DeFi Protocol LI.FI Struck by $11M Exploit

The exploit is reported to be related to the LI.FI bridge.

Updated Jul 16, 2024, 7:45 p.m. Published Jul 16, 2024, 1:30 p.m.
Exploit, hack, screens (Kevin Ku/Unsplash)
  • LI.FI spokesman confirms smart contract exploit that resulted in $11M hack.
  • Project officials are engaging with law enforcement, advise customers against interacting with LI.FI-powered applications for now.
  • LI.FI is a protocol that allows users to trade across various blockchains, venues and bridges.

Decentralized finance (DeFi) protocol LI.FI has been hit by a roughly $11 million exploit following a series of suspicious withdrawals, on-chain data shows.

"Please do not interact with any LI.FI powered applications for now," LI.FI wrote on X. "We're investigating a potential exploit. If you did not set infinite approval, you are not at risk."

LI.FI is a protocol that allows users to trade across various blockchains, venues and bridges. It suffered a bug with its swapping feature in 2022, resulting in a $600,000 loss. PeckShield described the recent bug as "basically the same."

Initially the amount was tallied at $8 million, but project officials now estimate the total damage from the hack to be about $11 million.

"A smart contract exploit earlier today has been contained and the affected smart contract facet disabled," according to a statement emailed by a spokesman for the project. "There is currently no further risk to users. The only wallets affected were set to infinite approvals, and represented only a very small number of users."

The statement went on: "We are engaging with appropriate law enforcement authorities and relevant third parties, including security teams from the industry, to trace funds. We will issue a more detailed post-mortem as soon as possible."

Crypto security firm Decurity said that the exploit involves the LI.FI bridge.

"The root cause is a possibility of an arbitrary call with user controlled data via `depositToGasZipERC20()` in GasZipFacet which was deployed 5 days ago," Decurity wrote on X.
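The statements above tie exposure to wallets that had set infinite approvals for the affected contract. As an added example (not from the article, LI.FI or Decurity), this Python code replays ERC-20 `Approval` event logs and lists the owners whose latest approval to a given spender is still unlimited; all addresses and log entries are constructed placeholders.

```python
# Added example: addresses and log entries below are constructed placeholders.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
SPENDER = "0x" + "ab" * 20   # placeholder for the contract being audited
OTHER = "0x" + "cd" * 20     # unrelated spender
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
ALICE, BOB = "0x" + "01" * 20, "0x" + "02" * 20

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def current_allowances(logs, spender):
    """Replay Approval logs in chain order; the last event per (token, owner) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 shares the signature but has 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        state[key] = int(log["data"], 16)
    return state

def unlimited_approvals(logs, spender):
    """(token, owner) pairs whose latest approval to spender is still 2**256 - 1."""
    allowances = current_allowances(logs, spender)
    return sorted(k for k, v in allowances.items() if v == MAX_UINT256)

def make_log(token, owner, spender, value, block, index=0):
    """Build a constructed log shaped like an eth_getLogs entry (numbers as ints)."""
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": f"0x{value:064x}", "blockNumber": block, "logIndex": index}

SAMPLE_LOGS = [
    make_log(TOKEN_A, ALICE, SPENDER, MAX_UINT256, 100),
    make_log(TOKEN_A, BOB, SPENDER, MAX_UINT256, 101),
    make_log(TOKEN_B, ALICE, SPENDER, 1000, 102),      # finite approval
    make_log(TOKEN_A, BOB, SPENDER, 0, 105),           # Bob revoked
    make_log(TOKEN_B, BOB, OTHER, MAX_UINT256, 106),   # different spender
]

if __name__ == "__main__":
    for token, owner in unlimited_approvals(SAMPLE_LOGS, SPENDER):
        print(f"unlimited approval: owner={owner} token={token}")
```

Event replay is a triage step: the token's `allowance(owner, spender)` view is the authoritative value, and an owner revokes by approving 0 for that spender.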

A report by Immunefi in May revealed that $473 million worth of crypto was lost to hacks, exploits and rug pulls in the first half of 2024.

UPDATE (July 16, 13:48 UTC): Adds link to 2022 exploit that resulted in a $600,000 loss.

UPDATE (July 16, 19:41 UTC): Adds statement from spokesman including updating the size of the hack to $11 million from an earlier reported $8 million.

Oliver Knight

Oliver Knight joined CoinDesk as a news reporter in April 2022. Before joining CoinDesk, Knight was the Chief Reporter at Coin Rivet for three years. Having graduated with a journalism degree from Birmingham City University, Knight went on to work at various sports publications before diving into the world of Bitcoin in 2014. He does not have any crypto holdings.
