Hack Explained - LiFi Protocol

Rivanorth

LiFi, a multi-chain liquidity aggregation protocol, experienced a major security breach, resulting in a loss of approximately $10 million. The primary cause of this breach was a vulnerability associated with infinite approvals, which allowed attackers to drain funds from users' wallets.

Behind the Breach

The hack on LiFi occurred due to a critical vulnerability in their smart contract. The exploit specifically targeted accounts with infinite approval settings, enabling the attacker to execute arbitrary transactions and transfer funds out of users' wallets. The vulnerability was introduced by a new contract facet, which allowed the internal swap() function to call any address with the message passed by the attacker. This function then executed transferFrom() operations on the approved funds, leading to the unauthorised transfers.

Once the team identified the exploit, they promptly shut down all swapping functions and advised users to revoke permissions. On-chain data revealed that the hacker converted the stolen assets, including USDC and USDT, into ETH across various chains like Ethereum and Arbitrum.

Lessons from the Incident

This is not the first time infinite approval settings have led to a big hack: earlier this year, the hack on Socket was caused by the same vulnerability class. That is why it is so important in Web3 that we learn from and study past hacks. If you want to read up on it, you can find the full article here.

This is how these attacks can be prevented:

  • Regular Security Audits: Continuous and thorough auditing of smart contracts by multiple independent firms can help identify and patch vulnerabilities before they are exploited.

  • Limiting Approvals: Avoiding infinite approvals and instead using limited allowances can reduce the risk of unauthorised transactions.

  • User Education: Educating users about the risks of infinite approvals and providing tools to easily revoke permissions can enhance overall security.
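
To make the "Limiting Approvals" and revocation points concrete, here is an added example (not code from LiFi or from this article's author) that replays ERC-20 Approval logs and lists the owners who still expose an unlimited allowance to a given spender contract. All addresses and log entries are constructed placeholders, and the 2**255 "unlimited" threshold is an assumption.

```python
# topic0 of the ERC-20 event Approval(address,address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255  # assumption: report anything this large as "infinite"

def _addr(topic):
    # An indexed address is left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def current_allowances(logs):
    """Replay Approval logs in chain order; the latest value per key wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but indexes tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        key = (log["address"].lower(), _addr(topics[1]), _addr(topics[2]))
        value = int(log["data"], 16)
        if value == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = value
    return state

def unlimited_exposure(logs, spender, threshold=UNLIMITED_THRESHOLD):
    """Sorted (owner, token) pairs whose live allowance to `spender` is unlimited."""
    return sorted((owner, token)
                  for (token, owner, s), value in current_allowances(logs).items()
                  if s == spender.lower() and value >= threshold)

# --- Constructed sample data (placeholder addresses, eth_getLogs-shaped) ---
ROUTER, TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "b1" * 20, "0x" + "b2" * 20
ALICE, BOB, CAROL = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20
def make_log(token, owner, spender, value, block, index, topic0=APPROVAL_TOPIC):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [topic0, pad(owner), pad(spender)],
            "data": hex(value), "blockNumber": hex(block), "logIndex": hex(index)}
SAMPLE_LOGS = [
    make_log(TOKEN_A, ALICE, ROUTER, MAX_UINT256, 100, 0),  # infinite, still live
    make_log(TOKEN_A, BOB, ROUTER, MAX_UINT256, 101, 2),    # infinite ...
    make_log(TOKEN_A, BOB, ROUTER, 0, 105, 1),              # ... later revoked
    make_log(TOKEN_B, CAROL, ROUTER, 500 * 10**6, 102, 0),  # limited allowance
    make_log(TOKEN_B, ALICE, ROUTER, MAX_UINT256, 99, 4, topic0="0x" + "dd" * 32),  # other event
]

if __name__ == "__main__":
    for owner, token in unlimited_exposure(SAMPLE_LOGS, ROUTER):
        print(f"{owner} has an unlimited allowance on {token} for {ROUTER}: revoke or reduce it")
```

Tokens do not always emit Approval when transferFrom spends an allowance, so the replayed value is an upper bound; confirm it with the token's allowance() call before reporting.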


Rivanorth is a boutique Web3 cybersecurity company.

We specialise in smart contract audits and 360 degree security services for Web3.

Visit https://rivanorth.com/ to find out more.

You build the future. We help you secure it.
