The team behind the LI.FI cross-chain protocol has shared details of the hack in which users lost $11.6 million in USDC, USDT and DAI stablecoins.
Post-mortem and next steps for @lifiprotocol partners and community: https://t.co/H4EEiLAHEc
— LI.FI (@lifiprotocol) July 18, 2024
According to the statement, the exploit occurred shortly after the deployment of a new aspect of the smart contract.
"The vulnerability arose due to the fact that the calling parties to the contract could make arbitrary calls without verification. This feature was provided by the LibSwap library, which facilitates interaction with multiple DEXs, payment collectors and other entities before connecting or sending funds," the statement said.
Due to an "individual human error", the contract lacked verification of approved addresses and whitelisted functions, the developers explained.
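The missing control the developers describe, an allowlist of approved call targets and function selectors checked before any caller-supplied call is forwarded, can be sketched as follows. This is an added example, not LI.FI's or LibSwap's code; the contract name `GuardedSwapExecutor` and all of its functions and variables are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name here is hypothetical, not from LI.FI.
contract GuardedSwapExecutor {
    address public immutable owner;
    // Approved call targets (for example DEX routers), set by the owner.
    // Token contracts should not be listed: users' allowances are granted
    // to this executor, so it must not call tokens on a caller's behalf.
    mapping(address => bool) public approvedTarget;
    // Approved 4-byte function selectors that may be invoked on a target.
    mapping(bytes4 => bool) public approvedSelector;

    error NotOwner();
    error TargetNotApproved(address target);
    error SelectorNotApproved(bytes4 selector);
    error CallFailed();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function setTarget(address target, bool ok) external onlyOwner {
        approvedTarget[target] = ok;
    }

    function setSelector(bytes4 selector, bool ok) external onlyOwner {
        approvedSelector[selector] = ok;
    }

    // Forwards caller-supplied calldata only after both checks pass.
    function execute(address target, bytes calldata data)
        external payable returns (bytes memory)
    {
        if (!approvedTarget[target]) revert TargetNotApproved(target);
        // Calldata shorter than 4 bytes carries no selector; reject it.
        if (data.length < 4) revert SelectorNotApproved(bytes4(0));
        bytes4 selector = bytes4(data[:4]);
        if (!approvedSelector[selector]) revert SelectorNotApproved(selector);

        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        if (!ok) revert CallFailed();
        return ret;
    }
}
```

Removing the two `revert` checks in `execute` leaves the unverified arbitrary-call behaviour described in the statement.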
The attack occurred on the Ethereum and Arbitrum networks, affecting 153 wallets. Only users with permanent approval enabled, which is not the default setting in the API, SDK, and LI.FI widget, are affected, the team stressed.
"Our top priority is to restore users' assets. We continue to work with law enforcement agencies and relevant third parties, including industry security specialists, to track down and recover stolen funds," the developers said.
The project is assessing the possibility of paying full compensation to the victims "as soon as possible."
Recall that on July 18, the Indian crypto exchange WazirX lost $235 million in digital assets in a hack. Elliptic experts concluded that North Korean hackers were behind the attack.