Smart Contract Exploit Drains $600,000 From Li Finance Protocol

  • The swap aggregator, Li Finance, has experienced a smart contract exploit that led to a total loss of approximately $600,000.
  • The attack drained varying amounts of 10 different tokens from 29 users’ wallets.
  • 25 of the 29 wallets that were hit in the attack have been reimbursed from treasury funds for their losses.

The latest DeFi exploit sees $600,000 stolen from the Li Finance protocol. The swap aggregator, Li Finance, has experienced a smart contract exploit that led to a total loss of approximately $600,000 from 29 users’ wallets.

The exploit occurred on Sunday at 2:51 am UTC. The attacker was able to penetrate the Li Finance protocol and gain “infinite approval”. As a result, the hacker was able to drain varying amounts of 10 different tokens from users’ wallets.

Amongst the stolen tokens were USD Coin (USDC), Rocket Pool (RPL), Polygon (MATIC), Gnosis (GNO), Metaverse Index (MVI), Tether (USDT), Audius (AUDIO), Jarvis Reward Token (JRT), AAVE (AAVE) and DAI (DAI).

After learning about the exploit at 2:15 pm, 12 hours later, the team shut down all swapping functions on the platform to prevent any further losses.

A post mortem detailing the events of the exploit was issued by the team at 2:50 am UTC Monday. According to the team, the attacker had swapped the stolen tokens for about 205 Ether (ETH), valued at approximately $600,000 at the time. The stolen ETH had yet to be moved from the attacker’s wallet.

The LiFi team also assured users that the bug had been identified and patched.

25 of the 29 wallets that were hit in the attack have been reimbursed from treasury funds for their losses. However, the 25 wallets that were reimbursed only accounted for $80,000, or 13% of the total value lost. The owners of the remaining four wallets have been contacted and offered a deal to compensate them by honoring their losses as angel investors in the protocol.