LiFi Protocol Infinite Approval Facet Swap Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


LiFi Protocol Logo/Homepage

LiFi Protocol is a decentralized swap/bridge aggregation service which assists with swapping one asset for another. After an initial failure in March 2022, the contract was redeployed with limited restrictions on the bridges which could be used, and multiple audits were performed. Unfortunately, a subsequent decision enabled a new swap facet whose swapping function allowed the asset-transfer call to be specified by the caller. Users who had granted infinite approvals for any assets were at risk of those assets being drained. $9.73m was drained in a series of rapid transactions. The contract was secured and efforts are still underway to trace and reimburse funds lost.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]

About LiFi Protocol

"Swap & Bridge Liquidity Across 20+ Chains" "Best price execution for any swap/bridge. One API to swap, bridge, and zap across all major blockchains and protocols. Enable trading across all DEX aggregators, bridges, and intent-systems and save hundreds of developer hours."

"Go to market faster. No integration and maintenance overhead. Benefit from risk mitigation, fail safety and seamless interoperability by a vast amount of underlying protocols (e.g. DEX aggregators & bridges), which LI.FI aggregates."

"Frequent audits, pentests and enterprise-grade security controls. We work intensively with the most trusted organizations in the space to create risk-assessment frameworks and risk-mitigation measures."

"It takes constant research, integration, monitoring and maintenance overhead. A unified data handling allows consistent analytics, debugging and customer support capabilities. You get all of that out of the box."

"Flexible fee structures allow the collection and distribution of fees amongst partners. Automatic fee conversions (depending on which currency the fees were taken in) are included."

"The two founders, Philipp and Max, have already been building companies together for 10 years. With a growing team of 40+ people, we’re obsessed with DeFi infrastructure and aggregating and optimizing the most important parts of it to accelerate the widespread adoption of crypto."

"LiFi has been audited twice by Spearbit, once in April 2023 and the other in October 2022. They were also audited by Quantstamp in May 2022 and were part of a Code4rena contest back in March 2022."

The Reality

"No word on the most recent contract facet being audited."

What Happened

"LiFi protocol lost $9.73M to an attack draining addresses that had previously approved infinite permissions to the protocol's contracts across multiple chains."

Key Event Timeline - LiFi Protocol Infinite Approval Facet Swap Exploit
Date | Event | Description
June 19th, 2024 1:21:59 AM MDT | First Fund Transfer | Funds are first transferred into the wallet which would be used for the exploit.
July 11th, 2024 4:10:23 AM MDT | New Contract Facet Added | A new smart contract facet was added to the LiFi protocol, which lacked the proper verification.
July 16th, 2024 6:04:47 AM MDT | Exploit Transactions Happening | The first smart contract involved in the exploit is created. In the same block, assets start being drained from accounts.
July 16th, 2024 6:06:35 AM MDT | Further Draining | More draining of wallets that gave approvals to the smart contract, including the transaction mentioned by @pcaversaccio.
July 16th, 2024 6:29:00 AM MDT | CertiK Alert Alarm | The CertiK team flags an alarm, reporting that $8.7m USD is involved in a series of suspicious transactions. Users are requested to revoke approvals to 0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaE. They are still investigating.
July 16th, 2024 7:41:00 AM MDT | LiFi Protocol Tweet | The LiFi protocol team tweets to request that users stop interacting with their products while they investigate a potential exploit. As far as they can tell, only users with infinite approvals are affected; however, all users can revoke permissions and are given the smart contract addresses to do so.
July 16th, 2024 9:44:00 AM MDT | Smart Contract Disabled | The LiFi protocol team tweets to notify that the particular facet which contained the exploit has been contained and disabled. They assure users that there is no further risk, and that only users who set infinite approvals were affected.
July 16th, 2024 10:29:00 AM MDT | Incident Contained Tweet | Jumper Exchange posts a new tweet to notify users that the protocol is now safe to use. It appears that they removed an original tweet warning users.
July 17th, 2024 4:23:00 AM MDT | Protocol Fully Operational | LiFi sends an update tweet to notify users that their protocol is now fully operational again. They are continuing efforts to trace and return funds.
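The timeline above turns on one question for each user: does my current ERC-20 approval to the affected contract still stand, and is it unbounded? The following is an added example, not code from the original page or from LiFi, showing how to answer that from raw Approval event logs in the shape a JSON-RPC node returns (topics plus data as hex strings). It keeps only the latest approval per owner and token, so a later revocation clears an earlier infinite approval. The spender address is the one the CertiK alert named; the token address, owner addresses, sample logs and the 2**128 "effectively unbounded" threshold are constructed assumptions.

```python
"""Flag owners whose latest ERC-20 Approval to a given spender is unbounded.

Added example, not from the original page or from LiFi. Decodes raw
Approval(address,address,uint256) event logs as returned by JSON-RPC
(topics + data, all hex strings) and keeps only the latest approval per
(owner, token), so a later revocation clears an earlier infinite approval.
"""

# keccak256("Approval(address,address,uint256)") and
# keccak256("Transfer(address,address,uint256)"): the standard ERC-20 topics
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
MAX_UINT256 = 2**256 - 1
# Heuristic (assumption): anything at or above 2**128 is treated as effectively
# infinite, since some front-ends approve 2**96-1 or similar rather than the max.
UNBOUNDED = 2**128

SPENDER = "0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaE"  # contract named in the CertiK alert


def pad_address(addr):
    """ABI-encode an address as a 32-byte topic (hex, lowercase)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def encode_uint(value):
    return "0x" + format(value, "064x")


def topic_to_address(topic):
    return "0x" + topic[-40:].lower()


# Constructed sample logs, in chain order (owner/token addresses are made up).
OWNER_A = "0x" + "a" * 40
OWNER_B = "0x" + "b" * 40
OWNER_C = "0x" + "c" * 40
TOKEN = "0x" + "1" * 40
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_A), pad_address(SPENDER)],
     "data": encode_uint(MAX_UINT256)},                 # infinite -> flagged
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_B), pad_address(SPENDER)],
     "data": encode_uint(500 * 10**6)},                 # bounded -> fine
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, pad_address(OWNER_B), pad_address(OWNER_C)],
     "data": encode_uint(10**6)},                       # not an Approval, ignored
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_C), pad_address(SPENDER)],
     "data": encode_uint(MAX_UINT256)},                 # infinite ...
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_C), pad_address(SPENDER)],
     "data": encode_uint(0)},                           # ... later revoked -> fine
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_A), pad_address("0x" + "9" * 40)],
     "data": encode_uint(MAX_UINT256)},                 # different spender, ignored
]


def latest_allowances(logs, spender):
    """Map (owner, token) -> most recent approved amount granted to `spender`."""
    spender = spender.lower()
    latest = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue  # wrong event, or an Approval with a non-standard indexing
        if topic_to_address(topics[2]) != spender:
            continue
        owner = topic_to_address(topics[1])
        latest[(owner, log["address"].lower())] = int(log["data"], 16)
    return latest


def unbounded_approvers(logs, spender, threshold=UNBOUNDED):
    """(owner, token) pairs whose current approval to `spender` is unbounded."""
    return sorted((owner, token) for (owner, token), amount
                  in latest_allowances(logs, spender).items() if amount >= threshold)


if __name__ == "__main__":
    for owner, token in unbounded_approvers(SAMPLE_LOGS, SPENDER):
        print(f"revoke: owner {owner} -> spender {SPENDER} on token {token}")
```

Against the constructed logs only OWNER_A is reported: OWNER_B's approval is bounded, and OWNER_C's infinite approval was overwritten by a later approval of zero. Against real data the same function would be run over the Approval logs fetched for each token the user holds, with the spender set to each contract address LiFi published.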

Technical Details

"As Nick L. Franklin pointed out, the attack was due to a lack of validation in the "swap" function of the new contract facet added to the protocol.

The vulnerable contract failed to properly check the call target and call data, allowing an exploiter to perform a "call injection" attack.

This enabled the attacker to execute arbitrary functions using the permissions granted to the LiFi contract.

Because of this, users who approved the contract for infinite approvals lost their tokens."
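The mechanism in the quoted explanation (an unchecked call target and calldata, executed with the permissions users granted to the router contract) is easiest to see in a small model. The following is an added illustration, not LiFi's code: a minimal ERC-20-style token, a facet whose swap forwards a caller-chosen target and function unchecked, and a hardened facet that forwards only (target, function) pairs registered at deployment. Every name in it (Token, VulnerableFacet, HardenedFacet, the 0x... labels, the "0xDEX"/"swap_exact" allowlist entry) is hypothetical, and `caller` stands in for msg.sender.

```python
"""Toy model of the call-injection pattern described above.

Added illustration, not LiFi's code. All contract and address names are
hypothetical; `caller` plays the role of msg.sender.
"""

MAX_UINT256 = 2**256 - 1  # the value behind an "infinite approval"


class Token:
    """Minimal ERC-20 subset: balances, approve, transferFrom."""

    def __init__(self, address, balances):
        self.address = address
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, caller, spender, amount):
        self.allowance[(caller, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # The allowance consulted is the one `owner` granted to *caller*,
        # i.e. to whichever contract is executing this call.
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # infinite approvals never shrink
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


class VulnerableFacet:
    """swap() forwards whatever target and function the caller supplies.
    The forwarded call runs with the facet's own address as msg.sender, so it
    can spend any allowance a user ever granted to the facet."""

    def __init__(self, address):
        self.address = address

    def swap(self, caller, target, selector, args):
        return getattr(target, selector)(self.address, *args)


class HardenedFacet(VulnerableFacet):
    """Same entry point, but only (target address, function) pairs registered
    at deployment may be forwarded. Token transfer functions are never listed,
    so the facet's allowances can only be spent through the intended DEX path."""

    def __init__(self, address, allowed_calls):
        super().__init__(address)
        self.allowed_calls = frozenset(allowed_calls)

    def swap(self, caller, target, selector, args):
        if (target.address, selector) not in self.allowed_calls:
            raise PermissionError(
                f"refusing unlisted call {target.address}.{selector}")
        return super().swap(caller, target, selector, args)


def run_scenario(hardened):
    """A user holds an infinite approval for the facet; an unrelated caller
    then asks the facet to forward transfer_from on the token.
    Returns (user balance afterwards, whether the facet refused the call)."""
    token = Token("0xTOKEN", {"0xUSER": 1000})
    facet = (HardenedFacet("0xFACET", {("0xDEX", "swap_exact")})
             if hardened else VulnerableFacet("0xFACET"))
    token.approve("0xUSER", facet.address, MAX_UINT256)  # the risky approval
    try:
        facet.swap("0xOTHER", token, "transfer_from", ("0xUSER", "0xOTHER", 1000))
        refused = False
    except PermissionError:
        refused = True
    return token.balances["0xUSER"], refused


if __name__ == "__main__":
    print("vulnerable facet:", run_scenario(hardened=False))  # (0, False)
    print("hardened facet:  ", run_scenario(hardened=True))   # (1000, True)
```

Two things in the model carry over to the real contracts. First, the facet's allowance is spent by whoever can make the facet execute transferFrom, so the validation has to live in the facet, not in the token. Second, the allowlist in HardenedFacet is keyed on both the target address and the function selector; checking the address alone would still let a listed token's own transferFrom be forwarded.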

Total Amount Lost

The total amount lost has been estimated at $9,730,000 USD.


Immediate Reactions

"Please do not interact with any http://LI.FI powered applications for now! We're investigating a potential exploit. If you did not set infinite approval, you are not at risk. Only users that have manually set infinite approvals seem to be affected."

Ultimate Outcome

"The protocol is fully operational again.

Bridging and swapping on most of our partner protocols have resumed."

Total Amount Recovered

The total amount recovered is unknown.


Ongoing Developments

"We continue to engage with law enforcement authorities and industry participants to trace and recover funds."

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - LiFi/Jumper - Rekt (Accessed Jul 17, 2024)
  2. LI.FI - Bridge & DEX Aggregation Protocol (Accessed Jul 17, 2024)
  3. @lifiprotocol Twitter (Accessed Jul 17, 2024)
  4. @lifiprotocol Twitter (Accessed Jul 17, 2024)
  5. @lifiprotocol Twitter (Accessed Jul 17, 2024)
  6. @JumperExchange Twitter (Accessed Jul 17, 2024)
  7. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jul 17, 2024)
  8. @0xNickLFranklin Twitter (Accessed Jul 17, 2024)
  9. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jul 17, 2024)
  10. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jul 17, 2024)
  11. @pcaversaccio Twitter (Accessed Jul 17, 2024)
  12. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jul 17, 2024)
  13. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jul 17, 2024)
  14. @JumperExchange Twitter (Accessed Jul 17, 2024)
  15. @CertiKAlert Twitter (Accessed Jul 17, 2024)