Swap aggregator Li Finance has disclosed a smart contract exploit that resulted in the loss of about $600,000 from 29 users' wallets.
The exploit took place at 02:51 UTC on Sunday. The attacker was able to extract varying amounts of 10 different tokens from wallets that had granted "infinite approval" to the Li Finance protocol. The stolen tokens were USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT) and DAI (DAI).
When the team became aware of the exploit 12 hours later, at 14:15 UTC, it disabled all swap functions on the platform to prevent further losses.
At 05:50 UTC on Monday, the team published a post-mortem describing the incident and the vulnerability behind it. According to the report, the attacker swapped the stolen tokens for a total of approximately 205 Ether (ETH), worth around $600,000. At the time of writing, the stolen ETH had not been moved out of the attacker's wallet. LiFi also assured users that the bug has been identified and fixed.
Of the 29 wallets affected by the attack, 25 have been compensated by Li Finance for their losses. Those 25 wallets account for only $80,000, or 13% of the total value lost. The owners of the remaining four wallets, who lost a combined $517,000, were contacted and offered a deal to recoup their losses by becoming angel investors in the protocol.
They will receive LiFi tokens on the same terms as the other angel investors, in an amount equal to the loss from each wallet. This should also help limit the impact on the platform's treasury.
The Li Finance team also contacted the hacker and offered a bug bounty in exchange for returning the funds.
The attack appears to have come at an unfortunate time. "We're literally a week away from our audit," Li Finance CEO Philipp Zentner told Cointelegraph on Monday, adding: "We have several companies doing our audits."
According to Transmissions11, a researcher at crypto investment firm Paradigm, even a thorough review of the code might not have uncovered this particular bug. In a tweet on Monday, he explained that the bug in Li Finance's code was easy to miss and is "accurate if you don't have the right mindset."
This latest exploit in the decentralized finance sector shows how infinite token approvals granted to smart contracts expose user funds to additional risk. An infinite approval lets a user swap tokens through a decentralized exchange an unlimited number of times without having to approve each subsequent transaction.
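As an added illustration that is not Li Finance's code, the following toy model of ERC-20 allowance semantics shows why an infinite approval puts a wallet's entire token balance at the mercy of the approved spender contract, while a capped approval bounds the worst case to the cap. The `Token` class, the account names and the amounts are constructed for this example.

```python
# Toy model of ERC-20 allowance semantics, constructed for illustration only.
# An "infinite" approval lets the approved spender contract move the owner's
# whole balance; a capped approval bounds the worst case to the allowance.

MAX_UINT256 = 2**256 - 1  # the value wallets send for an "infinite" approval

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        # Called by the spender (e.g. a swap contract) on the owner's behalf.
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        # As in many ERC-20 implementations, an infinite allowance is never decremented.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def max_pullable(token, spender, owner, sink):
    """Worst case if the spender misbehaves: move everything the allowance and
    balance permit. Returns the amount taken out of the owner's wallet."""
    amount = min(token.allowance(owner, spender), token.balances.get(owner, 0))
    if amount:
        token.transfer_from(spender, owner, sink, amount)
    return amount

def exposure(balance, approval):
    """Funds at risk for a wallet holding `balance` that granted `approval`."""
    t = Token({"alice": balance})
    t.approve("alice", "swap", approval)
    return max_pullable(t, "swap", "alice", "sink")

if __name__ == "__main__":
    print("infinite approval:", exposure(1_000, MAX_UINT256))  # 1000
    print("capped approval:  ", exposure(1_000, 100))           # 100
```

Revoking or capping approvals after a swap shrinks the first number to the second, which is the risk reduction the article's closing paragraph points to.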