Li Finance swap aggregator has experienced a smart contract exploit, lost $600,000
Li Finance is the latest victim of smart contract mining, which resulted in the loss of $600,000 from the wallets of 29 users.
Users of the Li Finance (LiFi) protocol have suffered losses amounting to approximately $600,000
The mining took place at 09:51 am on March 20, 2022. The attacker extracted quantities of 10 different tokens from wallets that allow “infinite acceptance” to the Li Finance protocol. Among the stolen tokens are USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT), and DAI (DAI).
• 25/29 wallets have been reimbursed immediately — the rest we want to offer something special (alternatively normal reimbursement) and reached out via Twitter & transactions
• We contacted the hacker pic.twitter.com/mKFdQkGBUR— LI.FI – Any-2-Any Swaps (🦎,🦎) (@lifiprotocol) March 21, 2022
When the matter reached the team (around 21:15 on March 20, 2022), they closed all platform swap functions to prevent further losses. Then, at 09:50 am this morning, the team investigated the events involved in detail. They found the attacker had exchanged the stolen tokens for 205 Ether (ETH), totaling around $600,000. At the time of writing, the stolen ETH has not yet been moved from the attacker’s wallet. LiFi also assures users that the bug has been identified and patched is complete.
Of the 29 hacked wallets, 25 were refunded from the treasury for the losses. Those 25 wallets represent just $80,000, or 13% of the total loss value. The owners of the remaining four wallets, who have lost 517,000 USD, have been contacted and offered a settlement agreement that they will be treated as angel investors in the protocol. Specifically, they will receive LiFi tokens on the same terms as other angel investors with an amount equal to their loss. This helps to minimize damage to the platform’s treasury.
Since the contract was designed to make multiple swaps in a single transaction, the attacker sent a single huge transaction with a wall of transferFrom’s for the contract to send, each moving money from a user that had approved the contract, to the attacker: pic.twitter.com/KHl6McD8x8
— Daniel Von Fange (@danielvf) March 20, 2022
The hackers have also been contacted and offered a bounty to ask them to return the money.
Read more:
- Collectors Of Rare Bears Have Lost Around $790,000 Worth Of NFTs And Other Crypto In A Phishing Attack
- Hundred Finance Suffered The Attack On March 16, Losing 2363 ETH, HND Price Drops Immediately