LI.FI exploited, losing nearly 10 million dollars
The Li.fi interaction protocol has warned users not to interact with any applications that use its infrastructure while it investigates a potential vulnerability. Only users who have manually set up unlimited approvals are affected.
"Please do not interact with any LI.FI support applications at this time! We are investigating a potential exploit. If you do not have unlimited approval, you will not be at risk. Only users who have manually set unlimited approval are affected. Revoke all approvals for:
0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
0x341e94069f53234fE6DabeF707aD424830525715
0xDE1E598b81620773454588B85D6b5D4eEC32573e
0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68".
The first report of a potential exploit came from X user Sudo, who highlighted that nearly $10 million had been withdrawn from the protocol. Another X user, Wazz, pointed out that the Web3 wallet Rabby had implemented Li.fi as an integrated bridge, and warned users to check their permissions and revoke them. Notably, Jumper Exchange is also a popular application that uses Li.fi services.
Furthermore, after the blockchain security company CertiK posted on X about the ongoing vulnerability, user Nick L. Franklin claimed that this could be a ‘call injection’ attack. This is a technique in which the attacker inserts commands or calls into an application or system to perform unauthorized actions. It is often a form of injection attack, similar to SQL injection or XSS (Cross-Site Scripting), but instead of inserting code into data or web forms, the attacker inserts commands into the calls or communication services between system components.
According to the blockchain security company PeckShield, a similar attack was used against Li.fi in March 2022.
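To act on the revocation advice above, an owner or wallet team first needs to know which approvals to the listed addresses are still live. The following is an added example, not code from the article or from LI.FI: it replays ERC-20 `Approval` event logs and reports approvals to those four spenders whose last approved amount is unlimited. It assumes the approvals are standard ERC-20 allowances and that `blockNumber` and `logIndex` are already integers; the sample logs, token and owner addresses are constructed.

```python
# Added example (not LI.FI code). Assumes ERC-20 Approval logs with integer block fields.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

# Spender addresses listed in the advisory, lowercased for comparison.
FLAGGED = [a.lower() for a in (
    "0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae",
    "0x341e94069f53234fE6DabeF707aD424830525715",
    "0xDE1E598b81620773454588B85D6b5D4eEC32573e",
    "0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68",
)]

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs):
    """Replay logs in chain order; return {(token, owner, spender): amount} still non-zero."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic hash but has 4 topics
        spender = topic_to_address(topics[2])
        if spender not in FLAGGED:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]), spender)
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = amount
    return state

def unlimited(state):
    """Approvals whose last approved amount is the maximum uint256."""
    return sorted(k for k, v in state.items() if v == MAX_UINT256)

def sample_logs():
    """Constructed logs: token, owners and the unflagged spender are made up."""
    token, alice, bob, other = ("0x" + c * 40 for c in "a129")
    def log(block, owner, spender, amount):
        pad = lambda addr: "0x" + addr[2:].lower().rjust(64, "0")
        return {"blockNumber": block, "logIndex": 0, "address": token,
                "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
                "data": "0x" + format(amount, "064x")}
    return [log(105, bob, FLAGGED[1], 0), log(100, alice, FLAGGED[0], MAX_UINT256),
            log(101, bob, FLAGGED[1], MAX_UINT256), log(102, alice, other, MAX_UINT256),
            log(103, bob, FLAGGED[3], 500)]
```

Logs record the last approved amount, not the remaining allowance, so confirm each hit with the token's `allowance(owner, spender)` call before and after revoking.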