Key Takeaways
- Li.fi protocol exploit has drained nearly $10 million, affecting users with infinite approvals.
- Experts suspect a call injection attack, urging users to revoke approvals immediately.
Interoperability protocol Li.fi cautioned users not to interact with any applications using their infrastructure, as they are investigating a possible exploit underway. Only users that have manually set infinite approvals seem to be affected.
“Revoke all approvals for:
0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
0x341e94069f53234fE6DabeF707aD424830525715
0xDE1E598b81620773454588B85D6b5D4eEC32573e
0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68”
Please do not interact with any https://t.co/nlZEnqOyQz powered applications for now! We’re investigating a potential exploit. If you did not set infinite approval, you are not at risk.
Only users that have manually set infinite approvals seem to be affected.
Revoke all…
— LI.FI (@lifiprotocol) July 16, 2024
The first report of a possible exploit was given by the user identified on X as Sudo, who highlighted that nearly $10 million was drained from the protocol. Another X user identified as Wazz pointed out that Web3 wallet Rabby implemented Li.fi as its inbuilt bridge, warning users to check their permissions and revoke them. Notably, the Jumper Exchange is also a well-known application that uses Li.fi services.
Moreover, after blockchain security company CertiK shared the ongoing exploit on X, the user identified as Nick L. Franklin claimed that this is likely a “call injection” attack. In a call injection attack, a contract forwards a caller-supplied target address and calldata in an external call without validating either, so the caller can make the contract execute any function of their choosing with the contract's own privileges, which in this case include the token allowances users had granted to it.
“Oh, call injection! Long time no seen. “swap” function didn’t check call target and call data. Because of this, users who approved to 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae lost their tokens, revoke approval asap! Also, Lifi router set this implementation recently,” said Nick.
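As an added example (not code from the article, from LI.FI, or from any of the researchers quoted), the check a holder or wallet would run in response to the advisory: scan ERC-20 Approval event logs for allowances still outstanding to the four contracts named above, treating the newest Approval per token and spender as the current allowance so that a later revocation is honoured. The owner and token addresses in the sample logs are constructed.

```python
from typing import Dict, Iterable, List, Tuple
# keccak256("Approval(address,address,uint256)"): topics[0] of every ERC-20 Approval event.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the "infinite" allowance value wallets set on request

# The four spender addresses from LI.FI's advisory, lowercased: the advisory mixes
# lowercase and EIP-55 checksummed forms, and hex addresses compare case-insensitively.
FLAGGED_SPENDERS = {a.lower() for a in (
    "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae",
    "0x341e94069f53234fE6DabeF707aD424830525715",
    "0xDE1E598b81620773454588B85D6b5D4eEC32573e",
    "0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68",
)}

def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()  # indexed address = low 20 bytes of the 32-byte topic
def address_to_topic(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")

def open_allowances(logs: Iterable[dict], owner: str) -> List[Tuple[str, str, int, bool]]:
    """Return (token, spender, allowance, is_infinite) for each allowance `owner` still has
    outstanding to a flagged spender. Logs must be in chain order: the newest Approval per
    (token, spender) is the current allowance, so a later approve(spender, 0) cancels an
    earlier infinite approval instead of leaving a stale alert."""
    latest: Dict[Tuple[str, str], int] = {}
    for log in logs:
        topics = log["topics"]
        # ERC-20 Approval has exactly 3 topics; ERC-721 Approval(owner,approved,tokenId) has 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        spender = topic_to_address(topics[2])
        if spender in FLAGGED_SPENDERS:
            latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return [(token, spender, v, v == MAX_UINT256)
            for (token, spender), v in latest.items() if v > 0]

# Constructed sample (hypothetical owner and token addresses, not chain data): infinite
# approval on TOKEN_A, a finite one on TOKEN_B, then the TOKEN_A approval revoked to zero.
OWNER = "0x000000000000000000000000000000000000aaaa"
TOKEN_A, TOKEN_B = "0x00000000000000000000000000000000000000a1", "0x00000000000000000000000000000000000000b2"
def approval_log(token: str, spender: str, value: int) -> dict:
    topics = [APPROVAL_TOPIC, address_to_topic(OWNER), address_to_topic(spender)]
    return {"address": token, "topics": topics, "data": hex(value)}
SAMPLE_LOGS = [
    approval_log(TOKEN_A, "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae", MAX_UINT256),
    approval_log(TOKEN_B, "0x341e94069f53234fE6DabeF707aD424830525715", 500 * 10**6),
    approval_log(TOKEN_A, "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae", 0),
]
```

Only the finite allowance on TOKEN_B survives the scan, because the infinite one on TOKEN_A was revoked by the later zero-value Approval; anything the function returns is an allowance that still needs revoking.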
According to the blockchain security firm PeckShield, the same kind of hack was used against Li.fi on March 20, 2022. “Are we learning anything from the past lesson(s)?”, PeckShield stated.