Defi Protocol LI.FI Struck by $11M Exploit

• LI.FI spokesman confirms smart contract exploit that resulted in $11M hack.
• Project officials are engaging with law enforcement, advise customers against interacting with LI.FI-powered applications for now.
• LI.FI is a protocol that allows users to trade across various blockchains, venues and bridges.

Decentralized finance (DeFi) platform LI.FI protocol has been hit by a roughly $11 million exploit following a series of suspicious withdrawals, on-chain data shows.

"Please do not interact with any LI.FI powered applications for now." LI.FI wrote on X. "We're investigating a potential exploit. If you did not set infinite approval, you are not at risk."

LI.FI is a protocol that allows users to trade across various blockchains, venues and bridges. It suffered a bug with its swapping feature in 2022, resulting in a $600,000 loss, PeckShield described the recent bug as "basically the same."

Initially the amount was tallied at $8 million, but project officials now estimate the total damage from the hack to be about $11 million.

"A smart contract exploit earlier today has been contained and the affected smart contract facet disabled," according to a statement emailed by a spokesman for the project. "There is currently no further risk to users. The only wallets affected were set to infinite approvals, and represented only a very small number of users."

The statement went on: "We are engaging with appropriate law enforcement authorities and relevant third parties, including security teams from the industry, to trace funds. We will issue a more detailed post-mortem as soon as possible."

Crypto security firm Decurity said that the exploit involves the LI.FI bridge.

"The root cause is a possibility of an arbitrary call with user controlled data via `depositToGasZipERC20()` in GasZipFacet which was deployed 5 days ago," Decurity wrote on X .

A report by Immunefi in May revealed that $473 million worth of crypto was lost to hacks, exploits and rug pulls in the first half of 2024.

UPDATE (July 16, 13:48 UTC): Adds link to 2022 exploit that resulted in a $600,000 loss.

UPDATE (July 16, 19:41 UTC): Adds statement from spokesman including updating the size of the hack to $11 million from an earlier reported $8 million.