
LiFi Protocol & Jumper Exchange: The $9.73M DeFi Breach Unveiled

LiFi Protocol & Jumper Exchange: Analyzing the $9.73M Cross-Chain DeFi Exploit and Lessons in Security Hygiene - Detailed Insights into Vulnerabilities, Protocol Upgrades, and the Risks of Infinite Approvals in Cryptocurrency Contracts

TL;DR

LiFi protocol suffered a $9.73M exploit due to a vulnerability in newly added contract functions, affecting multiple chains. Previous audits did not cover the latest contract facet. The incident highlights risks of infinite approvals in DeFi and underscores the need for rigorous security measures in protocol upgrades and user approvals.


Infinite Approvals: The Ultimate Leap of Faith Strikes Again

The LiFi protocol recently suffered a significant breach, losing $9.73 million to an attack targeting addresses that had previously granted infinite permissions to the protocol's contracts across multiple chains.

The breach was swiftly detected by security firm CertiK, and the LiFi team acknowledged the hack approximately an hour later.

Jumper Exchange, which leverages LiFi's services, alerted its users about the exploit but reported no impact on its platform so far.

Both LiFi and Jumper have urged users to verify whether their addresses were compromised and to revoke approvals via revoke.cash.

This incident is particularly alarming as it mirrors a similar exploit that hit LiFi in March 2022, which resulted in a loss of $600,000 from 29 wallets.

The recurrence of this vulnerability raises critical questions about why a known bug was once again present in a live protocol.


Five Days: A Repeat of History

On July 11th, the LiFi protocol integrated a new contract facet, which harbored a critical vulnerability.

This flaw, as highlighted by Nick L. Franklin, stemmed from the lack of proper validation in the "swap" function of the newly added contract facet.

The contract's failure to properly verify the call target and call data opened the door for an attacker to launch a "call injection" attack.

This allowed the execution of arbitrary functions with the permissions granted to the LiFi contract.

Consequently, users who had approved the contract for infinite approvals saw their tokens drained.

The LiFi router had recently implemented this vulnerable contract, leading to significant losses for its users.
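As an added illustration that is not part of the original post or of LiFi's code, the Python model below reduces the facet described above to its essentials: an ERC-20 with allowances, a swap entry point that forwards a caller-chosen target and function with the router as msg.sender, and the same entry point with the kind of DEX and selector whitelist the post later quotes LiFi as having added after the 2022 incident. Every name here (ROUTER, MockDex, swapExactTokens, the whitelists, the balances) is constructed; in the real contract the target is an address and the call data raw bytes, which a Python method dispatch stands in for. The `exposure` function reports how much a single untrusted call can move for a given approval size, so the two levers in this story, target validation and approval size, can be compared directly.

```python
"""Toy model of a call-injection-prone swap facet and its hardened form (constructed example)."""

MAX_UINT256 = 2**256 - 1          # what an "infinite" ERC-20 approval is in practice
ROUTER = "router_contract"        # hypothetical label for the router/diamond that holds user approvals
UNTRUSTED = "untrusted_caller"    # hypothetical label for whoever calls swap() with their own target


class ERC20:
    """Minimal ERC-20 model: balances plus (owner, spender) allowances."""

    def __init__(self, name: str):
        self.name = name
        self.balances: dict[str, int] = {}
        self.allowances: dict[tuple[str, str], int] = {}

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transferFrom(self, msg_sender: str, owner: str, to: str, amount: int) -> bool:
        # msg_sender must hold an allowance from owner; an unbounded allowance is never decremented,
        # which is why an infinite approval outlives every swap it was granted for.
        allowed = self.allowances.get((owner, msg_sender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError(f"{self.name}: insufficient allowance or balance")
        if allowed != MAX_UINT256:
            self.allowances[(owner, msg_sender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


class MockDex:
    """Stand-in for an approved DEX, the only kind of contract the facet should ever call into."""

    def swapExactTokens(self, msg_sender: str, amount_in: int) -> int:
        return amount_in * 99 // 100   # constructed 1% fee, just to return something checkable


class VulnerableSwapFacet:
    """Forwards whatever target and function the caller supplies, with the router as msg.sender."""

    def __init__(self, address: str):
        self.address = address

    def swap(self, call_to, selector: str, args: tuple):
        # Models `callTo.call(callData)` with no validation of callTo or callData.
        return getattr(call_to, selector)(self.address, *args)


class HardenedSwapFacet(VulnerableSwapFacet):
    """Same entry point, but the target must be a whitelisted DEX and the selector a whitelisted swap."""

    def __init__(self, address: str, dex_whitelist: set, selector_whitelist: set):
        super().__init__(address)
        self.dex_whitelist = dex_whitelist
        self.selector_whitelist = selector_whitelist

    def swap(self, call_to, selector: str, args: tuple):
        if call_to not in self.dex_whitelist:
            raise ValueError("call target is not a whitelisted DEX")
        if selector not in self.selector_whitelist:
            raise ValueError("function selector is not whitelisted")
        return super().swap(call_to, selector, args)


def exposure(approval: int, hardened: bool, balance: int = 1_000_000) -> tuple:
    """Return (tokens lost, outcome) when an untrusted caller points facet.swap at token.transferFrom.

    `approval` is what the victim granted the router: MAX_UINT256 models an infinite approval,
    a smaller number models an exact-amount approval. The most any such call can move is
    min(balance, allowance), so that is the amount attempted.
    """
    usdc = ERC20("USDC")                       # constructed token and balances
    usdc.balances["victim"] = balance
    usdc.approve("victim", ROUTER, approval)
    dex = MockDex()
    facet = (HardenedSwapFacet(ROUTER, {dex}, {"swapExactTokens"}) if hardened
             else VulnerableSwapFacet(ROUTER))
    # Legitimate use works through either facet: a swap against the approved DEX.
    if facet.swap(dex, "swapExactTokens", (1_000,)) != 990:
        raise RuntimeError("legitimate swap path broken")
    try:
        facet.swap(usdc, "transferFrom", ("victim", UNTRUSTED, min(balance, approval)))
    except (PermissionError, ValueError) as err:
        return balance - usdc.balances["victim"], str(err)
    return balance - usdc.balances["victim"], "transfer went through"


if __name__ == "__main__":
    print("vulnerable facet, infinite approval:", exposure(MAX_UINT256, hardened=False))
    print("vulnerable facet, exact approval:   ", exposure(1_000, hardened=False))
    print("hardened facet, infinite approval:  ", exposure(MAX_UINT256, hardened=True))
```

Two things the model makes visible. First, the loss with the unvalidated facet is bounded only by the approval, so an exact-amount approval turns a full-balance drain into a loss of whatever the last swap needed. Second, the whitelist is only as strong as its members: if any whitelisted contract itself forwards arbitrary calls, the check is bypassed through it, which is why a newly added facet or route that widens what the router can call (the situation the post describes for both LiFi and Socket) deserves the same review as the original contract.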

The affected contract addresses span multiple chains, including:

The stolen funds, including USDT, USDC, and DAI, totaled approximately $9.73 million and were subsequently converted into 2,857 ETH.

These assets have been dispersed across several wallets under the control of the attacker.

As demonstrated by the $3.3 million Socket protocol hack on January 16th, cross-chain bridges and aggregators remain prime targets for cybercriminals.

Does this sound familiar?

The attacker focused on wallets that had given infinite approvals to Socket contracts, exploiting a newly added route to their bridging contract.

Peckshield's analysis of the hack revealed a direct parallel to the previous attack on LiFi:

In the aftermath of the previous exploit, LiFi stated, "We then implemented a whitelist to only allow calls to approved DEXs. Our contract was upgraded to include this new whitelist functionality, and swaps were reenabled. On top of that, we have disabled infinite approvals by default."

LiFi has undergone multiple audits: twice by Spearbit (October 2022 and April 2023), once by Quantstamp in May 2022, and a Code4rena contest in March 2022.

There is no information on whether the most recent contract facet was audited.

This oversight underscores a recurring issue in DeFi: yesterday's patch can become tomorrow's exploit.

With millions at risk, how many more "infinite approvals" will it take before users stop taking such risks with their assets?


Infinite Approvals: The Gift that Keeps on Grifting

Despite LiFi's claim that only a very small number of users had set their wallets to infinite approvals, the significant loss indicates a broader issue.

It's difficult to imagine such widespread vulnerability if infinite approvals weren't a common practice.

With nearly $10 million stolen, this incident has been a costly lesson in the importance of approval hygiene for many users.

Without regularly revoking permissions using tools like revoke.cash, approved tokens remain exposed through every contract that still holds an allowance, whether the project behind it is active or long forgotten.

Yet, all of this could have been prevented by avoiding risky, unaudited upgrades to existing protocol contracts.

Infinite approvals for upgradeable contracts should be accompanied by warnings in every wallet interface.

Perhaps it's time to reconsider the use of "infinite" permissions.

Have you reviewed your approvals recently?