Full Report
LiFi is a DEX aggregation protocol. Recently, they added a new contract to the code. This contract took in input for a swap but allowed calling an arbitrary address with arbitrary data without any input validation. Since an attacker controlled both the call target and the data from the context of the contract, it was possible to abuse the approvals on ERC20 contracts with a confused-deputy-like attack. If a user had approvals on this contract, their funds could be stolen by an attacker. By doing this, they netted themselves about 10M. According to the post, the Socket protocol hack earlier in 2024 was likely the same attacker: much of the same code was used and it was a very similar attack. The most interesting part to me is the timing of this. The contract had only been deployed for a few days and appeared to have NOT received an audit before launch. It's really true that every line of code released should be audited in some capacity. Otherwise, a bug can slip through the cracks.
Analysis Summary
# Incident Report: LiFi Protocol Arbitrary Call Injection
## Executive Summary
On July 16, 2024, the LiFi DEX aggregation protocol was exploited due to a critical vulnerability in a newly deployed contract facet. An attacker leveraged a lack of input validation in a "swap" function to execute arbitrary calls, draining approximately $9.73M from users who had granted "infinite approvals" to the protocol. The incident is a near-repeat of a 2022 exploit against the same protocol, highlighting failures in secure software development lifecycles (SDLC) and patch management.
## Incident Details
- **Discovery Date:** July 16, 2024
- **Incident Date:** July 16, 2024 (Vulnerability introduced July 11, 2024)
- **Affected Organization:** LiFi Protocol / Jumper Exchange
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** July 11, 2024
- **Vector:** Vulnerable Code Deployment
- **Details:** A new contract facet was added to the LiFi protocol. This contract contained a `swap` function that failed to validate call targets and data, creating an arbitrary call primitive.
### Lateral Movement
- **N/A:** The attack was a "confused deputy" exploitation of smart contract permissions rather than traditional network lateral movement. The attacker moved across multiple blockchain networks (Ethereum, zkSync, Linea, Metis) to target the same vulnerability.
### Data Exfiltration/Impact
- **Date/Time:** July 16, 2024
- **Details:** The attacker invoked the vulnerable contract to trigger `transferFrom` calls on various ERC20 tokens (USDC, USDT, DAI) belonging to users who had set infinite approvals for the LiFi contracts.
### Detection & Response
- **Discovery:** Security firm CertiK raised the alarm on X (formerly Twitter) after observing suspicious draining of user wallets.
- **Response actions:** LiFi acknowledged the hack approximately one hour after discovery. They advised all users to revoke approvals immediately via `revoke[.]cash` and disabled the affected routes.
## Attack Methodology
- **Initial Access:** Exploitation of an unvalidated `call` opcode in a recently deployed smart contract.
- **Persistence:** Not applicable; the attack was execution-based.
- **Privilege Escalation:** Confused Deputy attack—the attacker used the contract’s own authority to move funds it was authorized to manage.
- **Defense Evasion:** Use of multiple chains and rapid swapping of stolen assets to ETH and distribution across multiple wallets.
- **Exfiltration:** Transfer of ERC20 tokens to attacker-controlled addresses.
- **Impact:** Financial theft via unauthorized token transfers.
## Impact Assessment
- **Financial:** Total loss of approximately $9.73M (swapped into 2,857 ETH).
- **Data Breach:** None (Public blockchain data only).
- **Operational:** Temporary suspension of bridge/swap routes and emergency contract upgrades.
- **Reputational:** High; this was the second time LiFi suffered an almost identical exploit (previously $600k in 2022).
## Indicators of Compromise
- **Attacker Address:** 0x8B3Cb6Bf982798fba233Bca56749e22EEc42DcF3
- **Affected Contract (EVM):** 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
- **Affected Contract (zkSync):** 0x341e94069f53234fE6DabeF707aD424830525715
- **Behavioral:** Unexpected `transferFrom` events triggered by the LiFi router without a corresponding user-signed swap.
## Response Actions
- **Containment:** LiFi identified and disabled the vulnerable contract facet.
- **Eradication:** Implementation of whitelisting for call targets (this mitigation was reportedly added after the 2022 incident but was not applied to the new code).
- **Recovery:** Public communication urging users to revoke permissions to mitigate ongoing risk to dormant wallets that still held approvals.
## Lessons Learned
- **Regression Testing:** A similar bug occurred in 2022; the failure to include this scenario in automated testing or audit checklists allowed a regression.
- **Audit Gaps:** The new contract facet was reportedly deployed without a prior third-party security audit.
- **Approval Risks:** "Infinite approvals" remain a systemic risk in DeFi, turning a single contract bug into a multi-million dollar catastrophic event for users.
## Recommendations
- **Mandatory Audits:** Implement a strict policy where no code reaches production without a signed-off security audit.
- **Input Whitelisting:** Strictly validate all `call` targets and function selectors against a known-good registry.
- **Minimum Viable Approvals:** Encourage or enforce the use of "permit" (EIP-2612) or exact-amount approvals rather than infinite permissions.
- **Post-Deployment Monitoring:** Use real-time security monitoring (e.g., Forta, Tenderly) to alert on unauthorized `transferFrom` events.
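As an added illustration (not LiFi's code and not its actual fix), the two contracts below contrast the unvalidated-call pattern described in this report with a hardened version that enforces the call-target and function-selector allowlist recommended above. Every contract, function, event and variable name here is an assumption chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not LiFi's code. All names here are assumptions chosen to
// illustrate the pattern described in the report.

/// Vulnerable pattern: the caller supplies both the target and the calldata,
/// and the contract forwards them unchanged. Any ERC20 approval a user has
/// granted to this contract can therefore be spent by whoever calls swap():
/// the contract acts as a confused deputy.
contract VulnerableSwapFacet {
    struct SwapData {
        address callTo;    // chosen by the caller, never checked
        address sendingAsset;
        uint256 fromAmount;
        bytes callData;    // chosen by the caller, never checked
    }

    function swap(SwapData calldata s) external payable {
        // No allowlist and no selector check: an arbitrary call primitive.
        (bool ok, ) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, "swap call failed");
    }
}

/// Hardened pattern: only pre-approved DEX contracts may be called, and only
/// through pre-approved function selectors. Token contracts must never be
/// added to the target allowlist, or the original problem returns.
contract HardenedSwapFacet {
    address public immutable owner;
    mapping(address => bool) public approvedTarget;
    mapping(address => mapping(bytes4 => bool)) public approvedSelector;

    event SwapExecuted(address indexed caller, address indexed target, bytes4 selector);

    error TargetNotApproved(address target);
    error SelectorNotApproved(address target, bytes4 selector);
    error CallDataTooShort();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Registry management: a change-controlled step, not a per-swap decision.
    function setTarget(address target, bool allowed) external onlyOwner {
        approvedTarget[target] = allowed;
    }

    function setSelector(address target, bytes4 selector, bool allowed) external onlyOwner {
        approvedSelector[target][selector] = allowed;
    }

    function swap(address callTo, bytes calldata callData) external payable {
        if (!approvedTarget[callTo]) revert TargetNotApproved(callTo);
        if (callData.length < 4) revert CallDataTooShort();
        bytes4 selector = bytes4(callData[:4]);
        if (!approvedSelector[callTo][selector]) revert SelectorNotApproved(callTo, selector);

        (bool ok, bytes memory ret) = callTo.call{value: msg.value}(callData);
        if (!ok) {
            // Bubble up the callee's revert reason unchanged.
            assembly {
                revert(add(ret, 32), mload(ret))
            }
        }
        emit SwapExecuted(msg.sender, callTo, selector);
    }
}
```

The `SwapExecuted` event also gives the post-deployment monitoring recommended above something concrete to correlate against: a token `Transfer` initiated by the router in a transaction that emits no matching `SwapExecuted` is the behavioural indicator listed in this report.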