Incident case

LI.FI 2024 facet approval exploit

A newly deployed smart-contract facet omitted validation around arbitrary external calls, allowing an attacker to drain assets from 153 Ethereum and Arbitrum wallets with infinite approvals.

reviewedcurrent

Incident facts

Incident title: LI.FI 2024 facet approval exploit
Bridge: LI.FI
Incident date: 2024-07-16
Incident type: Exploit
Major incident: Yes
Affected chains: Ethereum, Arbitrum
Affected assets: USDC, USDT, DAI
Attack category: Cross Chain Contract Exploit
Reported loss: Approximately $11.6 million
Recovery: Unknown
Reimbursement: Announced
Restart: Reopened
Current outcome: Active After Incident
Resolution: Unresolved
Last reviewed: 2026-06-15
Last verified: 2026-06-15

Timeline events

LI.FI facet exploit disclosed and contained2024-07-16
LI.FI disabled a newly deployed vulnerable facet after unauthorized withdrawals from wallets with infinite approvals on Ethereum and Arbitrum.
Exploit DisclosedHigh
Security incident report and compensation review published2024-07-18
LI.FI attributed the vulnerability to a missing validation check introduced through human deployment error and said full-compensation options were being evaluated.
Incident Report PublishedHigh

Evidence records

Security Incident Report 16th July
LI.FI · Tier 1 · 2024-07-18
Defi Protocol LI.FI Struck by $11M Exploit
CoinDesk · Tier 2 · 2024-07-16

Known unknowns

Later reimbursement completion requires a dedicated source review.
The final law-enforcement and asset-tracing outcome is unknown.