According to Cyvers, their system flagged suspicious transactions on Li.Fi involving a specific contract address.
Cyvers recommended users revoke approvals for the suspicious address: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
Meir Dolev, co-founder and CTO at Cyvers, emphasized the need for constant vigilance from protocols:
“Hackers can exploit these approvals to drain assets stored in the contract as well as funds in connected user wallets.”
🚨ALERT🚨@lifiprotocol, Our system has raised suspicious transactions involving your https://t.co/3LzbDK99Ed
We recommend users to revoke their approvals for: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
More than $8M have been drained so far from users and mostly stablecoins!… pic.twitter.com/zsj9DZWnpU
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 16, 2024
Li.Fi Alert
In a post on X on July 16, Li.Fi warned users not to interact with applications powered by Li.Fi until further notice. During the ongoing attack, the team explained they were investigating the vulnerability and clarified that users without “infinite approvals” would not be at risk.
For users who had set up infinite approvals, the Li.Fi team advised revoking the following addresses:
- 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
- 0x341e94069f53234fE6DabeF707aD424830525715
- 0xDE1E598b81620773454588B85D6b5D4eEC32573e
- 0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68
At 11:44 AM ET (15:44 UTC), Li.Fi updated its users via a post on X stating that the smart contract vulnerability had been mitigated. “There is no further risk to users at this time,” the post read. “Only wallets with infinite approvals were affected, representing a very small number of users.”
Please do not interact with any https://t.co/nlZEnqOyQz powered applications for now!
We’re investigating a potential exploit. If you did not set infinite approval, you are not at risk.
Only users that have manually set infinite approvals seem to be affected.
Revoke all…
— LI.FI (@lifiprotocol) July 16, 2024
$10 Million Drained
According to Cyvers, approximately $10 million in cryptocurrency was drained, also affecting the Arbitrum blockchain. Dolev remarked, “This incident underscores the inherent risks in granting wallet permissions to smart contracts.”
In an update post on X, Cyvers once again urged users to revoke the address 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae to prevent further losses.
From Drains to Flash Loan Attacks
The decentralized finance protocol Dough Finance was recently attacked on July 12, falling victim to a $1.8 million flash loan attack. Cyvers reported on the incident, explaining that the attacker financed the exploit through the zero-knowledge protocol Railgun and swapped the stolen USD Coin.
According to Web3 security provider Olympix, the vulnerability accumulated 608 ETH, valued at approximately $1.8 million, originating from unverified call data with “ConnectorDeleverageParaswap.”
