LI.FI is a cross-chain aggregation protocol that combines multiple bridges and DEXs to enable seamless asset transfers between different blockchains. The protocol uses a diamond pattern (EIP-2535) smart contract architecture, in which a main contract delegates calls to specialized facet contracts that handle specific bridge and DEX integrations. It simplifies cross-chain transfers for both developers and users by providing a single unified solution instead of requiring individual bridge integrations.

Prize distribution and scoring

  • Total Prize Pool: $450,000

  • Primary Prize Pool: $440,000

  • The prize distribution has 2 possible triggers:

    • If one or more valid medium severity findings are found, the total pot size is $50,000
    • If one or more valid high severity findings are found, the total pot size is $450,000
  • $10,000 of the prize pot is reserved for Low Severity findings. These reports are judged based on quality and reviewers are then ranked from 1st to 5th for the purpose of prize allocation.

    • 1st: $5k
    • 2nd: $2k
    • 3rd: $1.5k
    • 4th: $750
    • 5th: $750
  • Scoring is described on the competition scoring page.

  • Finding severities are described in detail on our docs page.

Severity Definitions:

Please note that the usual Likelihood-Impact matrix applies for this competition. The following are the impact definitions for a finding.

High Impact:

  • An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 20%-100% of the daily total user transfers across all EVM chains supported by LI.FI.

Medium Impact:

  • An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 0.5%-20% of the daily total user transfers across all EVM chains supported by LI.FI.
  • Issues that could impact numerous users and have serious reputational, legal or financial implications

Low Impact:

  • Smaller losses (by stealing, wasting or permanently freezing) - impacting only individual users, or specific tokens, bridges, or specific chains.

Documentation

Scope

Build Instructions

Basic POC test

In most cases, if the POC pertains to a particular facet or Periphery contract, it's best to just add a new test case to the matching test file. All contracts should have at least one matching test file in the test\ directory. If you want to make a more minimal POC, you can use the provided template, which has helpers to quickly bootstrap a diamond and add facets to it. You will need a basic understanding of EIP-2535.

Basic POC file

Out of scope

  • Issues already listed in previous security reports
  • Contracts may retain small amounts of dust after transactions despite preventive measures. This is a known and accepted limitation.
  • Direct funds sent to contracts cannot be recovered directly but can be extracted through specific transactions. This is a known and accepted risk.
  • Contracts are intended to work with our API. Complex operations (like packed facets) may fail without proper construction. Users bypassing the API accept the risk of transaction failures.
  • Some contracts prioritize gas efficiency over validation checks, increasing the likelihood of reverting under imperfect conditions. This is by design.
  • The repository under review contains updated code that is not yet rolled out to all chains.
  • Code in the archive folder is deprecated and outdated; it is not part of the audit.
  • We are aware that the repository contains outdated dependencies.
    • Bugs in third-party code
    • Third-party contracts that are not under the direct control of LI.FI (e.g. the Bridge and DEX contracts)
    • Brute force attacks
    • Rounding errors
    • Extreme market turmoil vulnerability
    • Any vulnerability that is previously known by the LI.FI team

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.

Summary

Status: Completed

Total reward: $450,000

Findings submitted: 364

Start date: 13 Jan 2025 8:00pm (local time)

End date: 24 Feb 2025 8:00pm (local time)