ID: li-finance-29

Date: March 20, 2022

Status: Verified

Incident Count: 1

REKT

Contributor: zerofriction.io

KYC By:

KYC: No

Audit By:

Audits: None

Loss Amount: 600,000

Recovered: -

Rewards:

Currency: USD, ETH

Key Indicators

Platform: Ethereum

Type: Protocol

Category: Dexes

Method: Contract Vulnerabilities

Data Sources:

Extended Method: Lack of whitelisting of calls, use of infinite approval

Days in Operation: 470 (1.29 Years)

Li Finance is the ultimate cross-chain liquidity aggregator, aggregating cross-chain liquidity networks (Connext, Hop, Thor, Anyswap...), connecting them to DEXes, calculating you the best cross-chain swaps.

On March 20th, 2022, an attacker exploited LI.FI’s smart contract, specifically our swapping feature which allows us to perform swaps before bridging. Instead of actually swapping, they were able to call token contracts directly in the context of our contract.

As a result of the exploit, anyone who gave infinite approval to our contract was vulnerable. As soon as the team had been notified of the exploit, we disabled all of the swap methods in our smart contract and started working on a fix to ensure they are safe to use and that something like this does not happen again.

The hack took advantage of our pre-bridge swap feature. Our smart contract allows a caller to pass an array of multiple swaps using any address with arbitrary calldata.

$600K have been stolen from 29 wallets. The bug has been fixed and is already deployed. 25/29 wallets have been reimbursed immediately — the rest we want to offer something special (alternatively normal reimbursement). The team has already reached out to them via Twitter and transactions.
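
The control named under Extended Method as missing (whitelisting of calls) can be modelled as a check run over the swap array before any step executes. This is an added example, not LI.FI's code or its deployed fix; the `SwapStep` fields, the allowlist contents and every address are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder addresses, not real contracts.
DEX_ROUTER = "0x" + "11" * 20
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20
ALLOWED_TARGETS = frozenset({DEX_ROUTER})  # assumed: approved DEX routers only

# Standard ERC-20 selectors that move or authorise funds; a swap step never needs them.
ERC20_SELECTORS = {
    "23b872dd": "transferFrom(address,address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}

@dataclass(frozen=True)
class SwapStep:  # hypothetical shape of one entry in the swap array
    call_to: str
    call_data: str
    from_token: str
    to_token: str

def check_step(step, allowed=ALLOWED_TARGETS):
    """Return the reasons to reject one step; an empty list means it passes."""
    reasons = []
    target = step.call_to.lower()
    data = step.call_data.lower()
    data = data[2:] if data.startswith("0x") else data
    if target not in {a.lower() for a in allowed}:
        reasons.append("call target is not on the allowlist")
    if target in (step.from_token.lower(), step.to_token.lower()):
        reasons.append("call target is one of the swapped token contracts")
    if len(data) < 8:
        reasons.append("calldata is shorter than a 4-byte selector")
    elif data[:8] in ERC20_SELECTORS:
        reasons.append("calldata invokes " + ERC20_SELECTORS[data[:8]])
    return reasons

def validate_swaps(steps, allowed=ALLOWED_TARGETS):
    """Fail closed: one bad step rejects the whole batch."""
    failures = {}
    for i, step in enumerate(steps):
        reasons = check_step(step, allowed)
        if reasons:
            failures[i] = reasons
    return (not failures, failures)

# Constructed samples: a router call with a made-up selector, and a direct token call.
GOOD = SwapStep(DEX_ROUTER, "0x12345678" + "00" * 64, TOKEN_A, TOKEN_B)
BAD = SwapStep(TOKEN_A, "0x23b872dd" + "00" * 96, TOKEN_A, TOKEN_B)
```

The target allowlist is the primary control; the selector and token-address checks are defence in depth in case an allowlisted address is later found to forward calls.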


DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. 

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.