Analyzing the LI.FI Security Breach: Implications for Blockchain, Smart Contract, and Web3 Security
Introduction
On July 16, 2024, a significant security breach occurred in the LI.FI smart contract, resulting in the loss of approximately $11.6 million. This incident underscores the importance of robust blockchain security measures and the ongoing challenges faced by Web3 platforms. As blockchain technology and smart contracts become more integral to the digital economy, understanding and addressing security vulnerabilities is crucial for developers, audit firms, and Web3 security researchers.
The Incident: A Detailed Breakdown
Security Incident Overview
The breach in the LI.FI contract happened shortly after the deployment of a new smart contract facet. This vulnerability allowed the attacker to exploit user self-custodial wallets that had granted infinite token approvals to the LI.FI contract. The attack affected 153 wallets across Ethereum and Arbitrum, leading to the unauthorized draining of assets including USDC, USDT, and DAI. Notably, the vulnerability was specific to infinite approvals and did not impact finite approvals, which are the default settings within the LI.FI API, SDK, and widget.
Incident Response
Upon detecting the breach, LI.FI's security team quickly activated their incident response plan, successfully disabling the vulnerable facet across all chains to contain the threat and prevent further unauthorized access.
Technical Breakdown of the Vulnerability
The vulnerability emerged from a deployment error in a newly added smart contract facet. Specifically, callers to the contract could make arbitrary calls to any contract without validation. This was facilitated by the LibSwap library, which is designed to make calls to multiple decentralized exchanges (DEXs), fee collectors, and other entities before bridging or sending funds to a user. While other facets of the LI.FI contract validate these calls against a whitelist of approved contract addresses and functions, the new facet missed this crucial validation check due to human error during deployment.
Links to the Impacted Facet:
Recovery Efforts
Recovering the stolen assets is LI.FI's top priority. The team is working closely with law enforcement authorities and industry security teams to trace and recover the funds. Additionally, LI.FI, supported by its major investors, is evaluating options to compensate the affected users.
Affected users are encouraged to fill out this form to facilitate direct communication and support. The community's cooperation is essential for effective recovery efforts.
Contributions from Security Researchers
LI.FI acknowledges the invaluable assistance from numerous security researchers who have been instrumental in identifying and addressing the vulnerability:
- @pcaversaccio
- @zeroshadow_io
- @_SEAL_Org
- @0xleastwood
- @tracelon_
- @hexagate_
- @0xVazi
- @HypernativeLabs
- @invlpgtbl
- @Ash42Z
- @aliciakatz
Looking Ahead: Enhancing Blockchain Security
Commitment to Security
LI.FI remains committed to the safety and security of its protocol and user assets. The following security measures and policies are in place to prevent future incidents:
- Multiple audits by various firms
- Monthly retainer with an auditing firm for timely reviews
- Backend infrastructure and API pen-testing (both whitebox and blackbox) by an external security firm
- Bug bounty programs
- An Incident Response Framework
- Extensive security assessments of integrated third-party systems
- Compliance with multiple NIST security policies
Reassessing Deployment Processes
The incident highlighted a flaw in the deployment review process, which LI.FI has already begun reassessing to prevent similar vulnerabilities in the future. Continuous collaboration with security experts is essential for improving these processes and policies.
Conclusion
The LI.FI security breach serves as a critical lesson for the blockchain and Web3 communities. It underscores the importance of meticulous deployment procedures, continuous monitoring, and proactive incident response strategies. As the digital landscape evolves, so too must the security measures designed to protect it.
Recommendations:
- Engage in Community Discussions: Join forums and groups to stay updated on the latest security trends and share insights.
- Access Further Training Resources: Invest in training programs and certifications to enhance your understanding of blockchain security.
- Explore Advanced Security Tools: Integrate automated auditing tools and real-time monitoring solutions into your security framework.
For further insights on the Web3 security space and engagement with top-tier smart contract auditors in the industry, join our TRUSTBYTES Discord.