{"id":419228,"date":"2022-03-21T08:56:38","date_gmt":"2022-03-21T05:56:38","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/li-finance-protocol-loses-600000-in-latest-defi-exploit\/"},"modified":"2022-03-21T08:56:38","modified_gmt":"2022-03-21T05:56:38","slug":"li-finance-protocol-loses-600000-in-latest-defi-exploit","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/li-finance-protocol-loses-600000-in-latest-defi-exploit\/","title":{"rendered":"# Li Finance protocol loses $600,000 in latest DeFi exploit"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9D_Li_Finance_protocol_loses_600000_in_latest_DeFi_exploit_%E2%80%9C\"><\/span>&#8220;Li Finance protocol loses $600,000 in latest DeFi exploit&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div class=\"post-content\" data-v-128018ef><p>The Li Finance swap aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users\u2019 wallets.<\/p>\n<p>The exploit took place at 2:51 am UTC on March 20. The attacker was able to extract varying amounts of 10 different tokens from wallets that had given \u201cinfinite approval\u201d to the Li Finance protocol. 
Among the stolen tokens were USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT), and DAI (DAI).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">TLDR:<\/p>\n<p>\u2022 ~$600K have been stolen from 29 wallets<br \/>\u2022 Users don\u2019t have to do anything<br \/>\u2022 Bug has been fixed and is already deployed <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/fqOxJxDrZs\">https:\/\/t.co\/fqOxJxDrZs<\/a><\/p>\n<p>\u2014 LI.FI &#8211; Any-2-Any Swaps (@lifiprotocol) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/lifiprotocol\/status\/1505738407938387971?ref_src=twsrc%5Etfw\">March 21, 2022<\/a><\/p><\/blockquote>\n<p>When the team <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/lifiprotocol\/status\/1505545992183111681\">learned<\/a> about the exploit 12 hours later at 2:15 pm UTC, it shut down all swapping functions on the platform in order to prevent any further losses. <\/p>\n<p>By 2:50 am UTC on March 21, the team had issued a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/blog.li.finance\/20th-march-the-exploit-e9e1c5c03eb9\">post mortem<\/a> detailing the events of the exploit. The team said that the attacker swapped the stolen tokens for a total of about 205 Ether (ETH) valued at roughly $600,000. At the time of writing, the stolen ETH had yet to be moved from the attacker\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/etherscan.io\/address\/0x878099f08131a18fab6bb0b4cfc6b6dae54b177e#tokentxns\">wallet<\/a>. 
LiFi also assured users that the bug has been identified and patched.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Today\u2019s LiFi hack happened because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/NA3xW7ReUd\">pic.twitter.com\/NA3xW7ReUd<\/a><\/p>\n<p>\u2014 Daniel Von Fange (@danielvf) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/danielvf\/status\/1505689981385334784?ref_src=twsrc%5Etfw\">March 20, 2022<\/a><\/p><\/blockquote>\n<p>Of the 29 wallets that were hit in this attack, 25 have been reimbursed from treasury funds for their losses. Those 25 wallets only accounted for $80,000, or 13% of the total value lost. The owners of the remaining four wallets, which lost a combined $517,000, have been contacted and offered a deal that would compensate them by treating their losses as angel investments in the protocol. <\/p>\n<p>They would receive LiFi tokens under the same terms as other angel investors in an amount equal to their losses from each wallet. This would also help to mitigate the damage to the platform\u2019s treasury. 
<\/p>\n<p>The hacker was also <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0xa055c1e29bfb3a71e752e2ef8dc5bf348f59d97884bb704abbf88b557139f790\">contacted<\/a> and offered a bug bounty to return the funds.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2022-03\/9c9be7b0-c4f8-4e51-82cf-b6f75de54001.png\"><figcaption style=\"text-align: center;\">The Li Finance team reached out to offer a bug bounty to a hacker.<\/figcaption><\/figure>\n<p>The attack appears to have come at an unfortunate time. Li Finance CEO Philipp Zentner told Cointelegraph on March 21 that \u201cWe\u2019re literally a week away from our audit,\u201d adding that \u201cwe have multiple companies auditing us.\u201d<\/p>\n<p>However, even a thorough audit of the code may not have picked up this particular bug, according to \u201cTransmissions11,\u201d a researcher at crypto investment firm Paradigm. He explained in a March 21 <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/transmissions11\/status\/1505692467261173760\">tweet<\/a> that the error in Li Finance\u2019s code is easy to miss and \u201csubtle if you\u2019re not in the right mindset.\u201d<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2022-03\/0b5ac9a0-bef2-448a-8c35-62dedb31d816.PNG\"><\/figure>\n<p>This latest hack in the decentralized finance (DeFi) sector demonstrates how giving infinite approvals to smart contracts exposes a user\u2019s funds to greater risk. 
Infinite approvals allow users to swap coins at a decentralized exchange (DEX) an unlimited number of times without needing to approve any more transactions.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/li-finance-protocol-loses-600-000-in-latest-defi-exploit\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Li Finance protocol loses $600,000 in latest DeFi exploit&#8221; The Li Finance swap aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users\u2019 wallets. 
The exploit took place at 2:51 am UTC on March 20. The attacker was able to extract varying amounts of 10 different&#8230;<\/p>\n","protected":false},"author":1,"featured_media":419229,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDMvODY5MWUwODMtYzI3NC00YmJhLWI3OTMtNjRjODc0YzI5ZTk5LmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74868,75916,74882,72287],"class_list":["post-419228","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-defi","tag-dex","tag-hacks","tag-security"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/419228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=419228"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/419228\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/419229"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=419228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=419228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=419228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}