Following the $11.6 million exploit of the Li.Fi protocol, an API used to bridge and swap digital assets across blockchains, the Li.Fi team released an update outlining the technical details of the breach.

According to the security update, the deployment of a new smart contract facet was ground zero for the malicious attack. A vulnerability in the code allowed users calling the smart contract to initiate calls to any contract without prior validation.

This function is a result of code taken from the LibSwap library, used to facilitate calls between decentralized exchanges, service providers, and clients to coordinate the asset bridging and swapping processes.

Normally, these calls are screened against whitelisted addresses to ensure validation. However, Li.Fi explained that human error in deploying the offending smart contract facet was the root cause of the vulnerability exploited by the malicious actor.

The Li.Fi team confirmed the attack occurred on the Ethereum and Arbitrum networks and affected 156 wallets with the “infinite approvals” option turned on. Users without this option turned on were not affected by the exploit.

Source: Li.Fi protocol

In statements to Cointelegraph, spokespeople for Li.Fi said they contained the exploit, addressed the critical vulnerability, and contacted the proper law enforcement authorities to trace stolen funds. At the time of this writing, the issue has been fixed, and Li.Fi is operating normally.

Not the first time

In March 2022, Li.Fi was hit by a similar exploit affecting users with the “infinite approval” option turned on. The hackers drained $600,000 from the protocol from 29 wallets before the vulnerability was addressed.

The protocol was quick to reimburse investors for their losses, refunding 24 wallets directly from its treasury and offering the remaining five wallets a voluntary compensation plan akin to that received by early angel investors of Li.Fi.

Crypto hacks put the damper on the industry in 2024

Unfortunately, hacks and exploits continue to plague the crypto industry and the decentralized financial sector, in particular.

A chart comparing 2022-2024 losses from crypto hacks. Source: TRM.

According to a recent report from security firm Cyvers, 2024 losses from crypto exploits are nearing $1.4 billion, driven primarily by phishing attacks, and have risen sharply since 2023.