How Does Jumper Exchange Work?
Jumper Exchange is the consumer-facing frontend built on LI.FI. It's one of the most popular bridge+swap interfaces in DeFi — ~$20B cumulative bridge volume across 62 chains. Since it runs on LI.FI, every smart-contract risk belongs to LI.FI's Diamond architecture and the 23+ underlying bridges it routes through. That means: two historical LI.FI exploits (2022 $600K, 2024 $11.6M) both cascaded into Jumper users; every user has outstanding infinite approvals to the LI.FI Diamond; and post-KelpDAO April 2026, any LayerZero-routed flow inherits that exploit's attack vector.
TVL
—
Sector
Bridge
Risk Grade
D+
Value Grade
D
Core Mechanisms
8.1.2 Liquidity pool bridges
Consumer UI on top of LI.FI protocol
Jumper is a frontend, not its own bridge protocol. It uses the LI.FI SDK to route user swaps/bridges through 23+ underlying bridges. All smart-contract risk lives in the LI.FI Diamond.
8.1.3 Message-passing bridges
Inherits LI.FI's 23-bridge routing (LayerZero, Stargate, Across, Hop, CCTP, etc.)
Every bridge LI.FI integrates becomes a Jumper user exposure. Includes LayerZero, which was the KelpDAO April 2026 attack vector.
7.3.1 Points-to-token conversion
Jumper Loyalty Pass (JLP) points program
Jumper runs a gamified points/loyalty program to incentivize usage. Creates potential sybil and farming dynamics.
2.1.2 Percentage-based fee
Swap/bridge markup on top of LI.FI routes
Jumper takes a small spread on each trade, paid to LI.FI economics.
5.4.1 Multisig override
Frontend + contract stack inherited from LI.FI multisig authority
Jumper does not control its own smart contracts; the backing Diamond is LI.FI-controlled via their multisig.
How the Pieces Interact
Every Jumper user grants infinite approvals to the LI.FI Diamond. Any LI.FI facet exploit (two have happened) cascades directly into Jumper users. Large consumer base = large victim surface.
Jumper users' routes can pass through compromised bridges (LayerZero DVN flaw, Across relayer issues, etc.). KelpDAO April 2026 directly demonstrated this risk for LayerZero-routed flows.
Gamified points inflate volume numbers and incentivize sybil farming. Creates skewed expectations for future airdrops and may lead to mercenary usage patterns.
Jumper is a prime phishing target given its broad retail user base. Fake Jumper sites and malicious wallet extensions are a persistent issue.
What Could Go Wrong
- Jumper is the consumer front-end for LI.FI — it inherits every LI.FI vulnerability (two historical exploits, Diamond-facet shared-approval architecture, upstream bridge risks)
- Consumer-facing product means less-sophisticated users grant infinite approvals without understanding the implications, widening the victim surface for any future exploit
- ~$20B cumulative bridge volume means a large historical user footprint with active approvals — any LI.FI facet exploit cascades directly into Jumper users
LI.FI Facet Exploit Cascades Into Jumper User Base
ElevatedTrigger: A third LI.FI Diamond facet exploit (following March 2022 and July 2024) drains user approvals across the Jumper user base
- 1.New facet deployed or existing facet compromised on LI.FI Diamond — Draining path opens on all wallets with LI.FI approvals
- 2.Jumper users — many less-sophisticated than protocol-level LI.FI users — are drained at scale — Mass user losses; consumer-facing brand takes reputational hit
- 3.Jumper issues revocation guidance; LI.FI patches facet — Remediation in progress but damage done
- 4.Trust damage reduces future Jumper volume — Business impact for both Jumper and LI.FI
Risk Profile at a Glance
Overall: D+ (59/100)
Lower score = safer