Li.Fi Protocol Hacked for Over $10 Million

In a major security breach, the Li.Fi protocol, which supports Ethereum Virtual Machine (EVM) and Solana swaps and bridging, was hacked on July 16, resulting in the loss of over $10 million in cryptocurrencies. The incident has raised significant alarm within the crypto community, highlighting ongoing security vulnerabilities.

Security firm Cyvers detected the breach, noting suspicious transactions involving a specific contract address. Users were advised to revoke their approvals for the compromised address: 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae. Meir Dolev, co-founder and CTO of Cyvers, stressed the importance of vigilance, warning that hackers could exploit these approvals to drain assets from contracts and connected wallets.

In an urgent announcement on X (formerly Twitter), Li.Fi warned users to avoid interacting with its applications until further notice. The team was investigating the exploit and assured users who had not set infinite approval that they were not at risk. For those who had, the team advised revoking approvals for several addresses, including 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae, 0x341e94069f53234fE6DabeF707aD424830525715, 0xDE1E598b81620773454588B85D6b5D4eEC32573e, and 0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68. Later that day, Li.Fi announced that the vulnerability had been mitigated and there was no further risk to users. They clarified that only a small number of wallets with infinite approvals were affected.

Approximately $10 million in cryptocurrency holdings was drained, and the Arbitrum blockchain was also affected. Dolev highlighted the risks associated with granting wallet approvals to smart contracts. Cyvers reiterated its recommendation that users revoke approvals for the compromised address to prevent further losses.
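The revocation advice above can be checked mechanically. The following is an added example, not code from Li.Fi or Cyvers: it replays ERC-20 `Approval` logs for a wallet, reports allowances still granted to the four addresses named in the article, and builds the `approve(spender, 0)` calldata that revokes each one. The sample logs, token and owner addresses, and helper names are constructed for illustration.

```python
# Spender addresses the article lists for revocation (copied from the page).
FLAGGED = {a.lower() for a in (
    "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae",
    "0x341e94069f53234fE6DabeF707aD424830525715",
    "0xDE1E598b81620773454588B85D6b5D4eEC32573e",
    "0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68",
)}
# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1

def _addr(topic):
    """Extract the 20-byte address from a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()

def _pad(addr):
    """Left-pad an address to a 32-byte ABI word (hex, no 0x prefix)."""
    return addr.lower()[2:].rjust(64, "0")

def outstanding_flagged_approvals(logs):
    """Replay logs in order; the last Approval per (token, owner, spender) wins.
    Log-derived amounts are an upper bound, since transferFrom can lower an
    allowance without emitting Approval. Confirm on-chain with allowance()."""
    latest = {}
    for log in logs:
        t = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics; skip it.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        latest[(log["address"].lower(), _addr(t[1]), _addr(t[2]))] = int(log["data"], 16)
    return [
        {"token": tok, "owner": own, "spender": sp, "unlimited": amt == MAX_UINT256,
         "revoke_calldata": "0x" + APPROVE_SELECTOR + _pad(sp) + "0" * 64}
        for (tok, own, sp), amt in latest.items()
        if sp in FLAGGED and amt > 0
    ]

def _log(token, owner, spender, amount):
    topics = [APPROVAL_TOPIC, "0x" + _pad(owner), "0x" + _pad(spender)]
    return {"address": token, "topics": topics, "data": hex(amount)}

# Constructed sample data: hypothetical token, owner and unrelated spender.
TOKEN, OWNER, OTHER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
SAMPLE_LOGS = [
    _log(TOKEN, OWNER, "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae", MAX_UINT256),
    _log(TOKEN, OWNER, "0x341e94069f53234fE6DabeF707aD424830525715", 500),
    _log(TOKEN, OWNER, "0xDE1E598b81620773454588B85D6b5D4eEC32573e", MAX_UINT256),
    _log(TOKEN, OWNER, "0xDE1E598b81620773454588B85D6b5D4eEC32573e", 0),  # revoked
    _log(TOKEN, OWNER, OTHER, MAX_UINT256),  # not a flagged spender
]
```

The `revoke_calldata` value is sent by the owner to the token contract listed in `token`, not to the flagged address.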

This incident follows a $1.8 million flash loan attack on Dough Finance on July 12. The attacker used the zero-knowledge protocol Railgun and swapped stolen USD Coin for Ether (ETH). Web3 security provider Olympix attributed the exploit to unvalidated call data with the “ConnectorDeleverageParaswap,” resulting in a loss of 608 ETH, valued at around $1.8 million. These events underscore the critical need for robust security measures and heightened vigilance in the decentralized finance sector.
