Decentralized exchange (DEX) aggregator Li.Finance experienced an exploit on its smart contract that compromised its swapping-before-bridging functionality.
The attacker did not manage to perform swaps but did enable token contracts to be called in the context of the LI.FI smart contract, exposing those who gave infinite approval to the LI.FI smart contract.
The exploit occurred at 02:51 AM UTC. Approximately $600K (205 ETH) was stolen from 29 wallets, in tokens including USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI.
The tokens were taken from users’ wallets based on which token contracts they had given approval for, and were later converted to ETH.
The tokens remain in the hacker’s wallet, with LI.FI reaching out to discuss the return of user funds and a potential bounty.
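An added example (not from LI.FI or the original article): the exposure described above depends on standing unlimited approvals, so this Python sketch replays ERC-20 `Approval` event logs to list wallets whose last approval to a given spender contract is still the maximum value. All addresses and log entries are constructed placeholders, and logs are assumed to be `eth_getLogs`-style records with `blockNumber` and `logIndex` already decoded to integers.

```python
# ERC-20 event: Approval(address indexed owner, address indexed spender, uint256 value)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the "infinite approval" value

def topic_to_address(topic):  # indexed address = low 20 bytes of the 32-byte topic
    return "0x" + topic[-40:].lower()

def standing_approvals(logs, spender):
    """Replay Approval logs in chain order; return {(token, owner): value} for
    non-zero approvals to `spender`. Spending via transferFrom is not tracked."""
    spender, state = spender.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        if topic_to_address(topics[2]) != spender:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        value = int(log["data"], 16)
        if value == 0:
            state.pop(key, None)  # approval revoked
        else:
            state[key] = value
    return state

def unlimited(state):
    return sorted(k for k, v in state.items() if v == MAX_UINT256)

# Constructed placeholder addresses and logs (not real contracts or wallets).
SPENDER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c0" * 20

def make_log(block, index, token, owner, spender, value):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    make_log(105, 0, TOKEN_A, BOB, SPENDER, 0),            # Bob revokes later
    make_log(100, 0, TOKEN_A, ALICE, SPENDER, MAX_UINT256),
    make_log(101, 2, TOKEN_A, BOB, SPENDER, MAX_UINT256),
    make_log(102, 1, TOKEN_B, CAROL, SPENDER, 500),        # bounded approval
    make_log(103, 0, TOKEN_B, ALICE, OTHER, MAX_UINT256),  # different spender
]

if __name__ == "__main__":
    for token, owner in unlimited(standing_approvals(SAMPLE_LOGS, SPENDER)):
        print(f"unlimited approval: owner={owner} token={token}")
```

Because the replay only sees `Approval` events, treat the output as a candidate list and confirm each entry against the token's `allowance(owner, spender)` view before acting on it.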
LI.FI reimburses affected users
LI.FI fixed the weakness in their smart contract and compensated the majority of affected users within 18 hours. They also disabled infinite token approvals by default. Twenty-five out of 29 wallets were reimbursed $80K, while the remaining wallets could not be reimbursed directly without LI.FI experiencing serious financial repercussions.
“In order to reduce our treasury damage, we are offering to transform the lost funds into an angel investment into LI.FI and thus, future LI.FI tokens under the same terms as our investors in the current funding,” they said in a post-mortem blog post.
Affected users are not compelled to agree to this, and should they reject the offer, they will be reimbursed.
What is LI.FI?
LI.FI is a DEX aggregator that is a middle layer between DeFi infrastructure and the application layer. The DEX aggregator is like a search engine of sorts.
Typically, liquidity providers contribute coins to a liquidity pool in a decentralized exchange. Users can swap tokens, for example, ETH for Basic Attention Token, where the price of Basic Attention Token is set by the volume in the pool. The greater the volume, the lower the price in ETH to buy BAT.
A DEX aggregator collects data from a wide array of decentralized exchanges to facilitate “split trades,” offering users the best possible prices for swaps by performing complicated calculations on their behalf. As liquidity varies from one DEX to another, the price of tokens will vary.
LI.FI said in conclusion, “As builders in the space, it is our responsibility to ensure that users’ funds are safe above else. Our users can rest assured that the audit is happening and LI.FI is safe to use.”