News
Level Finance [LVL] confirms $1 million exploit due to bug
Level Finance witnessed a security compromise, allowing an attacker to steal more than $1 million of its native Level Finance (LVL) token.
- An attacker stole more than $1 million of Level Finance’s native Level Finance [LVL] token.
- Euler Finance ($197 million stolen) and Sentiment ($1 million stolen) are two of the year’s most notable hacks.
Level Finance, a decentralized exchange, witnessed a security compromise on 1 May, allowing an attacker to steal more than $1 million of the platform’s native LVL token.
Level Finance alerted its 20,000 Twitter followers that over 214,000 of the exchange’s LVL tokens had been stolen and exchanged for 3,345 Binance Coin [BNB], with a market worth of around $1.01 million.
An exploit targeted our Referral Controller Contract.
– 214k LVL tokens drained to exploiters address.
– Attacker swapped LVL to 3,345 BNB
– Exploit was isolated from other contracts.
– Fix to be deployed in 12 Hrs.
– LP's and DAO treasury UNAFFECTED.More details to follow.
— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023
Level Finance: How the hack took place
Level Finance’s “LevelReferralControllerV2” smart contract featured a fault that allowed for “repeated referral claims” from the same period, according to blockchain security startup Peckshield. The exchange also verified this in a later statement on Discord.
The v2 controller contract has received multiple calls to the “claim multiple” function within the last 48 hours, according to data from Binance chain explorer BSC Scan.
As of now, the contract’s implementation does not appear to have changed after the attack. However, Level Finance stated that it would release a fresh implementation of the referral contract within the following 12 hours.
The exchange also stated that the hack had no effect on its liquidity pools or connected DAOs.
According to DeDotFiSecurity, the team has temporarily shut down the referral program, effectively ending the attack.
2/ $LVL team says claims that the referral contract was exploited.
The referral program is now temporarily shut down.
Team also claims that the exploit is isolated from other contracts. pic.twitter.com/vi3GXjzR2X
— De.Fi ?️ Web3 Antivirus (@DeDotFiSecurity) May 1, 2023
Level Finance announced on Discord that the issue has been isolated from other exploits and that exchange users should “stand by for a full postmortem.”
DeFi attacks continue in 2023
Level finance is a permanent market that is decentralized and non-custodial. The platform, built on BNB Chain, now has a TVL of $32.5 million. It had a TVL of around $41 million prior to the attack.
Level Finance claims to offer programmable pools of liquidity, efficient capital hedging, and risk management, among other things. The network’s utility token, the LVL token, incentivizes adoption across the entire ecosystem.
