LiFi Protocol, an asset swap and bridge platform compatible with Solana and EVM chains, has been exploited for about $10 million.
The DeFi platform acknowledged the breach but didn’t reveal the exact amount lost. It urged community members to avoid interacting with its system.
It wrote:
“Please don’t interact with any LIFI powered applications for now! We’re investigating a potential exploit. If you didn’t set infinite approval, you aren’t at risk. Only users that have manually set infinite approvals seem to be affected.”
$10 million drained
On July 16, Cyvers Alert, a web3 security platform, reported suspicious transactions involving a LiFi smart contract.
The platform revealed that these transactions led to losses of about $10 million in user assets (including $6.3 million in USDT, $3.1 million in USDC, and around $170,000 in DAI stablecoin) across various blockchain networks, including the Ethereum layer-2 network Arbitrum.
Blockchain analyst Lookonchain reported that the stolen stablecoins were exchanged for 2,857 ETH, equivalent to $9.7 million, and distributed to several wallets.
Meir Dolev, co-founder and chief technology officer at Cyvers, told CryptoSlate:
“The incident highlights the hazards of giving wallet approvals to smart contracts. It’s essential for protocols to stay alert, as hackers can take advantage of these approvals to steal both assets in the contracts and funds in users’ linked wallets.”
Another blockchain security firm, Blockaid, explained that the root of the attack was exploiting the platform’s proxy implementation. It added:
“The attackers have managed to exploit a vulnerability in the proxy implementation, where an attacker is able to inject function call to the contract – a capability they’ve then used to inject transferFrom calls on authorised users.”
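Since the injected transferFrom calls only succeed against owners who still have a live allowance to the affected contract, exposure can be assessed from ERC-20 Approval event logs. The following is an added example, not code from the article, LiFi or the firms quoted; every address and log entry in it is a constructed placeholder, and the 2**255 cutoff for "infinite" is an assumption.

```python
# Added example. Every address and log entry here is constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: anything this large counts as "infinite"

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def open_unlimited_approvals(logs, spender):
    """Return {(token, owner): amount} where the latest approval is unlimited."""
    spender = spender.lower()
    latest = {}
    # Replay in chain order so a later approve(spender, 0) overrides earlier ones.
    for log in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares this topic0 but carries 4 topics; ERC-20 has 3.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)
    # Logs give the last approved amount; confirm with allowance() before acting.
    return {k: v for k, v in latest.items() if v >= UNLIMITED_FLOOR}

def make_addr(byte):  # constructed 20-byte placeholder address
    return "0x" + byte * 20

def make_log(block, token, owner, spender, amount):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"blockNumber": block, "logIndex": 0, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SPENDER, OTHER = make_addr("11"), make_addr("22")  # placeholders, not real contracts
TOKEN_A, TOKEN_B = make_addr("aa"), make_addr("bb")
ALICE, BOB, CAROL = make_addr("a1"), make_addr("b0"), make_addr("c4")
SAMPLE_LOGS = [
    make_log(105, TOKEN_A, BOB, SPENDER, 0),              # Bob revokes later
    make_log(100, TOKEN_A, ALICE, SPENDER, MAX_UINT256),  # still open
    make_log(101, TOKEN_A, BOB, SPENDER, MAX_UINT256),
    make_log(102, TOKEN_B, CAROL, SPENDER, 500 * 10**6),  # exact-amount approval
    make_log(103, TOKEN_A, CAROL, OTHER, MAX_UINT256),    # different spender
]

if __name__ == "__main__":
    for (token, owner), _ in open_unlimited_approvals(SAMPLE_LOGS, SPENDER).items():
        print(f"token {token} owner {owner}: unlimited allowance outstanding")
```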
Notably, blockchain security firm Peckshield pointed out that the Li.Fi platform suffered a similar attack in March 2022. At the time, Li.Fi said the attacker exploited its smart contract through a swapping feature that calls token contracts directly instead of performing actual swaps.
Meanwhile, the attack has led to the spread of several phishing scam links on social media, urging users to “revoke” their access to the platform via suspicious links.