More than $11m lost in Li.Fi security breach


Introduction

Li.Fi, a popular cross-chain liquidity provider, recently announced a breach of its protocol. Attackers took advantage of a code weakness in a newly deployed contract to gain access to some wallets. The attack resulted in the theft of funds from the affected non-custodial wallets. The Li.Fi team has reported that the total funds lost in the breach exceed $11m.

The protocol discovered the breach on 16th of July and immediately warned users to discontinue any interactions with its smart contracts until the attack had been contained. The announcement and warning were posted on Li.Fi's X account as soon as the attack was discovered, as you can see below:

Please do not interact with any LI.FI powered applications for now! We're investigating a potential exploit. If you did not set infinite approval, you are not at risk. Only users that have manually set infinite approvals seem to be affected. source

Further updates provided later on the official X channel showed that the attack had been contained. Users were advised to resume interactions with the Li.Fi protocol, as the smart contract vulnerability had been identified and disabled in order to prevent further losses from this breach.

The breach - and moving forward

Li.Fi recently upgraded a smart contract and noticed the breach immediately after the new contract was deployed. The security team moved in within hours to identify and contain the threat. Although a significant amount of tokens was lost to the attack, not all users on the platform were affected. The breach mainly affected users who connected to the protocol using their non-custodial wallet. Of this number, those who set up their wallet to allow endless auto approval of contracts were affected. The Li.Fi security team advised everyone to revoke any pending contracts to their protocol until the threat was contained. They later announced that everything was fine.
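For readers who want to check their own exposure to the unlimited approvals described above, the following is an added example, not code from Li.Fi or from the original post. It replays ERC-20 `Approval` event logs for one wallet and reports the token and spender pairs whose most recent approval is still unlimited. The log dictionaries mimic the shape of Ethereum JSON-RPC `eth_getLogs` results, and every address in the sample data is a constructed placeholder.

```python
# Added example (not Li.Fi code): find unlimited ERC-20 approvals still in force.
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event signature
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the value wallets send for an "infinite" approval

def addr(byte_hex):            # constructed placeholder address, e.g. addr("aa")
    return "0x" + byte_hex * 20

def as_topic(address):         # indexed addresses are left-padded to 32 bytes
    return "0x" + "0" * 24 + address[2:]

def topic_to_address(topic):
    return "0x" + topic[-40:].lower()

def outstanding_unlimited(logs, owner):
    """Return sorted (token, spender) pairs whose latest approval by owner is unlimited."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares the signature but has 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)   # a later approve() overwrites, 0 revokes
    return sorted(k for k, v in latest.items() if v == MAX_UINT256)

def make_log(token, owner, spender, value, block):
    return {"address": token, "blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, as_topic(owner), as_topic(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed sample data: all addresses are placeholders, not real contracts.
OWNER, OTHER = addr("11"), addr("22")
TOKEN_A, TOKEN_B, SPENDER = addr("aa"), addr("bb"), addr("cc")
SAMPLE_LOGS = [
    make_log(TOKEN_B, OWNER, SPENDER, 0, 105),             # revocation
    make_log(TOKEN_A, OWNER, SPENDER, MAX_UINT256, 100),   # still unlimited
    make_log(TOKEN_B, OWNER, SPENDER, MAX_UINT256, 101),   # revoked at block 105
    make_log(TOKEN_A, OTHER, SPENDER, MAX_UINT256, 106),   # different owner
    make_log(TOKEN_A, OWNER, addr("dd"), 1000, 107),       # exact-amount approval
]

if __name__ == "__main__":
    for token, spender in outstanding_unlimited(SAMPLE_LOGS, OWNER):
        print(f"unlimited approval in force: token={token} spender={spender}")
```

Event logs only record `approve()` calls, so treat the output as a list of candidates and confirm each one with the token's on-chain `allowance(owner, spender)` before and after revoking.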

After the security issue was fixed, Li.Fi alerted users to the current situation and told them they could resume operation on the platform. In addition, the team has engaged the services of several blockchain security experts to help them fully identify the loophole and make sure the protocol does not face further attacks like this one. The local police and other law enforcement agencies have been informed of the breach and are working together with the Li.Fi team to identify the criminals and possibly recover the lost funds.

The affected users whose wallets have been drained are advised not to panic, as the Li.Fi team has come up with a plan to settle the losses. The team has provided a form on X for affected users to fill in their details and wait to be contacted. Those who wish to have their wallets refunded are invited to participate in the program. Once they fill in the form provided, a representative from the Li.Fi team will reach out to them. The protocol has promised that all of the funds stolen in this security breach will be completely accounted for through this compensation program.

After a major security breach like this one, it is all too common for users to have doubts about the platform. There might even be a panic withdrawal of funds because of fear of more attacks. In this case, the protocol is giving assurances that user funds are secure and that this happened mainly because of human error. Here is what they have to say regarding security:

LI.FI is strongly committed to the safety and security of our protocol and user assets. In addition to our existing multi-step deployment review process, there are multiple additional security policies and measures in place including source

As of the time of writing, Li.Fi has completely contained the threat. The protocol has resumed full functioning with all its features restored. In the background, affected users are already in contact with the recovery team to determine how to receive their compensation.

Take security personally

Attackers have successfully targeted smart contract vulnerabilities in the DeFi space. The number of these attacks has risen sharply recently. Unfortunately, most of the attacks resulted in some asset loss for users. So it is important to treat security as being as important as the assets in your non-custodial wallets. While smart contract attacks can affect everyone, you can take steps to make your assets safer.

One thing to do is to use 2-factor authentication for all your wallets. Having this extra layer of protection ensures that your wallets are not easily accessed from a single point. It also gives attackers a harder time, since they have to beat two or more security layers rather than just one.

Hardware wallets are often recommended over soft wallets in the DeFi space. In addition to all the security of soft wallets, a hardware wallet has extra layers of security, such as the active key, which is often stored offline. Because it stays offline most of the time, a hardware wallet and its login details are safer from the vulnerabilities of the internet world.

Finally

It's better to spread your assets. If everything is kept in one bag, a breach like this one would make the loss almost unbearable. Everything could be stolen in an instant. But keeping assets safe in one or more wallets is a way to protect digital assets.


Note: thumbnail is from pixabay

4 comments

These scammers are everywhere. I’ve never heard about the Li.fi before.
That 2-factor authentication is really important. We have to take it seriously.


Attackers are succeeding especially in breaking into DeFi smart contracts. It's unfortunate that every protocol is vulnerable. DeFi security teams just need to add more layers of protection to smart contracts in order to make them more secure.


They can take advantage of such loopholes quite easily. I heard today that WazirX in India also got hacked. Good coders first work on the security. All such things put a negative image of crypto in general. The better the security the better the project.

#freecompliments


Sure, far more money was lost in the WazirX incident. These breaches are now happening far too often and that would definitely affect confidence in blockchain systems. Yes, the developers need to focus more on security of code and channel more resources there than any other aspect of the project.
