Lack of whitelisting of calls, use of infinite approval
Li Finance is the ultimate cross-chain liquidity aggregator, aggregating cross-chain liquidity networks (Connext, Hop, Thor, Anyswap...), connecting them to DEXes, calculating you the best cross-chain swaps.
On March 20th, 2022, an attacker exploited LI.FI’s smart contract, specifically our swapping feature which allows us to perform swaps before bridging. Instead of actually swapping, they were able to call token contracts directly in the context of our contract.
As a result of the exploit, anyone who gave infinite approval to our contract was vulnerable. As soon as the team had been notified of the exploit, we disabled all of the swap methods in our smart contract and started working on a fix to ensure they are safe to use and that something like this does not happen again.
The hack took advantage of our pre-bridge swap feature. Our smart contract allows a caller to pass an array of multiple swaps using any address with arbitrary calldata.
$600K have been stolen from 29 wallets. The bug has been fixed and is already deployed. 25/29 wallets have been reimbursed immediately — the rest we want to offer something special (alternatively normal reimbursement). The team has already reached out to them via Twitter and transactions.
DISCLAIMER: While Zero Friction LLC has used the best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to the accuracy or completeness, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.