- ~$600K has been stolen from 29 wallets. 25/29 wallets have been reimbursed, and for the rest of the wallets the team wants to offer something special.
- The bug has been fixed, so users don't have to do anything.
LI.FI Protocol was attacked, and the attacker succeeded in stealing about $600,000 from 29 wallets. However, the protocol has completed the repair of the contract. The team has also contacted the hacker. Here is the link to the hacker's wallet. As of now, there has been no response from the hacker.
An attacker exploited the protocol's smart contract, targeting the swapping feature, which allows performing swaps before bridging. As soon as the team was notified of the exploit, they disabled all of the swap methods and started working on a fix.
Now it's time to explain the problem in more detail. The contract's internal `swap()` function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract `transferFrom()` out the funds of anyone who had approved the contract. Since the contract was designed to make multiple swaps in a single transaction, the attacker sent a single huge transaction with a wall of `transferFrom()` calls for the contract to send, each moving money from a user that had approved the contract to the attacker.
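The flaw described above, sketched in Solidity next to one common mitigation. This is an added example, not LI.FI's code or its actual fix: the names `SwapData`, `SwapExecutor`, `allowedTargets` and `blockedSelectors` are hypothetical, and the allowlist approach is an assumption about how this class of bug is usually closed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical types and names, for illustration only.
struct SwapData {
    address callTo;   // contract the router will call
    bytes callData;   // message forwarded to callTo
}

contract SwapExecutor {
    address public immutable owner;
    mapping(address => bool) public allowedTargets;   // vetted DEX contracts only
    mapping(bytes4 => bool) public blockedSelectors;  // defense in depth

    error TargetNotAllowed(address target);
    error SelectorBlocked(bytes4 selector);
    error SwapFailed();

    constructor() {
        owner = msg.sender;
        // Never forward a call that spends allowances granted to this contract.
        blockedSelectors[bytes4(keccak256("transferFrom(address,address,uint256)"))] = true;
    }

    function setTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTargets[target] = allowed;
    }

    // Vulnerable pattern from the text: the caller chooses both target and message,
    // so the contract can be pointed at a token and told to call transferFrom().
    //     (bool ok, ) = s.callTo.call(s.callData);

    // Hardened form: the target must be pre-approved and the selector must not be blocked.
    function _swap(SwapData calldata s) internal {
        if (!allowedTargets[s.callTo]) revert TargetNotAllowed(s.callTo);
        if (s.callData.length < 4) revert SwapFailed();
        bytes4 selector = bytes4(s.callData[:4]);
        if (blockedSelectors[selector]) revert SelectorBlocked(selector);
        (bool ok, ) = s.callTo.call(s.callData);
        if (!ok) revert SwapFailed();
    }

    // Multiple swaps in one transaction, each step checked individually.
    function swapMany(SwapData[] calldata steps) external {
        for (uint256 i = 0; i < steps.length; i++) _swap(steps[i]);
    }
}
```

The allowlist is the primary control; the selector block only covers the case where a token contract is added to the allowlist by mistake.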
The team has apologized to all its users for this exploit and taken full responsibility. In addition, the team has accepted that they neglected their duty to offer the highest security possible by not finishing an audit earlier. Users can now rest assured, as the audit is happening.