Li Finance, a swap aggregator, has suffered a smart contract exploit that cost its customers almost US$600,000 across a total of 29 wallets. The exploit happened on Sunday at 2:51 am UTC, when the attacker was able to extract 10 different types of tokens from wallets that had already granted infinite approval to the Li Finance protocol.
The stolen tokens are Tether (USDT), Rocket Pool (RPL), Jarvis Reward Token (JRT), DAI (DAI), Gnosis (GNO), Polygon (MATIC), AAVE (AAVE), USD Coin (USDC), Metaverse Index (MVI) and Audius (AUDIO).
After 12 hours had passed, the team learned of the hack at 2:15 pm UTC and, to prevent further losses, stopped all swapping functions. On Monday at 2:50 am UTC, the Li Finance team released a detailed report on the events of the exploit. The team explained that the hacker had swapped the tokens for a total of 205 Ether (ETH), which is roughly equivalent to US$600,000. Although the ETH has yet to be moved from the attacker's wallet, Li Finance has assured users that the bug has been identified and taken care of.
Of the 29 wallet owners, 25 have been reimbursed for their losses from the company treasury fund. These 25 wallets held a total of US$80,000, which is 13 percent of the total stolen funds. The remaining 4 users, who had US$517,000 in their wallets, were contacted and offered a deal to honour their losses. They will be compensated and regarded as angel investors of the company.
The 4 owners would receive LiFi company tokens, under the same conditions as any other angel investor, in an amount equal to the loss they have incurred. This can also help the company limit the loss to its treasury. The attacker has also been contacted about the hack and offered a bounty to return the money.
The attack came at a bad time: according to the company's CEO, Philipp Zentner, Li Finance was a week away from conducting an audit, and multiple companies are auditing Li Finance.
This latest attack in the DeFi sector shows how infinite approval in smart contracts can harm users' funds and expose a wallet to an enormous amount of risk. The infinite approval option lets users keep swapping their tokens without having to grant a new approval for each further transaction.
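To make the risk concrete, here is an added illustration (not Li Finance's code and not part of the original report) that models ERC-20 allowance accounting in memory and compares how much of a wallet stays within an approved contract's reach after an exact approval, an unlimited approval, and a revocation. The names "user", "router" and "pool" and all amounts are constructed for the example.

```python
# Added illustration: in-memory model of ERC-20 allowances (names and amounts are constructed).
UNLIMITED = 2**256 - 1  # the value wallets set for an "infinite" approval


class Token:
    def __init__(self):
        self.balance = {}    # holder -> amount
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed or amount > self.balance.get(owner, 0):
            raise ValueError("exceeds allowance or balance")
        if allowed != UNLIMITED:  # common implementations never decrement an unlimited allowance
            self.allowance[(owner, spender)] = allowed - amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

    def exposure(self, owner, spender):
        """Most the spender could move out of the owner's wallet right now."""
        return min(self.balance.get(owner, 0), self.allowance.get((owner, spender), 0))


def exposure_after_swap(approval, swap=100, later_deposit=5_000):
    """User approves `approval`, swaps `swap` tokens, then receives more funds.
    Returns what the approved contract could still pull from the wallet."""
    t = Token()
    t.balance["user"] = swap
    t.approve("user", "router", approval)
    t.transfer_from("router", "user", "pool", swap)  # the legitimate swap
    t.balance["user"] += later_deposit               # funds that arrive afterwards
    return t.exposure("user", "router")


def revoke_then_exposure():
    t = Token()
    t.balance["user"] = 5_000
    t.approve("user", "router", UNLIMITED)
    t.approve("user", "router", 0)  # revoking is simply approving zero
    return t.exposure("user", "router")


if __name__ == "__main__":
    print("exact approval:    ", exposure_after_swap(100))
    print("unlimited approval:", exposure_after_swap(UNLIMITED))
    print("after revoke:      ", revoke_then_exposure())
```

With an exact approval the allowance is used up by the swap itself, so a later flaw in the approved contract has nothing left to draw on; with an unlimited approval the whole balance, including funds received afterwards, stays exposed until the owner revokes.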