Cross-chain bridge protocol LI.FI hacked for $12 million, Parity: Same vulnerability exploited two years ago


A few days ago, news broke that the cross-chain bridge protocol LI.FI fell victim to an exploit, resulting in losses of nearly $12 million. Yesterday, the team released a security incident report, promising full compensation for the affected parties. However, it was discovered that a similar vulnerability had led to $600,000 in losses for users two years ago.

LI.FI Cross-Chain Bridge Hacked for $11.6 Million

The blockchain security team SlowMist reported on Tuesday that they detected a vulnerability in LI.FI that led to over $10 million being drained within an hour, urging users to immediately revoke contract authorizations.

At the time, LI.FI asked users via X to stop interacting with LI.FI-related applications, emphasizing that only a few wallets were affected.

The report stated that a total of 153 wallets related to LI.FI lost $11.6 million in USDC, USDT, DAI stablecoins, and other cryptocurrencies during the attack, attributing the responsibility to "team human error during smart contract updates."

The team also stated that they immediately activated a security incident response plan:

Upon detecting the security vulnerability, our team promptly disabled all vulnerable contracts on the chain, mitigating the threat and preventing further unauthorized access.


PeckShield: Attacked by the Same Vulnerability Two Years Ago, Have They Learned Their Lesson?

It is reported that the vulnerability originated in newly deployed smart contracts: human negligence in the transaction verification process allowed attackers to gain unauthorized read access to user wallets within minutes of the new contract being deployed.

The report mentioned that LI.FI users bridge funds through the LibSwap library, which forwards calls to multiple decentralized exchanges (DEX) and other DeFi protocols and is supposed to verify that the contract addresses and functions being called are on the approved list.

However, due to "human supervision negligence" during the deployment of the new contract, this verification step was missing.
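A sketch of the kind of check that was missing, added here as an illustration and not LI.FI's or LibSwap's code: the contract name, the owner-managed allowlist keyed by target address and function selector, and the external swap target are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical facade that forwards user-supplied calldata to an external
/// swap contract. swapUnchecked shows the failure mode described in the text;
/// swapChecked adds the allowlist check on (target address, function selector).
contract AllowlistedCallExample {
    address public immutable owner;

    // Approved (target, 4-byte selector) pairs: target => selector => allowed
    mapping(address => mapping(bytes4 => bool)) public approved;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Only the operator may extend the allowlist; this is the step that
    /// must be verified as part of every deployment.
    function setApproved(address target, bytes4 selector, bool ok) external onlyOwner {
        approved[target][selector] = ok;
    }

    /// Weak version: any target, any calldata. Every call runs with this
    /// contract as msg.sender, so whatever permissions users granted to this
    /// contract are exposed to an arbitrary caller.
    function swapUnchecked(address target, bytes calldata data) external {
        (bool success, ) = target.call(data);
        require(success, "call failed");
    }

    /// Hardened version: reject any target/function pair not explicitly approved.
    function swapChecked(address target, bytes calldata data) external {
        require(data.length >= 4, "bad calldata");
        bytes4 selector = bytes4(data[:4]);
        require(approved[target][selector], "target/function not approved");
        (bool success, ) = target.call(data);
        require(success, "call failed");
    }
}
```

The point of the hardened form is that adding a new target or function is an explicit, reviewable owner action rather than something a deployment can silently omit.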

The cybersecurity company PeckShield pointed out that LI.FI seems to have suffered a similar attack back in 2022, resulting in a $600,000 loss, and now history repeats itself.

Team Urges Victims to Fill Out Forms and Actively Retrieve Funds

In the aftermath, LI.FI emphasized that they are working with law enforcement agencies and web3 security companies to monitor and recover the stolen funds:

Our top priority is to restore user funds and we are also evaluating plans for full compensation to affected users.

The team also urged victims of this incident to fill out the linked form to confirm compensation arrangements.