DEX aggregator Lithium Finance reported a hacker attack in which 205 ETH (~$591,630) was stolen from 29 wallets connected to the service. The project team closed the exploit and compensated most of the affected users for their losses.
According to the report, on March 20 an attacker exploited a vulnerability in the Lithium Finance smart contract that allowed assets to be transferred from the wallets of users who had signed an “indefinite approval” for the protocol.
An analyst at the investment company Paradigm who goes by the nickname t11s stressed that even a thorough audit could not have revealed this exploit. According to him, the error in the code was easy for Lithium Finance to miss, and it is “invisible if you are in your right mind.”
When the project team found out about the incident, it disabled all swaps on the platform. However, the hacker managed to withdraw about $600,000 in tokens, including USD Coin (USDC), Polygon (MATIC), Tether (USDT) and others.
The attacker converted the stolen assets into Ethereum. The cryptocurrency is still stored at his address.
Li Finance stated that it had reimbursed the losses of 25 wallets for a total of $80,000. The remaining four wallets account for about $517,000 of the stolen funds. The team contacted the owners of those addresses and offered them “special” compensation:
“In order to reduce the damage to our treasury, we propose to convert the lost funds into angel investments of Lithium Finance and into future li tokens. The Internet is on the same terms as for our investors in the current funding round. […] However, the final decision remains with the users.”
Li Finance.
“Umbrella Network”. The attacker used an exploit in staking contracts for liquidity providers of Ethereum and BNB pools.
As a result of the attack, the hacker withdrew tokens from these pools. The project team stated that the attacker had sold over 2.2 million UMBs on the open market. PeckShield experts estimated the damage at $700,000.
The Umbrella Network guaranteed that they would pay compensation to all affected users. The team also stressed that other smart contracts of the protocol were not affected.
The investigation of the incident has not been completed; detailed information was promised to be published later.
Recall that in March 2022, hackers stole $11 million by hacking the DeFi protocols Agave and sto finance.