Beosin: LI.FI attacker uses call injection in the project contract to transfer user assets approved to the contract
According to Beosin Alert monitoring, the cross-chain protocol LI.FI was attacked. The Beosin security team analyzed the incident and found that the attacker used call injection in the project contract to transfer user assets that had been approved to that contract. The LI.FI project contract exposes a depositToGasZipERC20 function that swaps a specified token for the native coin and deposits the proceeds into the GasZip contract. The swap logic, however, places no restriction on the data passed to the external call, so an attacker can use this function to perform a call injection attack and drain assets that users had approved to the contract.
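To make the vulnerability class concrete, here is an added illustrative Solidity example that is not LI.FI's or GasZip's code: only the function name is taken from the alert, while the GasZip deposit interface, the swap flow and the allowlist design are assumptions. It shows a simplified deposit contract with the unrestricted external call beside a hardened version that executes only allowlisted (target, function selector) pairs and clears its allowance afterwards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}
// Hypothetical GasZip deposit interface, used only for this illustration.
interface IGasZip {
    function deposit(address receiver) external payable;
}

// Illustrative "before" pattern: swap target and calldata are caller-controlled and unchecked.
contract UncheckedSwapDeposit {
    IGasZip public immutable gasZip;
    constructor(IGasZip _gasZip) { gasZip = _gasZip; }
    receive() external payable {} // receives the native coin returned by the swap

    function depositToGasZipERC20(address token, uint256 amount, address swapTarget, bytes calldata swapData) external {
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        IERC20(token).approve(swapTarget, amount);
        // Injection point: the call executes with this contract as msg.sender, so it
        // carries every ERC20 allowance users have granted to this contract.
        (bool ok, ) = swapTarget.call(swapData);
        require(ok, "swap failed");
        gasZip.deposit{value: address(this).balance}(msg.sender);
    }
}

// Hardened pattern: only an allowlisted (router, function selector) pair may be called.
contract CheckedSwapDeposit {
    IGasZip public immutable gasZip;
    address public immutable owner;
    mapping(address => mapping(bytes4 => bool)) public allowedCall;
    constructor(IGasZip _gasZip) { gasZip = _gasZip; owner = msg.sender; }
    receive() external payable {}

    function setAllowedCall(address target, bytes4 selector, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedCall[target][selector] = allowed;
    }

    function depositToGasZipERC20(address token, uint256 amount, address swapTarget, bytes calldata swapData) external {
        // Reject any target/selector the operator has not explicitly approved (e.g. an audited DEX router's swap function).
        require(swapData.length >= 4 && allowedCall[swapTarget][bytes4(swapData[:4])], "call not allowlisted");
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        IERC20(token).approve(swapTarget, amount);
        (bool ok, ) = swapTarget.call(swapData);
        require(ok, "swap failed");
        IERC20(token).approve(swapTarget, 0); // leave no standing allowance behind
        gasZip.deposit{value: address(this).balance}(msg.sender);
    }
}
```

Allowlisting the selector as well as the target matters because a router may expose functions other than the intended swap; pairing both closes the injection point the alert describes.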
Attacker address: 0x8B.... DcF3. Attacked contract: 0x1231.... F4EaE.