Lifinity USDC pool drained by arbitrage bot

Decentralized exchange (DEX) Lifinity had its LFNTY-USDC pool drained by an arbitrage bot on Dec. 8. According to Lifinity’s Discord channel, an unexpected response to a failed trade caused the $699,090 loss.

A Lifinity’s core member known as Durden explained that a bot attempted an arbitrage trade following the route USDC > xLFNTY > LFNTY > USDC, trying to profit from price discrepancies between different trading pairs.

Here’s how the events transpired in the @Lifinity_io Discord when the 700k arb happened

I noticed something wrong with LFNTY’s price and alerted zoro, one of the devs on the platform.

At first glance, it appeared that the protocol had gotten hacked pic.twitter.com/ebXfK9pDW3

— Shardo (@DrashoWho) December 8, 2023

The bot initiated an Immediate-or-Cancel (IOC) market order on Serum v3, a type of order that must be executed immediately at the current market price if filled. Orders that cannot be filled immediately are canceled.

“But instead of returning an error, as most programs do, it returned 0 amount out. Our pools processed the 0 amount in and also returned 0 amount out,” Durden noted, before explaining that it led the program to update the last transaction price to 0, making the next starting price also 0. “Since it’s a CP curve, the actual price won’t be 0, but the pool did offer an extremely low price, resulting in the drain right after.”

Lifinity v1 is an automated market maker (AMM), which means it uses algorithms to create liquidity in trading pairs. According to Durden, it relies on constant product market maker (CPMM), a specific type of AMM model, to maintain an equilibrium between two token quantities in a liquidity pool.

Other decentralized exchanges, such as Unisawp and Bancor, also use this model. Lifinity v1 doesn’t support a standard constant product (CP) curve used in traditional CPMMs, but it can replicate its function. One of the solutions used to replicate it was calling a “last price” function to the next starting price. However, since the bug returned a 0 price, the bot was able to exploit the discrepancy and wipe out the funds.

Cointelegraph reached out to Lifinity’s team but did not receive an immediate response. On X (former Twitter), a community member pointed out that the incident was not a result of an attack.

Lifinity’s team is apparently working on reintroducing liquidity to the pool while reviewing the protocol code and attempting to recover funds. Trades resulting in 0 amounts are no longer accepted.

Magazine: Exclusive — 2 years after John McAfee’s death, widow Janice is broke and needs answers