LI.FI protocol loses $10m in second hack due to same old bug

11d ago
Cross-chain trading protocol LI.FI has been hit by “a call injection attack,” security platform Beosin Alert reported on Tuesday. About $10 million in crypto assets, including 6.3M USDT, 3.2M USDC, and 169k DAI, have been stolen from the protocol.

LI.FI co-founder Philipp Zentner confirmed the incident on X (formerly Twitter), noting that only users who have manually set “infinite approvals” were affected. “Please do not interact with any LI.FI powered applications for now. We’re investigating a potential exploit,” Zentner wrote. 

LI.FI allegedly hacked via the same old bug

The vulnerability was traced to the “depositToGasZipERC20()” function of the LI.FI contract. According to Beosin’s analysis, the function can swap specified tokens for platform tokens and deposit them into the GasZip contract, but it does not restrict the call data passed to the call invocation, which allows the attacker to withdraw assets from users who have granted token approvals to the contract.
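The class of check that is missing in a call injection bug can be modelled off-chain. The following Python sketch is an added example, not LI.FI's code or its fix: it validates a user-supplied call target and call data against an allowlist before the call would be forwarded. The router and token addresses, the swap selector and the policy table are constructed placeholders; the three ERC-20 selectors are the standard ones.

```python
# Added illustration, not LI.FI code: a guard for user-supplied call data.
ERC20_SELECTORS = {
    bytes.fromhex("23b872dd"): "transferFrom(address,address,uint256)",
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
}

# Constructed placeholders (assumptions): one allowlisted swap router, one
# ERC-20 token, and a made-up selector standing in for the router's swap call.
ROUTER = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
SWAP_SELECTOR = bytes.fromhex("aabbccdd")
ALLOWED_CALLS = {ROUTER: {SWAP_SELECTOR}}  # target -> permitted selectors


def check_external_call(target, calldata, allowed=ALLOWED_CALLS):
    """Return (ok, reason) for a call the contract is asked to forward."""
    if len(calldata) < 4:
        return False, "calldata shorter than a 4-byte selector"
    selector = calldata[:4]
    # A contract that holds user approvals must never forward token-moving
    # calls chosen by the caller, whatever the target is.
    if selector in ERC20_SELECTORS:
        return False, "token-moving selector " + ERC20_SELECTORS[selector]
    selectors = allowed.get(target.lower())
    if selectors is None:
        return False, "target not on allowlist"
    if selector not in selectors:
        return False, "selector not allowed for target"
    return True, "ok"


def word(value):
    """ABI-encode an integer as one 32-byte big-endian word."""
    return value.to_bytes(32, "big")


# Constructed samples: a legitimate swap call, and call data of the shape
# the guard must reject (transferFrom with placeholder addresses 0xAA, 0xBB).
SWAP_CALL = SWAP_SELECTOR + word(1000)
INJECTED_CALL = bytes.fromhex("23b872dd") + word(0xAA) + word(0xBB) + word(2**256 - 1)

if __name__ == "__main__":
    for name, tgt, data in [("swap", ROUTER, SWAP_CALL),
                            ("injected", TOKEN, INJECTED_CALL)]:
        print(name, check_external_call(tgt, data))
```
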

Elsewhere, another security platform, PeckShield, reported that LI.FI was also exploited two years ago due to the same vulnerability. “While analyzing today’s LI.FI protocol hack, we noticed an earlier hack on the same protocol on March 20, 2022,” PeckShield posted on X. “The bug is basically the same.”

During the 2022 LI.FI protocol hack, about $600,000 in assets were drained from the protocol, with 29 wallets affected. The team said in a post-mortem report that the bug was fixed and that all the affected users were reimbursed.

At the time of writing, there have been no discussions about reimbursing users affected by the latest hack. However, LI.FI posted that it is investigating the exploit and advised users not to interact with any LI.FI powered application in the meantime.

The incident today comes a little over a year after LI.FI raised $17.5 million in a Series A funding round to enable DeFi users to trade across different blockchains, venues, and bridges. It claims to have facilitated over $10 billion in total transfer volume.