Level Finance suffers $1 million hack amid buggy smart contract exploit, loses 214K LVL tokens
|- Level Finance is the latest victim of a hack, losing $1 million after the exploiter used a buggy smart contract.
- The hacker manipulated a “claim multiple” bug to steal over 214,000 LVL tokens from the exchange.
- Peckshield says the smart contract contained a bug that allowed for “repeated referral claims” from the same epoch.
- Level (LVL) price is down almost 25% as a massive sell-off continues.
Level Finance, a renowned decentralized exchange (DEX) is the latest victim of an exploit. Based on a recent report, the company suffered a security breach that saw the exploiter steal over $1 million of the exchange’s ticker token, Level Finance (LVL). The news first came in an official Twitter post from the company, informing its 20,000 followers about the exploit.
An exploit targeted our Referral Controller Contract.
— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023
- 214k LVL tokens drained to exploiters address.
- Attacker swapped LVL to 3,345 BNB
- Exploit was isolated from other contracts.
- Fix to be deployed in 12 Hrs.
- LP's and DAO treasury UNAFFECTED.
More details to follow.
An exploit targeted our Referral Controller Contract.
— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023
- 214k LVL tokens drained to exploiters address.
- Attacker swapped LVL to 3,345 BNB
- Exploit was isolated from other contracts.
- Fix to be deployed in 12 Hrs.
- LP's and DAO treasury UNAFFECTED.
More details to follow.
Based on the revelation, the threat actor drained over 214,000 LVL tokens from the exchange before swapping them for 3,345 Binance Coin. Based on current rates, the loot has an approximate value of $1.01 million.
Mechanism of the exploit, Peckshield
Peckshield, a popular blockchain security firm, has investigated the exploit. An excerpt from the firm’s report states:
Level Finance’s ‘LevelReferralControllerV2’ smart contract contained a bug that allowed for ‘repeated referral claims’ from the same epoch.
It seems the @Level__Finance's LevelReferralControllerV2 contract has a bug that allows for repeated referral claims from the same epoch. So far 214k LVLs have been drained and swapped into 3,345 BNB (~1M)
— PeckShield Inc. (@peckshield) May 1, 2023
Here is an example hack tx: https://t.co/isqHhzFk1Z https://t.co/ikOWx2ezf6 pic.twitter.com/wlr5bFFf0R
It seems the @Level__Finance's LevelReferralControllerV2 contract has a bug that allows for repeated referral claims from the same epoch. So far 214k LVLs have been drained and swapped into 3,345 BNB (~1M)
— PeckShield Inc. (@peckshield) May 1, 2023
Here is an example hack tx: https://t.co/isqHhzFk1Z https://t.co/ikOWx2ezf6 pic.twitter.com/wlr5bFFf0R
Level Finance later confirmed the statement made on Discord.
According to data from Binance chain explorer BSC Scan, the V2 controller smart contract reveals several calls of the ‘claim multiple’ function over the past two days. Meanwhile, as of press time, the implementation of the smart contract seems unaltered since the attack began. Nevertheless, the decentralized exchange has committed to deploying a new implementation of the referral contract over the next 12 hours.
Further, Level Finance DEX also highlighted that its liquidity polls (LP) associated with decentralized autonomous organizations (DAOs) were not affected during the attack.
In a Twitter statement, user @DeDotFiSecurity, acknowledged the Level Finance team saying they had “temporarily shut down the referral program,” to stop the attack as interventions continue.
2/ $LVL team says claims that the referral contract was exploited.
— De.Fi ️ Web3 Antivirus (@DeDotFiSecurity) May 1, 2023
The referral program is now temporarily shut down.
Team also claims that the exploit is isolated from other contracts. pic.twitter.com/vi3GXjzR2X
2/ $LVL team says claims that the referral contract was exploited.
— De.Fi ️ Web3 Antivirus (@DeDotFiSecurity) May 1, 2023
The referral program is now temporarily shut down.
Team also claims that the exploit is isolated from other contracts. pic.twitter.com/vi3GXjzR2X
Meanwhile, Level Finance told its Discord community that the attack had been isolated from other exploits, adding platform users should “stand by for a full post mortem.”
Level price reacts to massive sell-off
Level (LVL) price has reacted to the exploiter selling the altcoin, dropping almost 25% in the last 24 hours to exchange hands at $6.94 at the time of writing.
LVL/USDT 3-hour chart
Notably, Level price recorded an intra-day low of $2.90, representing a 60% descent before a pullback to the current level. The massive sell-off came as LVL holders succumbed to panic and hedged their holdings.
Crypto Twitter appears positive about the exploit after the DEX explained the incident.
https://t.co/cWvwWSCnMi
— Burgerflipper (@trmachine888) May 1, 2023
Bought this dip on $LVL , seems recoverable. Bummed I didnt have BNB on hand cause it went as low as 2. But I had to bridge first.
Lets hope the team solves this but apparently only referral contract compromised. pic.twitter.com/RRFhCIajGN
https://t.co/cWvwWSCnMi
— Burgerflipper (@trmachine888) May 1, 2023
Bought this dip on $LVL , seems recoverable. Bummed I didnt have BNB on hand cause it went as low as 2. But I had to bridge first.
Lets hope the team solves this but apparently only referral contract compromised. pic.twitter.com/RRFhCIajGN
Those who bought the dip at the $2.90 low have made some money, while others await a possible correction in Level price.
Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers.