security teams to trace and recover the stolen funds. They are also evaluating options to compensate affected users and have provided a form for direct contact and assistance.

What security measures has LI.FI implemented to prevent future breaches?

LI.FI has implemented several security measures, including multiple audits by various firms, a monthly retainer with an auditing firm, backend infrastructure and API pen-testing by external security firms, bug bounty programs, an incident response framework, extensive security assessments of integrated third-party systems, and multiple security policies in line with NIST standards.

What steps is LI.FI taking to improve its deployment review process?

LI.FI is reassessing its deployment review process to prevent similar incidents in the future and is collaborating with security experts to improve policies, providing updates as progress is made.

Advisory

Li.Fi decentralized finance platform reports cyberattack and theft of $11M

Q: What security breach did LI.FI experience on July 16, 2024?

On July 16, 2024, LI.FI experienced a significant security breach shortly after integrating a new smart contract facet, leading to an estimated theft of $11.6 million.

Q: How did the attacker exploit the vulnerability in LI.FI's system?

The attacker exploited a vulnerability that allowed them to access user self-custodial wallets with infinite token approval for the LI.FI contract, leading to the theft of assets from 153 wallets across the Ethereum and Arbitrum networks.

Q: What was the root cause of the LI.FI security breach?

The root cause of the breach was identified as a deployment oversight, where callers to the contract could make arbitrary calls to any contract without validation due to a missing whitelist check in the new facet.

published: July 18, 2024

Learn More

LI.FI reports that on July 16, 2024, they were hit by a significant security breach shortly after integrating a new smart contract facet. LI.FI is a decentralized finance (DeFi) platform designed to facilitate cross-chain bridging and decentralized exchange (DEX) aggregation. It offers users the ability to seamlessly swap and bridge digital assets across various blockchain networks.

The vulnerability allowed an attacker to access user self-custodial wallets with infinite token approval for the LI.FI contract, leading to an estimated theft of $11.6 million. The breach affected 153 wallets across the Ethereum and Arbitrum networks, with stolen assets including USDC, USDT, and DAI.

Upon detecting the breach, LI.FI's incident response team disabled the vulnerable facet on all chains. The team identified the root cause as a deployment oversight, where callers to the contract could make arbitrary calls to any contract without validation, a feature provided by the LibSwap library. Typically, these calls are validated against a whitelist of approved contract addresses and functions, but this check was missing in the new facet due to human error.

LI.FI is prioritizing the recovery of user assets, working with law enforcement and industry security teams to trace and recover the stolen funds. Additionally, LI.FI, with backing from major investors, is evaluating options to compensate affected users. Affected wallet holders are encouraged to complete a provided form for direct contact and assistance.

LI.FI is committed to enhancing its security measures and has implemented several policies, including:

Multiple audits by various firms
Monthly retainer with an auditing firm for review of changes
Backend infrastructure and API pen-testing (Whitebox & Blackbox) by external security firms
Bug bounty programs
Incident Response Framework
Extensive security assessments of integrated third-party systems
Multiple security policies in line with NIST standards

The team has begun reassessing the deployment review process to prevent similar incidents in the future. Continuous collaboration with security experts is underway to improve policies, and updates will be provided as progress is made.

Li.Fi decentralized finance platform reports cyberattack and theft of $11M