LI.FI loses estimated $9 million in exploit

Cross-chain blockchain protocol LI.FI has been exploited, the team said on the social media platform X. The team is investigating the possible hack, which appears to only affect users who manually set certain features.

"Please do not interact with any LI.FI powered applications for now," the LI.FI team wrote. "We're investigating a potential exploit. If you did not set infinite approval, you are not at risk."

“[W]e urge all users to immediately use our secluded revoke website,” LI.FI wrote, adding that “4 more security breaches have been identified.” 

Security firm Decurity said the “root cause” appears to be “an arbitrary call with user controlled data” to a gas contract deployed five days ago to pay blockchain fees on Ethereum ETH +1.23% .

“The hacker crafted special calldata with transferFrom() calls and passed it as swapData to depositToGasZipERC20 to steal approved tokens from the bridge,” Decurity researchers wrote on X. 

The attack appears to be a version of the “call injection” exploit that allows attackers to use parameters in the original code to execute legitimate, but unexpected transactions. This type of vulnerability reportedly caused hundreds of millions of dollars worth of crypto to be lost.

A wallet containing drained funds controls over $4 million in ETH and nearly $200,000 in DAI stablecoins, according to DeFi World data . However, that amount is likely an understatement, as USDT and USDC stablecoins also appear to be leaving the platform. Security firm Certik estimates the total losses at around $9 million.

Peckshield , another security firm, alleges a similar attack hit LI.FI in 2022.