On July 16, 2024, an $11.6 million security breach of the LiFi protocol set off alarms in the cryptocurrency community. The breach stemmed from a vulnerability in a newly deployed facet of the smart contract, which allowed attackers to drain self-custodial user wallets that had granted the contract infinite token approvals. The breach affected 153 wallets across the Ethereum and Arbitrum blockchains, draining assets such as USDC, USDT, and DAI. The LiFi team responded swiftly by disabling the vulnerable facet across all chains and advised users to revoke approvals for the compromised contract addresses.
The vulnerability that led to the breach was the result of an oversight during deployment of the new facet. The facet let any caller make arbitrary calls to any contract address without validation; its intended purpose was to interact with decentralized exchanges, fee collectors, and other entities before forwarding funds to a user. While the other facets of the LiFi contract validated each call against an allowlist of approved contract addresses and functions, this critical check was missing from the new facet due to human error.
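The following Solidity contract is an added illustration of the pattern described above and is not LiFi's code; the contract and function names are hypothetical. It places an unvalidated arbitrary-call function beside a hardened version that checks the target address and the 4-byte function selector against an owner-managed allowlist before making the call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical facet, written for illustration only (not LiFi's code).
contract ValidatedCallFacet {
    address public immutable owner;

    // Allowlist keyed by target contract, then by 4-byte function selector.
    // Token contracts that users have approved must never be allowlisted
    // as targets, since the facet would then call them with its own
    // approvals as msg.sender.
    mapping(address => mapping(bytes4 => bool)) public approvedCall;

    error NotOwner();
    error CallNotApproved(address target, bytes4 selector);
    error CallFailed();

    constructor() {
        owner = msg.sender;
    }

    // Only the owner (in practice a multisig or governance) may change the allowlist.
    function setApprovedCall(address target, bytes4 selector, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        approvedCall[target][selector] = allowed;
    }

    // The flawed pattern: any target, any calldata, no validation at all.
    // Kept here only as the "before" version of the fix.
    function unsafeExecute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        if (!ok) revert CallFailed();
    }

    // The hardened pattern: the (target, selector) pair must be allowlisted.
    function execute(address target, bytes calldata data) external {
        if (data.length < 4) revert CallNotApproved(target, bytes4(0));
        bytes4 selector = bytes4(data[:4]);
        if (!approvedCall[target][selector]) {
            revert CallNotApproved(target, selector);
        }
        (bool ok, ) = target.call(data);
        if (!ok) revert CallFailed();
    }
}
```

A review checklist for a new facet in a diamond-style contract should therefore include confirming that every external call path runs through the same allowlist check as the existing facets.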
To recover the stolen assets and address the broader impact, LiFi is collaborating with law enforcement and security teams to trace and attempt to recover the funds. The team is exploring options to compensate affected users with support from major investors. Wallet holders affected by the breach are encouraged to complete a form provided by the LiFi team to open a direct line of communication. Additionally, LiFi has implemented several security measures aligned with NIST guidelines, including audits, bug bounties, incident response frameworks, and security assessments of third-party systems.
The security incident at LiFi is part of a troubling trend of increasing security breaches in decentralized finance (DeFi). Recent attacks on Dough Finance and Pike Finance have highlighted vulnerabilities in smart contracts and protocols. Moreover, a leading Indian crypto exchange, WazirX, was recently drained of $235 million in suspicious transactions linked to the Lazarus Group, a notorious hacking group associated with previous high-profile attacks in the crypto industry. The UN has investigated a $3 billion attack linked to the same group earlier in the year.
In the first half of 2024 alone, over $1 billion in digital assets was lost to security incidents such as phishing attacks and private key compromises. The LiFi incident underscores the importance of stringent security measures and thorough review processes when deploying smart contracts and protocols. LiFi continues to work with security experts to strengthen its security and prevent future incidents, demonstrating a commitment to safeguarding user assets and maintaining trust in the DeFi space.