LiFi Finance Hack — July 16, 2024
Incident Overview
On July 16, 2024, the DeFi protocol LI.FI was hit by a roughly $11 million exploit following a series of suspicious withdrawals. The total amount stolen is estimated to be around $11.6 million (initial reports cited $9.7M).
Root Cause Analysis
The root cause is the possibility of an arbitrary call with user-controlled data via depositToGasZipERC20() in GasZipFacet, which had been deployed 5 days earlier. The function depositToGasZipERC20 in GasZipFacet.sol allowed _swapData to be passed directly to LibSwap.swap, which includes a low-level call that can execute arbitrary functions. The vulnerability arose from an oversight during the deployment of the new smart contract facet: callers were able to make arbitrary calls to any contract without validation. While other facets of the LI.FI contract validated the target against a whitelist of approved contract addresses and function selectors, this critical step was missing in the new facet due to human error.
Attack Details
A vulnerability in this facet allowed the attacker to gain unauthorized access to user self-custodial wallets that had set infinite token approval for the LI.FI contract. The breach impacted 153 wallets across the Ethereum and Arbitrum blockchains, draining assets including USDC, USDT, and DAI.
Post-Mortem Findings
The incident was caused by an individual human error in overseeing the deployment process. LI.FI had a whitelist of contracts and a whitelist of function selectors, but these validations lived in the Helpers folder in the SwapperV2 contract and were missing from the LibSwap library. The developers imported the wrong contract during development, and the missing audit of the new facet led to the hack.
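The pattern described in the root cause and post-mortem sections, shown side by side as an added illustration that is not LI.FI's code: a facet that hands caller-supplied swap data straight to a library performing a low-level call, next to the same facet with the contract and selector whitelist checks applied before the call. The struct, library and contract names (SwapData, ExampleLibSwap, ExampleSwapFacet, approvedContracts, approvedSelectors) are assumed for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative example, not LI.FI's code. All names below are assumed.
struct SwapData {
    address callTo;     // contract that receives the low-level call
    address approveTo;
    address sendingAssetId;
    address receivingAssetId;
    uint256 fromAmount;
    bytes callData;     // fully caller-controlled
}

library ExampleLibSwap {
    // Performs the swap as a low-level call with the caller's data.
    // Nothing here restricts callTo or callData; the caller must validate.
    function swap(SwapData memory s) internal {
        (bool ok, ) = s.callTo.call(s.callData);
        require(ok, "swap call failed");
    }
}

contract ExampleSwapFacet {
    // Whitelists of approved DEX contracts and function selectors.
    mapping(address => bool) public approvedContracts;
    mapping(bytes4 => bool) public approvedSelectors;

    // Vulnerable pattern: _swapData is passed straight to the library, so any
    // contract and any function can be called with this facet's authority.
    function depositUnchecked(SwapData[] calldata _swapData) external {
        for (uint256 i; i < _swapData.length; ++i) {
            ExampleLibSwap.swap(_swapData[i]);
        }
    }

    // Hardened pattern: every target contract and selector must be whitelisted
    // before the library is allowed to make the call.
    function depositChecked(SwapData[] calldata _swapData) external {
        for (uint256 i; i < _swapData.length; ++i) {
            SwapData calldata s = _swapData[i];
            require(s.callData.length >= 4, "missing selector");
            require(approvedContracts[s.callTo], "contract not whitelisted");
            require(approvedSelectors[bytes4(s.callData[:4])], "selector not whitelisted");
            ExampleLibSwap.swap(s);
        }
    }
}
```

The check belongs in every entry point that reaches the low-level call; placing it only in a sibling helper, as the post-mortem describes, leaves any new facet that imports the library directly without protection.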
Notably, LI.FI suffered a bug with its swapping feature in 2022, resulting in a $600,000 loss, and PeckShield described the recent bug as "basically the same".
Sources
• https://quillaudits.medium.com/same-mistake-twice-decoding-lifi-protocols-9-7m-exploit-78835e166d23