The Li Finance swap aggregator suffered a smart contract exploit that drained around $600,000 from 29 users’ wallets, according to a report.
The attack happened at 2:51 a.m. UTC Sunday (about 11 p.m. EDT Saturday), according to Cointelegraph.
The attacker exploited a bug in the contract to pull various amounts of different tokens out of wallets that had granted the Li Finance protocol an “infinite approval.” Such an unlimited ERC-20 allowance lets the approved contract move any amount of that token from the user’s wallet at any time, so a bug in the contract exposes the wallet’s entire balance of each approved token rather than only the amount of a single swap.
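To make the allowance mechanics concrete, here is an added toy model (not LI.FI’s contract, and not code from the report) of an ERC-20-style token and a spender contract with a hypothetical arbitrary-call bug. The names `Token`, `BuggySpender`, `drain` and `simulate`, the balances, and the bug itself are all constructed for illustration. It shows why an unlimited approval turns a contract bug into a full-wallet drain, while an exact-amount approval bounds the loss to what is still outstanding, and it includes a small allowance audit that a user or monitoring script would want:

```python
"""Toy model of ERC-20 allowances and the "infinite approval" failure mode.

Added example, not LI.FI code. The token, the spender contract and its
arbitrary-call bug are simplified stand-ins built for this illustration.
"""

MAX_UINT256 = 2**256 - 1  # the value wallets typically use for "infinite" approval


class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, owner, to, amount):
        """caller spends from owner's balance, bounded by owner's allowance."""
        allowed = self.allowance(owner, caller)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # many tokens never decrement a max approval
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class BuggySpender:
    """The contract users approve. Hypothetical bug: it forwards an arbitrary
    call with itself as the caller, so anyone can make it call transfer_from."""

    name = "spender"

    def __init__(self, token):
        self.token = token

    def swap(self, owner, amount):
        # Intended path: moves only the amount the user asked to swap.
        self.token.transfer_from(self.name, owner, "pool", amount)

    def arbitrary_call(self, fn, *args):
        # Unsafe: no allow-list on what the contract is asked to call.
        return fn(self.name, *args)


def drain(token, spender, victims, attacker):
    """Attacker abuses the arbitrary call to take each victim's balance,
    capped by that victim's remaining allowance for the spender."""
    stolen = 0
    for victim in victims:
        amount = min(token.balances.get(victim, 0),
                     token.allowance(victim, spender.name))
        if amount:
            spender.arbitrary_call(token.transfer_from, victim, attacker, amount)
            stolen += amount
    return stolen


def simulate(approval_amount):
    """Two users approve `approval_amount`, each swaps 100, then the attack runs.
    Returns the total stolen (constructed balances: alice 1000, bob 500)."""
    token = Token({"alice": 1000, "bob": 500})
    spender = BuggySpender(token)
    for user in ("alice", "bob"):
        token.approve(user, spender.name, approval_amount)
        spender.swap(user, 100)
    return drain(token, spender, ["alice", "bob"], "attacker")


def find_unlimited_approvals(token):
    """Audit helper: list (owner, spender) pairs holding a max-uint allowance."""
    return sorted(pair for pair, amt in token.allowances.items() if amt == MAX_UINT256)


def revoke(token, owner, spender):
    """Set the allowance to zero; equivalent to approve(spender, 0) on-chain."""
    token.approve(owner, spender, 0)
    return token.allowance(owner, spender)


if __name__ == "__main__":
    print("stolen with infinite approval:", simulate(MAX_UINT256))  # 1300
    print("stolen with exact approval:  ", simulate(100))          # 0
```

With unlimited approvals the attacker takes everything left after the swaps (900 + 400 = 1300); with exact-amount approvals the allowance is already spent, so the same bug yields nothing. The practical lesson is the one the audit helper encodes: enumerate outstanding max-uint allowances and revoke the ones that are no longer needed.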
The stolen tokens included USD Coin, Polygon, Rocket Pool, Gnosis, Tether, Metaverse Index, Audius, AAVE, Jarvis Reward Token and DAI.
The report said the attack was discovered 12 hours later, at which point all swapping functions were shut down. In a post-mortem, the Li Finance team said the attacker had swapped the stolen tokens for around 205 ether, valued at around $600,000. At the time of the report, the ether had not been moved from the attacker’s wallet.
The report says that of the 29 wallets hit in the attack, 25 had been reimbursed for their losses from treasury funds, but that those reimbursements amounted to only about $80,000, or 13% of the total value lost.
The owners of the remaining four wallets, which lost $517,000 combined, have been contacted and offered an investor’s stake to compensate them. The attacker has been contacted and offered a bug bounty.
PYMNTS wrote that the U.S. Department of Labor had recently warned retirement plan fiduciaries to exercise some caution before adding a crypto option to a 401(k) plan investment menu.
Read more: Labor Department Urges Caution on Crypto Retirement Plans
The report said the department had “serious concerns about the prudence of a fiduciary’s decision to expose a 401(k) plan’s participants to direct investments in cryptocurrencies, or other products whose value is tied to cryptocurrencies.”
Because of this, the department’s Employee Benefits Security Administration said it wants to look into plans offering crypto investments.
The department said plan fiduciaries should expect to be questioned about how they can square their actions with their “duties of prudence and loyalty in light of the risks.”