DEX aggregator Li Finance was attacked, losing $600,000

At 2:51 am on March 20 (UTC), a vulnerability in the smart contract of the cross-chain DEX aggregator Li Finance was exploited. The attacker drained 29 user wallets of crypto assets worth approximately US$600,000, spread across 10 tokens including USDC and MATIC.

After the incident, Li Finance disabled all swap functions. In the early hours of the 21st, the project's detailed post-mortem explained that the attacker abused a flaw in the Li Finance smart contract to have it call token contracts directly, without performing any swap, and thereby drain the users who had granted that contract unlimited token approvals.

At present, Li Finance has fixed the vulnerability, and 25 of the 29 affected wallets have been compensated, though the total compensation paid is only about US$80,000. The remaining 4 wallets, whose stolen assets are worth about US$517,000, have not yet been made whole; the team has proposed converting those losses into an "angel investment" in the project.

Li Finance disclosed that the attack happened just before its scheduled security audit. The incident is another reminder to DeFi users to check the audit status of an application before using it and to be cautious about the approvals they grant to it.

Li Finance theft totals $600,000

On March 21, Li Finance officially disclosed the attack process in detail on Medium.

Because Li Finance is a cross-chain DEX aggregator, its smart contract allows the caller to pass in an array of swaps, each given as a target address plus call data. "This design provides maximum flexibility in terms of which DEXs we can call and what methods can be used to call them. This also allows anyone to call other contracts, not just DEXs."

This design gave the attacker an opening: they first performed a small legitimate swap, then appended direct calls to a number of token contracts. "Specifically, they called "transferFrom", which allowed the attacker to transfer funds from the wallets of users who had previously granted the contract an unlimited approval for that specific token."

[Figure: the example published by Li Finance of the attacker's call into a token contract]

Li Finance noted that calls of this kind "are valid" because they execute in the context of a contract that has been given the power to move users' assets. The attacker sent the tokens to a separate wallet under their control. "Once the transfers were complete, the small amount swapped at the beginning was bridged and the transaction completed."

According to Li Finance, in the early hours of March 20 the attacker used the vulnerability in a single transaction to steal roughly $600,000 worth of crypto assets ($587,500, or about 205 ETH, at the time) from 29 wallets, comprising USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT and DAI. The attacker then swapped these assets for 204.7 ETH.

After discovering the vulnerability, Li Finance disabled all contract methods that allowed swaps and added a whitelist so that external calls can only reach DEXs approved by Li Finance. Most importantly, the application disabled the "unlimited approval" option.
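To make the mechanism concrete, the following is an added illustrative Solidity sketch, not Li Finance's actual code and deliberately simplified. `VulnerableAggregator` forwards each caller-supplied (target, calldata) step as an arbitrary external call, so a step whose target is an ERC-20 token and whose calldata is `transferFrom(victim, attacker, amount)` succeeds against any victim who gave the aggregator an unlimited approval. `WhitelistedAggregator` shows the shape of the fix described above. All contract, struct and function names here are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// One step of an aggregated swap: the contract to call and the calldata to send it.
struct SwapStep {
    address target;
    bytes callData;
}

/// Illustrative payload (constructed for this example): what an attacker appends after a
/// small legitimate swap. Executed *by the aggregator*, it moves `amount` of `token` from
/// `victim` to `attacker` as long as `victim` has approved the aggregator for at least `amount`.
function maliciousStep(address token, address victim, address attacker, uint256 amount)
    pure
    returns (SwapStep memory)
{
    return SwapStep({
        target: token,
        callData: abi.encodeWithSelector(IERC20.transferFrom.selector, victim, attacker, amount)
    });
}

/// VULNERABLE pattern (illustrative, not Li Finance's code): every caller-supplied step
/// is forwarded as an arbitrary external call from this contract's own context.
contract VulnerableAggregator {
    function swapAndBridge(SwapStep[] calldata steps) external {
        for (uint256 i = 0; i < steps.length; i++) {
            // Nothing restricts `target`: it can be a DEX router or any ERC-20 token.
            (bool ok, ) = steps[i].target.call(steps[i].callData);
            require(ok, "step failed");
        }
        // ... the (possibly tiny) legitimate swap output is bridged here ...
    }
}

/// HARDENED pattern: only owner-approved DEX routers are callable, and the aggregator
/// pulls exactly `amountIn` of the caller's own tokens for this swap.
contract WhitelistedAggregator {
    address public immutable owner;
    mapping(address => bool) public approvedDex;

    constructor() {
        owner = msg.sender;
    }

    function setDex(address dex, bool allowed) external {
        require(msg.sender == owner, "not owner");
        approvedDex[dex] = allowed;
    }

    function swapAndBridge(IERC20 tokenIn, uint256 amountIn, SwapStep[] calldata steps) external {
        // Pull only what this swap needs, and only from the caller.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        for (uint256 i = 0; i < steps.length; i++) {
            // A token contract is never an approved DEX, so a transferFrom against
            // another user's allowance cannot be routed through this contract.
            require(approvedDex[steps[i].target], "target not whitelisted");
            (bool ok, ) = steps[i].target.call(steps[i].callData);
            require(ok, "step failed");
        }
        // ... bridging of the swap output ...
    }
}
```

Two caveats a practitioner would add. The target whitelist restricts where the aggregator may call, not what it may call, so a whitelisted router that itself exposes an arbitrary-call function would reintroduce the problem. And the contract cannot stop a user from granting it an unlimited allowance, which is why the second half of the fix (requesting `approve(aggregator, amountIn)` rather than `type(uint256).max`) lives in the frontend and in the user's own habits.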

Plan to convert the largest losses into "angel investments"

After fixing the vulnerability, Li Finance said it compensated most affected users within 18 hours: 25 of the 29 affected wallets were reimbursed, for a total of about US$80,000, while the remaining 4 uncompensated wallets had lost about US$517,000.

Regarding the four wallets with large losses, Li Finance proposed: "In order to reduce our financial losses, we are willing to convert the lost funds into an angel investment in LI.FI. As investors, (the affected users) would receive the terms that apply to investors in the current financing round." Li Finance also stated that it is ultimately up to the users to decide whether to accept or reject this proposal. It has contacted the four as-yet-uncompensated wallets both through an on-chain transaction on mainnet and via Twitter.

It is worth noting that the attack happened just before Li Finance's scheduled security audit. The application had deployed its own smart contract a month earlier, and "the timing couldn't be worse, as we were only a week away from the audit beginning."

Li Finance said it is trying to build an intermediate layer between DeFi infrastructure and applications by aggregating and abstracting bridges and connecting them to the DEXs and aggregators on each chain to enable cross-chain transactions. Routes are selected after evaluating factors such as decentralization, trust assumptions, fees, gas efficiency and speed against the thresholds and preferences of integration partners and end users. "Sadly, this exploit came from our own smart contract."

Li Finance’s security incident once again illustrates the importance of DeFi security.

As of March 21, the total value locked (TVL) in decentralized finance (DeFi) had once again exceeded $200 billion, roughly a quarter of Tesla's market capitalization. At the end of January, DeFi's TVL had fallen to a low of $185.2 billion.

The DeFi market has rebounded, but the security of the smart contracts behind these applications remains a major threat to the ecosystem's development.

According to statistics from the BitAnt Data Monitoring Center, seven security incidents occurred in DeFi in February alone. Among them, the cross-chain bridge Wormhole was hacked for more than US$326 million, and the South Korean DeFi project KLAYswap was attacked, losing approximately US$1.83 million.

In addition, on February 6 the Meter cross-chain bridge was hacked for approximately $4.3 million. Four days later, on February 10, the DeFi application Dego Finance was hacked: its DEGO liquidity on Uniswap and PancakeSwap was drained, with total losses of approximately $17.62 million across three chains.

On February 14, the staking protocol Titano Finance was exploited and the attacker stole approximately 4,828.7 BNB, worth roughly $1.9 million at the time. The next day, the Build Finance project suffered a hostile governance takeover: the attacker gained control of the BUILD token contract, minted 1.1 million BUILD and drained the project's liquidity pools for 16 ETH, 2,001 USDC, 481,405 DAI and 75,719 NCR, around $1.12 million in total.

On February 23, the DeFi yield protocol Flurry Finance was exploited, with the attacker draining funds the protocol had deployed in its Rabbit Finance strategy.

For users, checking whether an application has been audited remains essential homework. And when faced with the wide range of applications on offer, users should grant wallet approvals carefully and avoid unlimited approvals where they can.
