LIFI Attack: Arbitrary Calls and Infinite Approval Risk
On July 16th, 2024, a critical vulnerability in LIFI's newly deployed facet contract was exploited. The attacker used it to steal funds from users who had granted the LIFI contracts larger token approvals than their deposits required. Approximately $11.6 million was stolen, affecting multiple assets in several users' wallets on Ethereum and Arbitrum.
Exploit Analysis
The attacker targeted the depositToGasZipERC20() function. This function uses LibSwap.swap() to swap ERC20 tokens into native tokens, but it does not validate the user-supplied _swapData against a whitelist of approved contract addresses and function selectors. Without that validation, the caller can make the LIFI contract perform an arbitrary call to any contract with any calldata.
The attacker used this to make the LIFI contract execute transferFrom() on ERC20 token contracts. Because the LIFI contract was the spender that users had approved, the call moved tokens directly from the approved users' wallets to the attacker's wallet. The attack affects every user who had approved amounts exceeding their actual deposits when interacting with LIFI contracts.
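To make the missing check concrete, here is an added illustration written for this post (not LIFI's code): a minimal facet that forwards caller-supplied swap data, shown once without validation and once with an owner-managed allow-list of (target, selector) pairs. The contract and struct names, and the assumption that the facet holds user allowances, are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative struct (not LIFI's): the caller fully controls both fields.
struct SwapData {
    address callTo;   // contract the facet will call
    bytes callData;   // ABI-encoded call, supplied by the caller
}

// Vulnerable pattern: the facet holds users' token allowances, yet forwards
// any calldata to any address. A caller can therefore drive the facet into
// calling token.transferFrom with the facet itself as the approved spender.
contract VulnerableFacet {
    function depositWithSwap(SwapData calldata s) external payable {
        // No check on s.callTo or on the selector inside s.callData.
        (bool ok, ) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, "swap failed");
    }
}

// Hardened pattern: only pre-approved (target, selector) pairs may be called,
// so the facet can never be made to invoke transferFrom on a token contract.
contract HardenedFacet {
    address public immutable owner;
    // Allow-list keyed by target address and 4-byte function selector.
    // An empty list rejects every call, which is the safe default.
    mapping(address => mapping(bytes4 => bool)) public allowed;

    constructor() { owner = msg.sender; }

    function setAllowed(address target, bytes4 selector, bool on) external {
        require(msg.sender == owner, "not owner");
        allowed[target][selector] = on;
    }

    function depositWithSwap(SwapData calldata s) external payable {
        require(s.callData.length >= 4, "bad calldata");
        // Selector is the first four bytes of the ABI-encoded call.
        bytes4 selector = bytes4(s.callData[:4]);
        require(allowed[s.callTo][selector], "call not whitelisted");
        (bool ok, ) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, "swap failed");
    }
}
```

The allow-list should contain only the DEX router addresses and swap selectors the facet actually needs; token contracts themselves must never be whitelisted, since any whitelisted token selector would reopen the transferFrom path.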
One of the exploit transactions: https://etherscan.io/tx/0xd82fe84e63b1aa52e1ce540582ee0895ba4a71ec5e7a632a3faa1aff3e763873
Conclusion
As a developer building your own project, do not trust any user input. Every parameter must be carefully validated in code. Calls to untrusted contracts can introduce unexpected risks and errors: an external call can trigger malicious code, either in the target contract or elsewhere in its ecosystem. Treat every external call as a potential security risk and handle it with extreme caution.
Additionally, it is strongly recommended to conduct a security audit, not only for the first release but also for every new feature added later. Since an upgrade can itself introduce issues, each upgrade should also be thoroughly audited.
As a blockchain user, remember that approving tokens grants the approved contract the ability to spend them. Avoid infinite approvals; approve only the exact amount needed for each transaction, even if it costs additional fees. Proactively review and revoke unnecessary approvals to safeguard your funds.