LI.FI Attack Incident Tracking

ChainCatcher news, the cross-chain bridge protocol LI.FI announced that it will start contacting affected users tomorrow to provide details of a voluntary compensation plan. Users participating in the compensation plan need to fill out the relevant form.

ChainCatcher news, according to Beosin Alert monitoring, the cross-chain protocol LI.FI has been attacked. The attacker primarily exploited the project contract's call injection to transfer user assets authorized to the contract. Beosin Trace tracked the stolen funds and found that the loss amounts include 6.3359 million USDT, 3.1919 million USDC, and 169,500 DAI, totaling approximately 10 million USD.The attack occurred on both the ETH and Arbitrum chains. Currently, most of the funds have been converted to ETH with no new developments. Beosin has added the hacker-related addresses to the KYT blacklist and will continue to monitor and track the situation.

ChainCatcher message, Revoke.cash posted on platform X that the LI.FI protocol encountered a token authorization vulnerability earlier today. Revoke.cash has released a vulnerability checking tool, allowing users to quickly check if their addresses are affected. Currently, it is known that the main impact is on the Ethereum network, and some contracts on other chains also have similar issues.

ChainCatcher message, according to Beosin Alert monitoring and early warning, the cross-chain protocol LI.FI has been attacked. The Beosin security team found that the vulnerability was caused by the attacker using a call injection in the project contract to transfer the assets of users authorized to the contract. The LI.FI project contract has a function called depositToGasZipERC20, which can exchange specified tokens for platform tokens and deposit them into the GasZip contract. However, the code in the exchange logic does not restrict the data of the call, allowing the attacker to exploit this function for a call injection attack, extracting the assets of users authorized to the contract.Attacker address: 0x8B3Cb6Bf982798fba233Bca56749e22EEc42DcF3Attacked contract: 0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaEAs of now, the total loss includes 6.3359 million USDT, 3.1919 million USDC, and 169,500 DAI, approximately 10 million USD.Beosin Trace is currently tracking the stolen funds.

ChainCatcher message, the community has reported "LI.FI: 4 more security vulnerabilities discovered, all user funds interacting with the LI.FI protocol are at risk." Upon investigation, the related message was posted by a phishing scam fake account, not an official LI.FI message. Users are reminded not to interact or click.

ChainCatcher news, according to the monitoring by Shield, noted that while analyzing today's LI.FI hack, it observed a similar early hack on the LI.FI protocol on March 20, 2022, where the vulnerabilities exploited were essentially the same.Previously, in March 2022, the cross-chain protocol Li.Finance was attacked, with the attacker executing 37 call injections, obtaining approximately $600,000 in assets (204 ETH) from multiple wallets.

ChainCatcher message, according to the official Twitter of the LI.FI protocol, is investigating a potential vulnerability issue. Users are advised to temporarily refrain from using any applications powered by LI.FI and revoke all authorizations for the following addresses:0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae,0x341e94069f53234fE6DabeF707aD424830525715,0xDE1E598b81620773454588B85D6b5D4eEC32573e,0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68.Only users who manually set unlimited authorization are affected.

ChainCatcher message, according to SoSoValue data, yesterday (Eastern Time July 10) the total net inflow of Bitcoin spot ETFs was $147 million. Yesterday, Grayscale ETF GBTC had a net outflow of $8.1525 million, and the historical net outflow of GBTC is currently $18.623 billion.The Bitcoin spot ETF with the highest net inflow yesterday was Fidelity ETF FBTC, with a net inflow of $57.7857 million, and the historical total net inflow of FBTC has reached $9.571 billion. Following that is Franklin Templeton ETF EZBC, with a net inflow of $31.6615 million, and the historical total net inflow of EZBC has reached $379 million.As of now, the total net asset value of Bitcoin spot ETFs is $50.620 billion, and the ETF net asset ratio (market value compared to the total market value of Bitcoin) is 4.47%, with a historical cumulative net inflow of $15.422 billion.

ChainCatcher news, according to Cointelegraph, Bitwise Chief Compliance Officer Katherine Dowling stated that the issues in the S-1 filing have been repeatedly scrutinized between the SEC and potential ETF issuers, and the problems have become "fewer and fewer." A list of eight Ethereum spot ETFs is about to go live, and all signs indicate that we are nearing the finish line for issuance. Several spot Ethereum ETF issuers have been waiting for six weeks for the SEC to sign their S-1 registration statements.Bitwise Chief Investment Officer Matt Hougan speculated that the Ethereum spot ETF could attract up to $15 billion in inflows during the first 18 months of trading—roughly the same amount that the spot Bitcoin ETF attracted in its first six months after launch.Dowling revealed that the U.S. Securities and Exchange Commission is also open to discussions regarding non-Bitcoin and Ethereum products. "We have actually had conversations with the SEC about the possibility of launching new products, and the communication about the prospects of these products has been very well received."Dowling stated, "Some new products may need to wait for the new SEC chair to be approved, but this is a positive dialogue." The Chicago Board Options Exchange (CBOE) submitted a spot listing application for the Solana (SOL) ETF on behalf of VanEck and 21Shares on July 8.