The cross-chain DeFi protocol Li.Fi has reported a significant security breach, resulting in the loss of approximately $11 million in cryptocurrencies. This updated loss figure comes after blockchain security firm CertiK initially estimated the damage at nearly $9 million. The hack, which primarily targeted Li.Fi users who had manually adjusted their account settings, has raised concerns about the vulnerabilities associated with cross-chain operations.
Details of the Hack and Immediate Responses
On Tuesday, CertiK revealed that a wallet suspected to be linked to the hack held close to $6 million in Ethereum (ETH), along with various stablecoins including USDC, USDT, and DAI. Following the breach, Li.Fi assured its users that the risk had been “contained” and the exploit addressed.
In an effort to mitigate further risks, Li.Fi has directed users to immediately use their specialized revoke website. This step is crucial for users to revoke any potentially compromised permissions. Additionally, the protocol has provided resources such as revoke.cash for permission revocation and scan.li.fi for users to check if their accounts have been compromised.
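
What the revocation step does on-chain, as an added example that is not Li.Fi's or revoke.cash's code: it finds approvals that are still open toward one spender contract and builds the `approve(spender, 0)` call that cancels them. It assumes the permissions in question are ERC-20 token allowances; every address and log in it is a constructed placeholder.

```python
# Added example; every address and log below is a constructed placeholder.
APPROVAL_TOPIC = (  # keccak256("Approval(address,address,uint256)")
    "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925")
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

OWNER, SPENDER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "01" * 20, "0x" + "02" * 20

def topic(addr):
    """Indexed address as a 32-byte log topic (left-padded with zeros)."""
    return "0x" + addr[2:].rjust(64, "0")

def approval(token, spender, amount, block):
    """Build one constructed ERC-20 Approval log emitted for OWNER."""
    return {"address": token, "blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, topic(OWNER), topic(spender)],
            "data": hex(amount)}

SAMPLE_LOGS = [
    approval(TOKEN_B, SPENDER, 0, 105),           # later revocation of token B
    approval(TOKEN_A, SPENDER, 2**256 - 1, 100),  # "unlimited" approval, never revoked
    approval(TOKEN_B, SPENDER, 500, 101),
    approval(TOKEN_A, OTHER, 1000, 106),          # different spender, ignored
]

def outstanding_allowances(logs, owner, spender):
    """Replay Approval logs in chain order; return {token: last approved amount > 0}.
    Spending via transferFrom may not emit Approval, so this is an upper bound;
    the token's allowance(owner, spender) view is authoritative."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = [x.lower() for x in log["topics"]]
        # ERC-20 Approval has exactly 3 topics (ERC-721 Approval has 4).
        if len(t) != 3 or t[0] != APPROVAL_TOPIC:
            continue
        if t[1] != topic(owner.lower()) or t[2] != topic(spender.lower()):
            continue
        latest[log["address"].lower()] = int(log["data"], 16)
    return {tok: amt for tok, amt in latest.items() if amt > 0}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), to be sent by the owner to the token."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

if __name__ == "__main__":
    for token in outstanding_allowances(SAMPLE_LOGS, OWNER, SPENDER):
        print(token, "->", revoke_calldata(SPENDER))
```
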
Technical Insights into the Exploit
According to crypto security firm Decurity, the likely cause of the breach was a vulnerability in the Li.Fi bridge, specifically through an arbitrary call that could be made with user-controlled data. This vulnerability was introduced via the depositToGasZipERC20() function in the GasZipFacet, which was deployed only five days prior to the exploit.
Historical Context and Previous Incidents
This is not the first time Li.Fi has faced security issues. In 2022, the protocol experienced a bug in its swapping feature that led to a loss of $600,000 in cryptocurrencies. A detailed post-mortem analysis shared by Li.Fi on Medium highlighted the ongoing challenges faced by DeFi protocols in maintaining robust security measures.
Implications for the DeFi Community
The recent exploit of Li.Fi underscores the critical importance of security in the rapidly evolving DeFi landscape, particularly in cross-chain functionalities. It also highlights the need for continuous vigilance and rapid response mechanisms to address vulnerabilities as they arise.
As the DeFi sector continues to expand, the lessons learned from incidents like the Li.Fi hack are vital for improving security frameworks and ensuring the safety of users’ investments in the blockchain ecosystem.