Cross-chain DeFi protocol Li.Fi is suspected to have lost about $11 million in cryptocurrencies in an exploit. The protocol provided the updated figure after blockchain security firm CertiK previously pointed to nearly $9 million earlier Tuesday.

A wallet linked to the suspected hack on Tuesday held nearly $6 million in Ethereum (ETH) along with various amounts of several stablecoins, according to CertiK. The exploit, which is still being investigated, appears to have targeted some Li.Fi users who manually adjusted the settings on their accounts, the protocol’s team said Tuesday in an X post. 

Li.Fi told Decrypt that users are no longer at risk and that the exploit had been "contained."

The crypto wallet that is suspected of holding the stolen funds contains roughly $5.8 million in ether, in addition to USDC, USDT and DAI stablecoins, blockchain data shows

Li.Fi urged users on Tuesday to “immediately use our secluded revoke website,” noting that it had identified four additional security breaches in a Twitter (aka X) post.

Users should revoke permissions via revoke.cash, according to Li.Fi. Traders can visit scan.li.fi to check if their accounts have been compromised.

A hacker likely exploited a vulnerability in the Li.Fi bridge, crypto security firm Decurity said Tuesday in a post on Twitter. 

"The root cause is a possibility of an arbitrary call with user controlled data via depositToGasZipERC20() in GasZipFacet which was deployed 5 days ago," Decurity wrote.

Li.Fi has suffered sizable losses due to security issues in recent years. In 2022, a bug in the protocol’s swapping feature resulted in losses of $600,000 in crypto, according to a post-mortem analysis of the attack by Li.Fi on Medium.

Edited by Andrew Hayward

Editor's note: This story was updated after publication to include new details from Li.Fi.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.