Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
LiFi is a DEX aggregation protocol. Recently, they added a new contract to the code. This contract accepted input for a swap but allowed the caller to invoke an arbitrary address with arbitrary data, without any input validation.
Since an attacker controlled both the call target and the data, and the call executed in the context of the contract, it was possible to abuse ERC20 approvals with a confused-deputy-like attack. If a user had granted token approvals to this contract, the funds could be stolen by an attacker. By doing this, the attacker netted about 10M.
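The bug class described above, shown next to one common mitigation. This is an added sketch, not LiFi's code: the contract name, function names and the `allowed` mapping are hypothetical, and the allowlist is one assumed fix rather than the project's actual patch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical aggregator sketch (added example, not the protocol's own code).
contract SwapSketch {
    address public immutable owner;
    // Vetted (target, selector) pairs, e.g. a DEX router's swap function.
    // Token contracts must never appear here as targets.
    mapping(address => mapping(bytes4 => bool)) public allowed;

    error CallNotAllowed(address target, bytes4 selector);
    error CalldataTooShort();
    error CallFailed();

    constructor() {
        owner = msg.sender;
    }

    function setAllowed(address target, bytes4 selector, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[target][selector] = ok;
    }

    // Vulnerable shape: the caller chooses both the address and the calldata.
    // The callee sees msg.sender == this contract, so a token that users have
    // approved to this contract treats the call as coming from the approved spender.
    function swapUnchecked(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data);
        if (!ok) revert CallFailed();
    }

    // Hardened shape: only vetted (target, selector) pairs are reachable, so
    // caller-supplied calldata cannot be pointed at an ERC20 contract.
    function swapChecked(address target, bytes calldata data) external payable {
        if (data.length < 4) revert CalldataTooShort();
        bytes4 selector = bytes4(data[:4]);
        if (!allowed[target][selector]) revert CallNotAllowed(target, selector);
        (bool ok, ) = target.call{value: msg.value}(data);
        if (!ok) revert CallFailed();
    }
}
```

When reviewing an aggregator, every low-level `call` whose target or calldata comes from user input deserves this check, especially in contracts that hold user approvals.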
According to the post, the Socket protocol hack earlier in 2024 was likely carried out by the same attacker. Much of the same code was used and it was a very similar attack.
The most interesting part to me is the timing of this. The contract had only been deployed for a few days and appeared to have NOT received an audit before launch. It's really true that every line of code released should be audited in some capacity. Otherwise, a bug can slip through the cracks.