LI.FI Protocol Drained of $11.6 Million in Smart Contract Facet Exploit

The cross-chain liquidity aggregation protocol LI.FI suffered a devastating security breach on July 16, 2024, losing approximately $11.6 million in user funds after a newly deployed smart contract facet contained a critical vulnerability. The attack targeted wallets that had previously granted infinite token approvals to the LI.FI contract, affecting 153 individual wallets across Ethereum and Arbitrum.

The Exploit Mechanics

The vulnerability originated from a flawed deployment of a new smart contract facet. According to LI.FI’s official incident report, the exploit was made possible by a missing validation check within the LibSwap library, which facilitates calls to multiple decentralized exchanges, fee collectors, and other entities before bridging or sending funds. In all other existing facets of the LI.FI contract, these external calls are validated against a whitelist of approved contract addresses and functions. However, due to what the team described as an individual human error during the deployment oversight process, this critical validation was absent from the new facet.

This omission allowed callers to the contract to make arbitrary calls to any external contract without validation. The attacker exploited this capability within minutes of the facet going live, draining USDC, USDT, and DAI from wallets that had previously set infinite token approvals for the LI.FI contract. With Bitcoin trading at approximately $65,097 and Ethereum at $3,443 at the time, the exploit sent ripples through the DeFi security community.
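The check described above, modelled as an added example rather than LI.FI's Solidity code: a facet receives caller-supplied (callTo, callData) pairs and, before forwarding any of them, must confirm that both the target address and the 4-byte function selector are on the protocol's allow-list. The addresses, the fee-collector selector and the swap records are constructed sample values; the one real constant is the well-known selector for swapExactTokensForTokens. Running the same batch with validation switched off shows what the flawed facet effectively did: every caller-chosen target becomes reachable through the contract that users had approved.

```python
"""Allow-list validation of a swap facet's outbound calls (illustrative Python model)."""
from dataclasses import dataclass

# Constructed sample addresses (not real deployments).
DEX_ROUTER = "0x" + "11" * 20
FEE_COLLECTOR = "0x" + "22" * 20
UNLISTED_CONTRACT = "0x" + "33" * 20

# A selector is the first 4 bytes of keccak256(signature).
# 0x38ed1739 is the well-known selector for
# swapExactTokensForTokens(uint256,uint256,address[],address,uint256).
SWAP_SELECTOR = bytes.fromhex("38ed1739")
# Constructed placeholder selector for the sample fee collector.
COLLECT_FEE_SELECTOR = bytes.fromhex("00000001")

# Allow-list: target contract -> permitted selectors on that contract (constructed).
ALLOW_LIST = {
    DEX_ROUTER.lower(): {SWAP_SELECTOR},
    FEE_COLLECTOR.lower(): {COLLECT_FEE_SELECTOR},
}


@dataclass(frozen=True)
class SwapData:
    call_to: str      # external contract the facet will call
    call_data: bytes  # ABI-encoded calldata; first 4 bytes are the selector


class UnauthorizedCall(Exception):
    pass


def validate_swap(swap: SwapData) -> None:
    """Raise unless BOTH the target and the selector are allow-listed."""
    if len(swap.call_data) < 4:
        raise UnauthorizedCall("calldata shorter than a function selector")
    allowed = ALLOW_LIST.get(swap.call_to.lower())
    if allowed is None:
        raise UnauthorizedCall(f"target {swap.call_to} is not allow-listed")
    sel = swap.call_data[:4]
    if sel not in allowed:
        raise UnauthorizedCall(f"selector 0x{sel.hex()} not permitted on {swap.call_to}")


def execute_swaps(swaps, validate=True):
    """Model of the facet's dispatch loop.

    Validation runs over the whole batch first, mirroring a transaction that
    reverts as a unit. Returns the (target, selector) pairs that would be
    forwarded. With validate=False it behaves like the flawed facet.
    """
    if validate:
        for swap in swaps:
            validate_swap(swap)
    return [(s.call_to.lower(), s.call_data[:4].hex()) for s in swaps]


def dispatch_outcome(swaps, validate=True):
    """Return ('forwarded', calls) or ('rejected', reason)."""
    try:
        return ("forwarded", execute_swaps(swaps, validate))
    except UnauthorizedCall as exc:
        return ("rejected", str(exc))


# Constructed sample batch: one legitimate DEX swap and one call aimed at an
# unlisted contract with an unlisted selector.
LEGIT_SWAP = SwapData(DEX_ROUTER, SWAP_SELECTOR + b"\x00" * 32)
ROGUE_CALL = SwapData(UNLISTED_CONTRACT, bytes.fromhex("deadbeef") + b"\x00" * 32)

if __name__ == "__main__":
    print(dispatch_outcome([LEGIT_SWAP]))
    print(dispatch_outcome([LEGIT_SWAP, ROGUE_CALL]))                  # rejected
    print(dispatch_outcome([LEGIT_SWAP, ROGUE_CALL], validate=False))  # flawed facet forwards both
```

The selector check matters as much as the address check: an allow-listed DEX router still exposes functions a swap facet has no reason to call, so the list is keyed by contract and selector together, and calldata too short to carry a selector is rejected outright.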

Affected Systems

The breach was confined to Ethereum and Arbitrum, where the vulnerable facet had been deployed. LI.FI emphasized that the vulnerability was limited exclusively to infinite approvals and did not affect finite approvals, which remain the default setting within the LI.FI API, SDK, and widget. The 153 affected wallets had all previously granted unlimited spending permissions to the LI.FI contract, a practice that security researchers have long warned against.

The attack vector is particularly concerning because it exploited a common user behavior rather than a novel cryptographic weakness. Infinite token approvals, while convenient for frequent DeFi users, create a persistent attack surface that compounds with every new contract interaction a protocol introduces.

The Mitigation Strategy

Upon detecting the breach, LI.FI’s team immediately activated their incident response plan and disabled the vulnerable facet across all chains. This swift action contained the threat and prevented further unauthorized access. The protocol also engaged with law enforcement authorities, blockchain security firms, and independent researchers to trace and attempt recovery of the stolen funds.

Notable security researchers and organizations including pcaversaccio, zeroshadow, SEAL Org, Hexagate, HypernativeLabs, and others assisted in identifying and addressing the vulnerability. LI.FI also announced that it was evaluating options to fully compensate affected users, backed by its major investors.

Lessons Learned

The LI.FI incident highlights several critical security principles for both protocols and users. First, deployment oversight must include redundant validation checks, particularly for facets that handle arbitrary external calls. A single human error in the review process should not be sufficient to bypass security guardrails. Second, the incident reinforces the danger of infinite token approvals. Users who had granted only finite, per-transaction approvals were entirely unaffected by this exploit. Third, rapid incident response proved essential in limiting the damage.

For DeFi protocols managing cross-chain operations, the LI.FI exploit serves as a stark reminder that the complexity of multi-chain interactions amplifies the attack surface. Each new chain integration and each new contract facet introduces potential failure points that must be rigorously tested before deployment.

User Action Required

Users who interact with any cross-chain bridge or aggregator should immediately review their token approvals. Tools like Revoke.cash and Etherscan’s token approval checker allow users to identify and revoke infinite approvals. Replace them with finite approvals for each transaction, or use protocols that default to per-transaction spending limits. This single practice would have prevented losses for all 153 wallets affected by the LI.FI exploit. As the DeFi ecosystem continues to grow, with total value locked surging past $90 billion, personal security hygiene remains the most effective defense against smart contract vulnerabilities.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before interacting with any DeFi protocol.

9 thoughts on “LI.FI Protocol Drained of $11.6 Million in Smart Contract Facet Exploit”

    1. audits catch known patterns. this was described as individual human error during deployment. different problem entirely

      1. individual human error during deployment. this is why multi-sig and time locks exist. one person shouldn't be able to ship a facet solo

        1. multi-sig deployment is standard at every serious protocol now. one person shipping a facet solo is a process failure not just a human error

      2. deploy_sentry

        Mike T. audits catch patterns but the deployment process failed here, not the audit. you can audit every facet and still ship a vulnerable one if one person bypasses review

  1. 153 wallets drained because of infinite approvals. revoke your old token permissions people, it takes 2 minutes on revoke.cash

    1. infinite approvals are a ticking time bomb. set approvals to exact amounts or use ephemeral approvals. no excuse in 2024

      1. exact amount approvals should be the default in every wallet UI. infinite approvals are a relic from 2020 gas optimization that should have been killed years ago

        1. Pranav G. exact amount approvals are the answer but the UX cost is real. every wallet forces you to calculate gas plus allowance manually. the defaults need to change at the protocol level not just wallet UI
