Protocol users suffered losses worth $600,000 as a result of the attack but have mostly been reimbursed since then.
Hacker Targets Swapping Feature
Barely a week after Deus Finance was exploited, Li Finance fell victim to a DeFi attack. According to a vulnerability post-mortem report released by the Li.Fi team, $600,000 worth of tokens were stolen from 29 wallets through a bug in Li.Fi's smart contract that the attacker exploited by targeting the swapping feature. Instead of performing swaps before bridging, the attacker was able to use the swap step to call token contracts directly. As a result, anyone who had given the contract infinite approval was vulnerable to the exploit. The tokens stolen were USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI, which the hacker exchanged for ETH and has been holding on to since then.
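The following is an added example, not code from Li.Fi or from the post-mortem: a simplified Python model of why a swap step that forwards a caller-chosen call to a caller-chosen target puts every wallet with a standing approval at risk, next to a form that only calls approved exchanges. The class names, the `alice`/`other` accounts and the allowlist are assumptions for illustration; the page does not describe what Li.Fi's actual fix was.

```python
# Added illustration: a simplified Python model, not Li.Fi's contract code.
MAX_UINT256 = 2**256 - 1  # value commonly used for an "infinite" approval

class Token:
    """Just enough ERC-20 to show approve / transferFrom semantics."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # The token checks only that the caller holds an allowance from owner.
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # many tokens leave a max allowance untouched
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Dex:
    """Stand-in (hypothetical) for an exchange the swap step is meant to call."""
    def swap_tokens(self, caller, amount):
        return amount

class Router:
    """Swap step that forwards a caller-chosen call to a caller-chosen target."""
    name = "router"
    def __init__(self, allowed_targets=None):
        self.allowed_targets = allowed_targets  # None models the unrestricted form

    def swap(self, target, method, *args):
        if self.allowed_targets is not None and target not in self.allowed_targets:
            raise PermissionError("call target is not an approved exchange")
        # The forwarded call runs with the router as the caller (msg.sender).
        return getattr(target, method)(self.name, *args)

def run(router, token, dex):
    """Return (intended swap worked, direct token call was rejected)."""
    worked = router.swap(dex, "swap_tokens", 100) == 100
    try:
        router.swap(token, "transfer_from", "alice", "other", 500)
        return worked, False
    except PermissionError:
        return worked, True
```

With a constructed `Token` in which `alice` has approved `"router"` for `MAX_UINT256`, `run(Router(), token, dex)` returns `(True, False)` and her balance moves, while `run(Router(allowed_targets=[dex]), token, dex)` returns `(True, True)` and her balance is unchanged.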
Li.Fi Issues Reimbursement, Fixes Bug
The announcement also clarified that upon being notified of the exploit, the swap function was immediately disabled. Soon after, the team developed a fix to prevent a repeat of the exploit, which was then communicated to the community. The team also announced that while 25 out of the 29 wallets affected have been reimbursed (for around $80K), the remaining four wallets will be specially rewarded. In order to maintain the Li.Fi treasury, the owners of these four wallets (whose losses amounted to around $517K) will be given an opportunity to turn the lost funds into an angel investment in the DeFi protocol. However, the team has left the final decision up to the wallet owners and has reached out to present this offer to them.
Taking Responsibility In The Aftermath
The team has been extremely transparent about the entire ordeal, even going as far as taking full responsibility for the exploit.
They said,
“We apologize to all parties affected by this exploit and take full responsibility for taking care of the reimbursements…By not finishing an audit earlier, we neglected our duty to offer the highest security possible. Our mission is to maximize UX, and now we have painfully learned that our security measures must drastically improve to follow this ethos.”
DeFi attacks are becoming more and more frequent. Less than a week ago, Deus Finance also fell to a flash loan attack by hackers who manipulated a price oracle and stole around $3 million worth of tokens. The funds were then funneled through the coin mixer tool Tornado Cash and then siphoned away by the hackers.
Source: https://cryptodaily.co.uk/2022/03/li-finance-hacked-in-latest-defi-attack