By simply exploiting a flaw in the Li Finance (LiFi) protocol, a hacker stole close to $600,000. Reprehensible and brilliant at the same time.
It all took place on Sunday, March 20, 2022. About thirty users of the Li Finance smart contract had the unpleasant surprise of seeing their wallets emptied. Or rather siphoned off.
This event only reinforces the questions around the security of decentralized systems. Admittedly, no digital protocol is immune to a flaw, and therefore to hacking. However, it is up to each company to take precautions commensurate with the skills of today's hackers.
In this context, the Li Finance teams have shown themselves to be both empathetic towards the injured users and transparent about their responsibility.
- Exploitation of a flaw in the Li Finance protocol
- A risk for all decentralized systems?
- Mea Culpa and transparency from Li Finance
A Hacker Exploits A Flaw In The Li Finance Protocol
A single transaction allowed a hacker to appropriate the tidy sum of $600,000.
Hackers have become accustomed to targeting weaknesses in protocols. They then just have to turn them against their designers in order to profit from them. This is exactly what happened with Li Finance's decentralized finance protocol. Far from a Trojan horse or even a virus, the hacker's method was to modify the code of the infinite approval feature.
For users, this infinite approval feature has many advantages. But in the mind of the hacker, it represented nothing other than the door to Eldorado. He thus hacked the internal function swap(), which is able to call the address of any digital wallet. It was then possible for him to transfer the smart contract contractForm(), and with it the funds of each person who had previously approved this contract. A total of 29 digital wallets were impacted.
These funds were quickly converted into 205 ETH by the hacker, before vanishing into the wild.
There was thus no direct siphoning off of funds. The hacker focused on transferring the smart contract protocol. The transfer of all the funds linked to this smart contract model was only one consequence. But a consequence foreseen in advance, and revealing a fundamental design error.
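The exposure described above depends on which wallets still hold an unlimited allowance for the contract. The following is an added example, not code from Li Finance or from the original article: it replays standard ERC-20 Approval event logs and lists the wallets whose latest allowance toward one spender contract is still unlimited. All addresses and log entries are constructed, and the 2**255 threshold is an assumption.

```python
# Added example: audit ERC-20 Approval logs for unlimited allowances still
# outstanding toward one spender contract. Addresses and logs are constructed.

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255  # assumption: anything this large counts as "infinite"

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_unlimited(logs, spender):
    """Return sorted (owner, token) pairs whose latest allowance for spender is unlimited."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (the ERC-721 variant has 4 topics)
        if topic_to_address(topics[2]) != spender.lower():
            continue  # approval granted to some other contract
        owner = topic_to_address(topics[1])
        value = int(log["data"], 16) if len(log["data"]) > 2 else 0
        latest[(owner, log["address"].lower())] = value  # a later log overrides
    return sorted(k for k, v in latest.items() if v >= UNLIMITED_THRESHOLD)

def pad(addr):
    return "0x" + "0" * 24 + addr[2:]

def make_log(block, idx, token, owner, spender, value):
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

ROUTER = "0x" + "aa" * 20  # constructed placeholder for the approved contract
OTHER = "0x" + "bb" * 20   # constructed placeholder for an unrelated spender
TOKEN = "0x" + "11" * 20   # constructed placeholder token contract
ALICE, BOB, CAROL = ("0x" + c * 20 for c in ("a1", "b2", "c3"))

SAMPLE_LOGS = [  # constructed sample, deliberately out of block order
    make_log(100, 0, TOKEN, ALICE, ROUTER, MAX_UINT256),      # still unlimited
    make_log(101, 0, TOKEN, BOB, ROUTER, MAX_UINT256),        # unlimited, then...
    make_log(105, 2, TOKEN, BOB, ROUTER, 0),                  # ...revoked later
    make_log(102, 0, TOKEN, CAROL, ROUTER, 500 * 10**18),     # bounded allowance
    make_log(103, 0, TOKEN, CAROL, OTHER, MAX_UINT256),       # different spender
]

if __name__ == "__main__":
    print(outstanding_unlimited(SAMPLE_LOGS, ROUTER))
```

Logs only give candidates: spending can reduce an allowance without emitting a new Approval event, so confirm each result against the token's allowance() value before acting on it.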
A Hacker Risk For All Decentralized Systems?
An existing flaw, yes, but not so easy to spot. To achieve this computer exploit, the hacker had to attack the DeFi protocol itself. He thus worked his way through an infinite transaction approval loop.
Through the swap() functionality, users have the ability to give unlimited approval to their transactions. For them, it's a way to automate them and save time. However, this functionality is only one example among many of the improvement work that remains to be done within decentralized systems.
The latter are increasingly criticized for this type of security problem. One of the most evocative examples is that of the “PolyNetwork Drama”. Last year, this other decentralized system suffered a hack, amounting to millions. The Binance Smart Chain was then exploited, allowing hackers to steal more than $600 million in cryptocurrencies.
In principle, a DeFi platform offers many advantages, especially in terms of distributing financial power directly in the hands of users. However, the flaws seem to be more and more numerous, or at least more regularly exposed in the public square.
A risk therefore does exist for any DeFi system. Most of the developers, including those at Li Finance, are embarking on major internal audits to fix any vulnerabilities.
Mea Culpa And Transparency From Li Finance
There were only a few days left before the internal audit of Li Finance, which had been scheduled for a while. The timing of the hacker thus played a crucial role.
When the hack was identified, the Li Finance teams hastened to apologize to all the stolen users. It was of course too late, but this Mea Culpa was essential.
The teams of the DeFi Li Finance platform wanted to be completely transparent about the hack. And the same goes for their degree of responsibility. The security audit has been brought forward, and a corrective patch has been directly implemented in order to close this door of infinite approval.
Regarding the siphoned wallets, Li Finance has already compensated 26 of the 29 wallets concerned, for a sum amounting to $200,000 in total. However, the remaining 3 digital wallets were substantial. The three of them alone were worth $400,000. In an attempt to minimize the impact on its cash flow, Li Finance said it is leaving the choice to them. They have the opportunity to turn their losses into a kind of angel investment, making them active players in this system.
Despite an attempt to make contact and a promise of a reward from Li Finance, the hacker still maintains strict radio silence.