LiFi Protocol Infinite Approval Swap Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

LiFi Protocol Logo/Homepage

LiFi Protocol is a decentralized swap/bridge aggregation service which assists with swapping assets from one asset to another. The contract was deployed without a restriction on the bridges which could be used, which allowed smart contracts that transfered assets to be specified in the swapping function. Users who had granted infinite approvals for any assets were at risk for those assets being drained. $570k was drained from 29 different accounts in a single transaction. The amounts were ultimately reimbursed by the protocol. It doesn't appear that the individual responsible for the attack returned any funds or was ever apprehended.[1][2][3][4][5][6][7]

About LiFi Protocol

"Swap & Bridge Liquidity Across 20+ Chains" "Best price execution for any swap/bridge. One API to swap, bridge, and zap across all major blockchains and protocols. Enable trading across all DEX aggregators, bridges, and intent-systems and save hundreds of developer hours."

"Go to market faster. No integration and maintenance overhead. Benefit from risk mitigation, fail safety and neatless interoperability by a vast amount of underlying protocols (e.g. DEX aggregators & bridges), which LI.FI aggregates."

"Frequent audits, pentests and enterprise-grade security controls. We work intensively with the most trusted organizations in the space to create risk-assessment frameworks and risk-mitigation measures."

"It takes constant research, integration, monitoring and maintenance overhead. A unified data handling allows consistent analytics, debugging and customer support capabilities. You get all of that out of the box."

"Flexible fee structures allow the collection and distribution of fees amongst partners. Automatic fee conversions (depending on which currency the fees were taken in) are included."

"The two founders, Philipp and Max, have already been building companies together for 10 years. With a growing team of 40+ people, we’re obsessed with DeFi infrastructure and aggregating and optimizing the most important parts of it to accelerate the widespread adoption of crypto."

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"On March 20th, 2022, an attacker exploited LI.FI’s smart contract, specifically our swapping feature which allows us to perform swaps before bridging. Instead of actually swapping, they were able to call token contracts directly in the context of our contract."

Key Event Timeline - LiFi Protocol Infinite Approval Swap Exploit
Date Event Description
March 19th, 2022 8:51:00 PM MDT Exploit Transaction The transaction which exploits the smart contract.
March 20th, 2022 8:05:00 AM MDT Swapping Lock Tweet The LiFi protocol announces that they have now locked down all swap methods until they can be verified as safe to use.
March 20th, 2022 9:39:42 AM MDT Exploiter Reach Out The LiFi team reaches out to the exploiter, offering anonymity and a potential bounty for their cooperation.
March 20th, 2022 5:42:00 PM MDT All Users Reimbursed An update from LiFi team indicates that all 29 affected users have been fully reimbursed.
March 20th, 2022 8:49:00 PM MDT PostMortem Released The LiFi team releases a post-mortem with more details about the exploit.

Technical Details

"The hack took advantage of our pre-bridge swap feature. Our smart contract allows a caller to pass an array of multiple swaps using any address with arbitrary calldata.

This design gave us maximum flexibility in what DEXs we could call and what methods we could call. This also allowed anyone to call other contracts, not just DEXs. Our contract checks to make sure that the result of the swap or swaps is enough tokens to continue the bridging operation.

The attacker started by passing a legitimate swap of a small amount followed by multiple calls directly to various token contracts. Specifically, they called the `transferFrom` method which allowed the attacker to transfer funds from users’ wallets that had previously given infinite approval to our contract for that specific token."

Total Amount Lost

"The exploit was done in one transaction, done at 02:51 AM +UTC, through which the attacker managed to steal around $600k (current value $587,500 or 205 ETH) from 29 wallets. The attacker took various tokens from users’ wallets, based on which token contracts users had given infinite approvals. The tokens in question were USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI."

The total amount lost has been estimated at $570,000 USD.

Immediate Reactions

"As a result of the exploit, anyone who gave infinite approval to our contract was vulnerable. As soon as the team had been notified of the exploit, we disabled all of the swap methods in our smart contract and started working on a fix to ensure they are safe to use and that something like this does not happen again.

Aside from that, we have promptly alerted the community of the exploit via Twitter and informed our partners and investors. We thank everyone for their support."

Ultimate Outcome

"This exploit has provided another example of why security must be of utmost importance. As builders in the space, it is our responsibility to ensure that users’ funds are safe above else. Our users can rest assured that the audit is happening and LI.FI is safe to use. Going through this experience, we have also been given an opportunity to drive more attention to the security risks still faced in the space. Our research team will focus even more on the security aspects to make LI.FI the most secure and reliable tool for cross-chain interoperability."

"After the exploit, the attacker swapped all of the tokens into ETH, and since then, they are still in the hacker’s wallet."

"LI.FI exploiter, We appreciate you pointing out the vulnerability in our contracts. We would like to discuss returning user funds and a potential bounty: tech@li.finance"

Total Amount Recovered

The total amount recovered has been estimated at $570,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - LiFi/Jumper - Rekt (Accessed Jul 17, 2024)
  2. LI.FI Smart Contract Vulnerability Post Mortem | by Zord4n | LI.FI Blog (Accessed Jul 17, 2024)
  3. LI.FI - Bridge & DEX Aggregation Protocol (Accessed Jul 17, 2024)
  4. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jul 17, 2024)
  5. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jul 17, 2024)
  6. @lifiprotocol Twitter (Accessed Jul 17, 2024)
  7. @lifiprotocol Twitter (Accessed Jul 17, 2024)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=LiFi_Protocol_Infinite_Approval_Swap_Exploit&oldid=6147"