LiFi Protocol exploited for $10 million, warns users to avoid platform News ▸ Hacks LiFi Protocol exploited for $10 million, warns users to avoid platform with insights from 
Peckshield
Available information suggests that the same vulnerability was exploited on the DeFi protocol two years ago.
Oluwapelumi ejumo Jul. 16, 2024 at 5:00 pm UTC 2 min read
Updated: Jul. 16, 2024 at 4:40 pm UTC X Telegram LinkedIn Email 
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
LiFi Protocol, an asset swap and bridge platform compatible with Solana and EVM chains, has been exploited for about $10 million.
The DeFi platform acknowledged the breach but did not reveal the exact amount lost. It urged community members to avoid interacting with its system.
It wrote:
Please do not interact with any LIFI powered applications for now! Were investigating a potential exploit. If you did not set infinite approval, you are not at risk. Only users that have manually set infinite approvals seem to be affected.
$10 million drained
On July 16, Cyvers Alert, a web3 security platform, reported suspicious transactions involving a LiFi smart contract.
The platform revealed that these transactions led to losses of about $10 million in user assets—including $6.3 million in USDT, $3.1 million in USDC, and around $170,000 in DAI stablecoin—across various blockchain networks, including the Ethereum layer-2 network Arbitrum.
Blockchain analyst Lookonchain reported that the stolen stablecoins have been exchanged for 2,857 ETH, equivalent to $9.7 million, and distributed to several wallets.
Meir Dolev, co-founder and chief technology officer at Cyvers, told CryptoSlate:
The incident highlights the dangers of giving wallet approvals to smart contracts. Its crucial for protocols to stay alert, as hackers can take advantage of these approvals to steal both assets in the contracts and funds in users connected wallets.
Another Blockchain security firm, Blockaid, explained that the root of the attack was exploiting the platforms proxy implementation. It added:
The attackers have managed to exploit a vulnerability in the proxy implementation, where an attacker is able to inject function call to the contract an ability theyve then used to inject transferFrom calls on approved users.
Notably, blockchain security firm Peckshield pointed out that the Li.Fi platform suffered a similar attack in March 2022. At that time, Li.Fi said the attacker exploited its smart contract through a swapping feature that calls token contracts directly instead of performing actual swaps.
Meanwhile, the attack has led to the spreading of several phishing scam links on social media, urging users to revoke their access to the platform via suspicious links.