LI.FI Attack: a Cross-chain Bridge Vulnerability? No, It’s Due to Unchecked External Call!

According to the report from the LI.FI project and the Daniel Von Fange’s twitter, LI.FI was attacked on March 20th, 2022. Since there is no detailed technical analysis of this vulnerability, we further analyze the attack in the following. We find the root cause of this attack is unchecked external call.

Attack Transaction

We started from the attack transaction to illustrate the attack process. The following screenshot shows the result of our transaction visualization system.

As shown in the above picutre, the whole attack process is fairly simple, which has no malicious smart contracts deployed and no flashloan involved. The only step the attacker performed is invoking the swapAndStartBridgeTokensViaCBridge(0x01c0a31a) function of the
CBridgeFacet contract, which then transfers various of tokens (e.g. USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI.) from different spenders to the EOA controllered by the attacker.

Code Analysis

We then dive in to the codes of the victim logic contract.

According to the above code, the swapAndStartBridgeTokensViaCBridge is an entrance of a cross-chain transfer in the source chain.

The LIFI project claims they can find the best route for users, named Smart Routing that is happening off-chain. In particular, front-end website computes the best route and encodes the parameters (including swap contract and routing path) into the parameters of the swapAndStartBridgeTokensViaCBridge function.

Clearly, the LIFI project does not consider that the function can be invoked by any accounts on blockchain, since the function performs no checks on the parameters, such as white-list and swap slippage. The most serious part is that the CBridgeFacet contract requires users to approve tokens, which causes the users' money at risk.

Profit

As a result, the attacker steals the money of LIFI users who approved their tokens to the CBridgeFacet contract by invoking the swapAnStartBridgeTokensViaCBridge function, which then invokes the transferFrom functions of different tokens. The loss statistics are shown in below table. The total losses are around $596K, which basically the same with the statistics from the LIFI project.

Lessons

This LIFI is a cross-chain bridge aggregator, and the victim contract is the entrance of the cross-chain transfer. The vulnerability is not due to complicated cross-chain logic, which has been shown in the previous security incidents in the cross-chain bridge. Instead, the root cause of this attack is the unchecked external call, which is one of the top-10 common issues in solidity.

Since the DeFi projects becoming more complex, the project developers need to pay more attentions to write safe codes in addition to writing correct business codes. We strongly recommend that the project should NOT deploy unaudited contracts on blockchains.

References

[1]: LI.FI Smart Contract Vulnerability Post Mortem

[2]: Twitter from Daniel Von Fange

[3]: Announcing Li.Finance — Plug&Play Interoperability

[4]: Solidity Top 10 Common Issues

About BlockSec

--

--

--

A Blockchain Security and Data Company.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

A Brief Update on OM Circulating Supply

Taxa and Findora Level Up Web3 Infra with Privacy-Preserving Computation

Transparency in the Digital Economy

WorkQuest is a global end-to-end jobs marketplace powered by Blockchain / DeFi

How Self-Governance Empowers the Bondex Community

Blockchain removes opportunity for Theft :: Governments & Banks don’t approve.

Terra Buidlers, Come Build on Rock-Solid Foundations

DAO Governance — Usage Made Easy

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
BlockSec

BlockSec

A Blockchain Security and Data Company.

More from Medium

Revisiting the Wormhole Attacks

Solana Exploit: $50 Million Stolen⚠️

Different parsers, different results

Perp v2 Goes Open Source!