defirisk.co
rubric v1.7.0

LiFi Protocol (Jumper Exchange): Call Injection via Unvalidated Swap Function

LiFi lost $9.73M when an unaudited new contract facet introduced a call-injection vulnerability: a swap function that executed caller-supplied calldata against a caller-supplied address, letting an attacker drain wallets that had granted the protocol unlimited token approvals, across multiple chains. It is the same vulnerability class as LiFi's own 2022 hack.

Occurred: 2024-07-16 · Loss: $10M (reported $9.73M, rounded) · Status: closed

Summary #

LiFi Protocol (Jumper Exchange), a cross-chain bridge aggregator / DEX aggregator, suffered a call-injection exploit on 2024-07-16, resulting in a loss of approximately $10M.

What happened #

On 2024-07-16 an attacker drained roughly $9.73M from users of LiFi Protocol (Jumper Exchange) across multiple chains. A new contract facet, deployed on July 11 without an audit, exposed a swap function that forwarded a caller-supplied target address and calldata without validating either the target or the calldata it would execute. Because users had granted the LiFi contract unlimited token approvals, the attacker could supply calldata that made the contract call transferFrom on the token contracts and move the approved balances to the attacker's address; the token contracts saw the approved spender as msg.sender and allowed the transfers. This is the same vulnerability class, call injection via an unvalidated swap function, that was used in LiFi's own 2022 hack.
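To make the vulnerability class concrete, the following is an added illustration and not LiFi's code: a minimal facet that forwards a caller-supplied target and calldata unchecked, the payload an attacker passes to it, and a hardened form that allowlists both the target contract and the 4-byte selector. The contract, struct and function names (VulnerableSwapFacet, SwapData, DrainPayload, HardenedSwapFacet) are assumed for the example and do not correspond to the deployed facet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of "call injection via unvalidated swap function".
// Not LiFi's code; all names below are assumed for the example.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Caller-supplied description of the swap the facet is asked to perform.
struct SwapData {
    address callTo;   // contract the facet will call (expected: a DEX router)
    bytes callData;   // calldata for that call, forwarded verbatim
}

// Vulnerable pattern: any address, any calldata, executed so that the token
// sees the facet (the contract users approved) as msg.sender.
contract VulnerableSwapFacet {
    function swap(SwapData calldata s) external payable {
        (bool ok, bytes memory ret) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, string(ret));
    }
}

// What the attacker passes: callTo = the token contract,
// callData = transferFrom(victim, attacker, amount).
// The victim's unlimited allowance to the facet makes the transfer succeed.
library DrainPayload {
    function build(address token, address victim, address to, uint256 amount)
        internal pure returns (SwapData memory)
    {
        return SwapData({
            callTo: token,
            callData: abi.encodeWithSelector(IERC20.transferFrom.selector, victim, to, amount)
        });
    }
}

// Hardened pattern: the target must be an allowlisted contract AND the
// selector must be allowlisted; transferFrom can never be added, and token
// contracts should never be put on the contract allowlist.
contract HardenedSwapFacet {
    address public immutable owner;
    mapping(address => bool) public allowedContract;
    mapping(bytes4 => bool) public allowedSelector;

    error NotOwner();
    error ContractNotAllowed(address callTo);
    error SelectorNotAllowed(bytes4 selector);
    error CallDataTooShort();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    function setAllowedContract(address c, bool allowed) external onlyOwner {
        allowedContract[c] = allowed;
    }

    function setAllowedSelector(bytes4 sel, bool allowed) external onlyOwner {
        // The swap path must never be able to pull user funds via transferFrom.
        require(sel != IERC20.transferFrom.selector, "transferFrom not allowed");
        allowedSelector[sel] = allowed;
    }

    function swap(SwapData calldata s) external payable {
        if (!allowedContract[s.callTo]) revert ContractNotAllowed(s.callTo);
        if (s.callData.length < 4) revert CallDataTooShort();
        bytes4 sel = bytes4(s.callData[:4]);
        if (!allowedSelector[sel]) revert SelectorNotAllowed(sel);
        (bool ok, bytes memory ret) = s.callTo.call{value: msg.value}(s.callData);
        require(ok, string(ret));
    }
}
```

Both checks are needed: a selector allowlist alone is useless because an attacker-deployed contract can expose any selector, and a contract allowlist alone still lets an allowlisted router be called with unexpected functions. The allowlist also only protects this call path; the standing exposure is the unlimited allowances users granted to the contract, which any future unchecked path (such as a newly deployed facet) can spend, so users reduce their own risk by approving only the amount of each swap.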

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — new facet was not audited]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited new code]
  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — new facet deployed July 11, 5 days before exploit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]