Today’s LiFi hack happened because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract.

Mar 20, 2022 · 11:37 PM UTC

Since the contract was designed to make multiple swaps in a single transaction, the attacker sent a single huge transaction with a wall of transferFrom's for the contract to send, each moving money from a user that had approved the contract, to the attacker:
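A screening check for the pattern described in the two posts above, as an added example that is not part of the original thread or LiFi's code: it walks the (target, calldata) steps of a multi-swap request and flags any step whose target is not allowlisted or whose calldata is a transferFrom pulling from someone other than the caller. The function names, addresses, amounts and the placeholder selector are constructed for illustration; only the transferFrom selector `0x23b872dd` is the standard ERC-20 value.

```python
# Added example: screen the (target, calldata) steps of a multi-swap request.
# All addresses, amounts and the non-ERC-20 selector are constructed sample values.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)

def addr_word(addr: str) -> bytes:
    """ABI-encode a 20-byte address as a left-padded 32-byte word."""
    return bytes(12) + bytes.fromhex(addr[2:])

def decode_transfer_from(data: bytes):
    """Return (owner, recipient, amount) for a transferFrom call, else None."""
    if len(data) < 4 + 3 * 32 or data[:4] != TRANSFER_FROM:
        return None
    w = [data[4 + 32 * i: 36 + 32 * i] for i in range(3)]
    return "0x" + w[0][12:].hex(), "0x" + w[1][12:].hex(), int.from_bytes(w[2], "big")

def screen_steps(steps, allowed_targets, caller):
    """Flag steps a swap router should refuse to forward."""
    findings = []
    for i, (target, data) in enumerate(steps):
        # Check 1: the call target must be a known exchange, never an arbitrary address.
        if target.lower() not in allowed_targets:
            findings.append((i, "target not allowlisted"))
        # Check 2: the router must never spend an allowance granted by a third party.
        decoded = decode_transfer_from(data)
        if decoded and decoded[0] != caller.lower():
            findings.append((i, "transferFrom from non-caller " + decoded[0]))
    return findings

CALLER = "0x" + "aa" * 20    # constructed: account submitting the swap request
DEX = "0x" + "dd" * 20       # constructed: the one allowlisted exchange
TOKEN = "0x" + "70" * 20     # constructed: an ERC-20 token contract
APPROVER = "0x" + "11" * 20  # constructed: a user who approved the router

SAMPLE_STEPS = [
    # Ordinary step: allowlisted target, placeholder (non-ERC-20) selector.
    (DEX, bytes.fromhex("12345678") + (1000).to_bytes(32, "big")),
    # Step shaped like the ones in the incident: token as target, transferFrom as message.
    (TOKEN, TRANSFER_FROM + addr_word(APPROVER) + addr_word(CALLER)
     + (5 * 10**18).to_bytes(32, "big")),
]

if __name__ == "__main__":
    for idx, reason in screen_steps(SAMPLE_STEPS, {DEX}, CALLER):
        print(f"step {idx}: {reason}")
```

The two checks are independent on purpose: allowlisting the token address as a target would still leave the second check to catch the allowance drain.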
Replying to @danielvf
Having no transferFrom / approve solves this.
Replying to @danielvf
That's.. not great. 🧐
Replying to @danielvf
The obvious question is why is there a lack of security standardization/checks that prevents insecure contracts from being deployed in the first place?
Replying to @danielvf
Sound familiar @transmissions11 ? 😅
Replying to @danielvf
// solhint-disable-next-line avoid-low-level-calls that's really putting salt in the wound ._.
Replying to @danielvf
Remember that debug button back in VB days— need one of those for smart contracts
Replying to @danielvf
Contract copy paste...
Replying to @danielvf
Just another day in ethereum blockchain...