Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The LI.FI Hack Explained - 816

PNM & Narya Labs - Posted 3 Years Ago
  • LI.FI is a cross-chain bridge aggregation protocol. This allows for a multi-chain strategy.
  • When performing a swap or transfer of coins between chains, the public function swapAndStartBridgeTokensViaCBridge is called. Eventually, this hits the library function LibSwap.swap() with additional validation checks to ensure no shenanigans are being performed.
  • The function swap() makes a low-level call using call(). Both of the variables used for this call, callTo and callData, are fully controlled by the user making the swap.
  • In the context of smart contracts, this gives the ability to invoke arbitrary smart contract functions within the context of this contract; even a function that we create! In other words, we can run system on this. They seem to have static analysis in place for the smart contracts, as they added // solhint-disable-next-line avoid-low-level-calls as a comment to prevent it from looking at this bad call. Lolz.
  • This is not as simple as running system in order to steal all of the money. To do this, the attackers created their own contract that could be executed to drain user accounts. Since they were in the context of the main contract, they could perform actions on tokens of users that had trusted this contract with infinite approval.
  • Using this, they drained the accounts of 29 wallets, which is about 600K in US dollars. The post-mortem claims that "...LI.FI is safe to use." Frankly, I wouldn't believe this after such a blatant and horrible attack.
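
The low-level call pattern described above, next to a hardened form, as an added example (not code from LI.FI or from the linked post). The contract names, the SwapData struct layout, setAllowed and the allowlist mapping are hypothetical, and the allowlist is one common mitigation assumed here, not a fix the page describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical struct for illustration; only callTo and callData come from the page.
struct SwapData {
    address callTo;  // target of the low-level call
    bytes callData;  // raw calldata forwarded to callTo
}

contract VulnerableSwapper {
    // The caller picks both the target and the calldata, so the call is made
    // with this contract's identity (msg.sender seen by callTo is this contract).
    function swap(SwapData calldata s) external {
        // solhint-disable-next-line avoid-low-level-calls
        (bool ok, ) = s.callTo.call(s.callData);
        require(ok, "swap failed");
    }
}

contract HardenedSwapper {
    address public immutable owner;
    // Allowlist of (target, function selector) pairs that swap() may call.
    mapping(address => mapping(bytes4 => bool)) public allowed;

    constructor() {
        owner = msg.sender;
    }

    function setAllowed(address target, bytes4 selector, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[target][selector] = ok;
    }

    function swap(SwapData calldata s) external {
        require(s.callData.length >= 4, "calldata too short");
        bytes4 selector = bytes4(s.callData[:4]);
        // Reject every target/selector pair that was not explicitly approved.
        // Token contracts are never allowlisted, so approvals that users
        // granted to this contract cannot be spent through swap().
        require(allowed[s.callTo][selector], "call not allowlisted");
        // solhint-disable-next-line avoid-low-level-calls
        (bool ok, ) = s.callTo.call(s.callData);
        require(ok, "swap failed");
    }
}
```

The allowlist only narrows which calls are reachable; users who limit token approvals to the amount being swapped reduce what any remaining bug in such a contract can touch.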