LI.FI Bridge Hacked with Estimated Losses of $10 Million

LI.FI Bridge Suffers Major Security Breach

On the evening of July 16, the DeFi community on social media platform X was abuzz with news of the LI.FI bridge being exploited.
The information was shared by white hat hacker sudo in his latest post. The compromised smart contract address is "0x123...eae", known to be LI.FI's routing contract that aggregates liquidity across multiple bridges.

Lifi Finance getting drained while we speak (almost ~10m so far). Looks like a router approval exploit (to be confirmed). https://t.co/iO8P27mPyX
— sudo rm -rf --no-preserve-root / (@pcaversaccio) July 16, 2024

Estimated Loss and Immediate Response

As of the time of writing, the estimated loss is around $10 million.
LI.FI quickly confirmed the incident to its users and identified three additional contract addresses that need to be revoked to prevent further losses.

Please do not interact with any https://t.co/nlZEnqOyQz powered applications for now!
We're investigating a potential exploit. If you did not set infinite approval, you are not at risk.
Only users that have manually set infinite approvals seem to be affected.
Revoke all…
— LI.FI (@lifiprotocol) July 16, 2024

The breach has also impacted the DEX Jumper Exchange, which urged its users to revoke permissions for the compromised LI.FI contract addresses.

Please do not interact with our platform right now!
We're investigating a potential exploit.
If you did not set infinite approval, you are not at risk.
Only users that have manually set infinite approvals seem to be affected.
Revoke all approvals for:…
— Jumper (@JumperExchange) July 16, 2024
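
An added example, not code from LI.FI, Jumper or this article: one way to find which wallets still hold an unlimited approval to a compromised spender, by replaying ERC-20 Approval logs in chain order. The spender, token and wallet addresses and the sample logs are constructed placeholders, and the 2**255 "unlimited" threshold is an assumption.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: anything this large counts as "infinite"
# Placeholder, not a real contract: substitute the address named in the advisory.
WATCHED_SPENDER = "0x" + "ab" * 20

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def risky_approvals(logs, watched):
    """Replay Approval logs in chain order and return the (token, owner, spender)
    keys whose latest approved value to a watched spender is still unlimited."""
    watched = {w.lower() for w in watched}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics; skip it and other events.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]),
               topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)  # later Approval overwrites; 0 = revoked
    return sorted(k for k, v in latest.items()
                  if k[2] in watched and v >= UNLIMITED_FLOOR)

def _log(block, index, token, owner, spender, value):
    """Build a constructed log entry (block and log index already decoded to int)."""
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed sample data, deliberately out of chain order.
TOKEN_A, TOKEN_B, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "cd" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c4" * 20
SAMPLE_LOGS = [
    _log(150, 0, TOKEN_A, BOB, WATCHED_SPENDER, 0),              # Bob revokes later
    _log(100, 0, TOKEN_A, ALICE, WATCHED_SPENDER, MAX_UINT256),  # infinite, still live
    _log(101, 2, TOKEN_A, BOB, WATCHED_SPENDER, MAX_UINT256),    # infinite, then revoked
    _log(120, 1, TOKEN_B, CAROL, WATCHED_SPENDER, 5 * 10**18),   # exact amount only
    _log(130, 0, TOKEN_B, ALICE, OTHER, MAX_UINT256),            # different spender
]

if __name__ == "__main__":
    for token, owner, spender in risky_approvals(SAMPLE_LOGS, [WATCHED_SPENDER]):
        print(f"revoke: owner={owner} token={token} spender={spender}")
```

The replay reflects only the last approved value; confirm with the token's `allowance(owner, spender)` before and after revoking, since spending can reduce a finite allowance without emitting an Approval event.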

Background on LI.FI

LI.FI is a bridge project that aggregates liquidity and optimizes exchange rates across various chains. The project is currently developing an Intent-Based mechanism and integrating Chain Abstraction to simplify user experience.
This is not the first time LI.FI has faced security issues. In 2022, the bridge was also targeted by hackers, resulting in losses of approximately $600,000. According to security firm PeckShield, the vulnerabilities exploited in both incidents are fundamentally similar.

While analyzing today's @lifiprotocol hack, we notice an earlier hack on the same protocol on March 20, 2022.
The bug is basically the same. https://t.co/YcuEe4efOT
Are we learning anything from the past lesson(s)? https://t.co/nV4IuX7T7j pic.twitter.com/aVB6FQ3MnT
— PeckShield Inc. (@peckshield) July 16, 2024