In a recent report from Limited Results (via AppleInsider), it appears that they have discovered that LIFX’s HomeKit enabled smart bulbs do not encrypt the WiFi passwords that it stores. This means that in theory, hackers could be able to see your WiFi passwords and give them access to the local network. From there they could launch a variety of attacks if they so desired.
Thankfully though, the process involved to gain access to the stored WiFi passwords requires the attacker to have physical access to the bulb, and will need to do some removal of parts to get to the logic board where the passwords are stored. This means that there is a low chance of you actually getting hacked.
However the fact that the passwords are unencrypted is a security issue by itself and should probably be addressed all the same. The researcher informed LIFX of this issue back in may 2018 but it seems that until now, the issue has yet to be resolved.