Cross-Chain Protocol Li.Fi Suffers $11M Exploit, Urges Users to Revoke Permissions

Cross-chain DeFi protocol Li.Fi has reportedly lost approximately $11 million due to an exploit. According to CertiK, a wallet associated with the suspected hack held nearly $6 million in Ethereum (ETH) along with various amounts of stablecoins. The ongoing investigation suggests that the exploit targeted some Li.Fi users who had manually adjusted their account settings, the protocol's team stated in a post on X.

Li.Fi reassured users that the exploit has been "contained" and that users are no longer at risk. Blockchain data indicates that the compromised wallet contains roughly $5.8 million in ether, as well as USDC, USDT, and DAI stablecoins.

In a statement on Tuesday, Li.Fi urged users to "immediately use our secluded revoke website" to protect their accounts. The protocol identified four additional security breaches and advised users to revoke permissions through revoke.cash. Traders were also encouraged to visit scan.li.fi to check if their accounts had been compromised.

Crypto security firm Decurity suggested that the exploit may have stemmed from a vulnerability in the Li.Fi bridge. In a post on X, Decurity pointed to a potential issue with the depositToGasZipERC20() function in the GasZipFacet module, which was deployed only five days prior to the attack.

Li.Fi has faced significant security challenges in the past. In 2022, a bug in the protocol’s swapping feature resulted in a loss of $600,000 in cryptocurrency, according to a post-mortem analysis by Li.Fi on Medium.