Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 201 · Smart Contract Bug

LI.FI Facet Approval Drain

$11.6M drained from users who granted infinite approvals to LI.FI; a freshly deployed facet skipped a validation, letting any caller invoke arbitrary contracts.

Date: July 16, 2024
Victim: LI.FI
Status: Partially Recovered

On July 16, 2024, the cross-chain liquidity protocol LI.FI was exploited for approximately $11.6 million. The bug was a single missing validation check in a freshly deployed facet of LI.FI's diamond-proxy contract — a check the deployer had simply forgotten to include.

What happened

LI.FI's smart contracts use the diamond proxy pattern: a single user-facing contract address routes to a set of pluggable implementation contracts ("facets") that handle specific functionality (bridging, swapping, fee collection, etc.). Users who interact with LI.FI grant token approvals to the diamond proxy, often with infinite allowances — a common DeFi UX pattern.

LI.FI's LibSwap library, used by many of the facets, allows the protocol to make arbitrary calls to any contract during a swap — necessary for routing through unknown DEXs, fee collectors and bridges. The library is intentionally permissive; safety depends on the facets that call it validating the swap targets and calldata before invoking the library.

A new facet shipped on July 16 did not include this validation. Any caller could:

  1. Identify a wallet with an infinite approval to the LI.FI diamond.
  2. Construct a "swap" whose underlying calldata invoked transferFrom() on the victim's allowance.
  3. Submit the swap; LI.FI's facet called LibSwap; LibSwap dispatched the arbitrary call; the victim's tokens were transferred to the attacker.

The attacker swept $11.6M in ETH, USDC, USDT and DAI from wallets that had ever granted infinite approvals to LI.FI. The number of affected wallets was small (the team estimated "a very small number of users"), but those users had high balances.

Aftermath

  • LI.FI paused the diamond within hours of the first malicious transaction and added on-chain warnings on the affected addresses.
  • The team published a detailed post-mortem and committed to full reimbursement of affected users with backing from investors.
  • The exploit was the second LI.FI security incident — a smaller bug in 2022 had cost ~$600,000 through a related approval-handling pattern.

Why it matters

LI.FI is a strong case for two related lessons:

  1. Infinite approvals are infinite trust: any contract a user has ever granted unlimited approval to can drain their tokens forever, including through bugs introduced in future code that didn't exist at approval time. The revoke UX — Revoke.cash et al. — is a partial answer; the better answer is bounded approvals with expiry, which most wallets now offer by default for the EIP-2612 permit pattern.
  2. Permissive primitives need defence in depth: when a library is designed to allow arbitrary calls, every caller of that library is responsible for validating its inputs. A single forgetful facet deployment broke LI.FI's entire trust model.
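Added example, not LI.FI's code: a minimal Python model of the facet/LibSwap boundary described in the steps under "What happened", run with the missing validation, with it restored, and with a bounded allowance to show how lesson 1 above caps the loss even when lesson 2 fails. Token, DIAMOND, DEX_ALLOWLIST and the balances are constructed stand-ins, and the allowlist-plus-selector check is one reasonable form of the validation, not LI.FI's actual fix.

```python
from dataclasses import dataclass, field
INFINITE = 2**256 - 1          # uint256 max, the usual "infinite approval"
DIAMOND = "lifi-diamond"       # the single spender address users approved
DEX_ALLOWLIST = {"DexRouter"}  # hypothetical: targets a facet may route through

@dataclass
class Token:
    """Constructed ERC-20 stand-in: balances plus (owner, spender) allowances."""
    name: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowances.get((owner, caller), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        if allowed != INFINITE:  # infinite allowances are never decremented
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def lib_swap(call_to, method, args):
    """LibSwap stand-in: an arbitrary call made with the diamond as msg.sender."""
    return getattr(call_to, method)(DIAMOND, *args)

def vulnerable_facet(call_to, method, args):
    """The July 16 facet as described: forwards the swap with no validation."""
    return lib_swap(call_to, method, args)

def hardened_facet(call_to, method, args):
    """Every caller of the permissive library checks target and calldata itself."""
    if call_to.name not in DEX_ALLOWLIST:
        raise ValueError(f"swap target {call_to.name} not on allowlist")
    if method == "transfer_from":
        raise ValueError("swap calldata must not spend user allowances")
    return lib_swap(call_to, method, args)

def run_scenario(facet, approval):
    """Victim holds 1000 USDC approved to the diamond for `approval`; returns the balance left after one malicious 'swap'."""
    usdc = Token("USDC", balances={"victim": 1_000, "attacker": 0})
    usdc.approve("victim", DIAMOND, approval)
    amount = min(1_000, approval)  # the call takes whatever the allowance permits
    try:
        facet(usdc, "transfer_from", ("victim", "attacker", amount))
    except (ValueError, PermissionError):
        pass  # the facet (or the token) rejected the call; nothing moved
    return usdc.balances["victim"]
```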

Sources & on-chain evidence

  1. li.fi: https://li.fi/knowledge-hub/incident-report-16th-july/
  2. coindesk.com: https://www.coindesk.com/business/2024/07/16/defi-protocol-lifi-struck-by-8m-exploit
  3. unchainedcrypto.com: https://unchainedcrypto.com/li-fi-drained-of-more-than-10-million-via-wallets-with-infinite-approval-settings/
