QUICK BITE

• LI.FI Protocol hacked; $8 million in user funds stolen, including 1,715 ETH and various stablecoins.
• LI.FI confirms breach; urges users not to interact with its apps amid $8M exploit.

Decentralized finance (DeFi) platform LI.FI protocol has suffered an exploit leading to a series of suspicious withdrawals. Cyvers Alerts reports that over $8 million in user funds have been stolen, with stablecoins making up the bulk of the losses. The hacker’s wallet, according to on-chain data, contains 1,715 Ether (ETH) worth $5.8 million, along with USDC, USDT, and DAI stablecoins.

LI.FI confirmed the breach in a statement on July 16 via X.

“Please do not interact with any http://LI.FI powered applications for now! We’re investigating a potential exploit,” wrote LI.FI on X.  

The team clarified that users who did not configure infinite approval are not at risk, highlighting that only those who manually enabled infinite approvals appear to be affected.

LI.FI, a protocol enabling users to trade across multiple blockchains, venues, and bridges, experienced a bug in its swapping feature in 2022, leading to a $600,000 loss. According to PeckShield, the recent bug is “basically similar.”

Crypto security firm Decurity said that the exploit involves LI.FI bridge.

“The root cause is a possibility of an arbitrary call with user-controlled data via `depositToGasZipERC20()` in GasZipFacet which was deployed 5 days ago,” Decurity wrote on X.

According to a report by Immunefi published in May, the first half of 2024 saw losses of $473 million in cryptocurrency due to hacks, exploits, and rug pulls.