LI.FI publishes incident report about nearly $12 million hack, blames ‘human error'

LI.FI, the popular cross-chain blockchain protocol, exploited on Tuesday, has published an incident report showing that an “individual human error” during a smart contract update left the protocol vulnerable to bad actors. An estimated 153 wallets were affected, with losses nearing $12 million worth of USDC, USDT and DAI stablecoins.

“Upon detecting the security breach, our team immediately activated the incident response plan, successfully disabling the vulnerable facet across all chains. This action contained the threat and prevented any further unauthorized access,” the team wrote in the report published Thursday.

The team goes on to say they were able to quickly detect the security breach, activate an “incident response plan” and disable the faulty code, thereby containing the threat and preventing “any further unauthorized access.”

According to the report, the vulnerability stemmed from an issue with validating transactions through an issue with how the protocol interacted with a shared LibSwap code library used by multiple decentralized exchanges and other DeFi protocols due to “an individual human error in overseeing the deployment process.”

Security firm Decurity previously suggested the “root cause” appeared to be an issue with an update to one of LI.FI’s smart contracts.

LI.FI said its primary concern now is assisting in the recovery of user funds, and is collaborating with law enforcement authorities and web3 security firms on that front.

“If you are an affected wallet holder, please complete the following form so that we can get in touch with you directly. Your cooperation is greatly appreciated,” the team wrote.

LI.FI is a protocol that allows users to trade across various blockchains and is integrated into a number of wallets. Security firm PeckShield found the protocol suffered a similar exploit resulting in a $600,000 loss in 2022.