Decentralized exchange Level Finance has experienced a security breach allowing an attacker to steal more than $1 million of the exchange’s native Level Finance (LVL) token.
Level Finance informed its 20,000 Twitter followers that more than 214,000 of the exchange’s LVL tokens had been drained and swapped into 3,345 Binance Coin (BNB), with an approximate value of $1.01 million.
An exploit targeted our Referral Controller Contract.
— 214k LVL tokens drained to exploiters address. — Attacker swapped LVL to 3,345 BNB — Exploit was isolated from other contracts. — Fix to be deployed in 12 Hrs. — LP’s and DAO treasury UNAFFECTED.
More details to follow.
— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023
According to blockchain security firm Peckshield, Level Finance’s “LevelReferralControllerV2” smart contract contained a bug that allowed for “repeated referral claims” from the same epoch. This was confirmed by Level Finance in a later statement made on Discord.
It seems the @Level__Finance’s LevelReferralControllerV2 contract has a bug that allows for repeated referral claims from the same epoch. So far 214k LVLs have been drained and swapped into 3,345 BNB (~1M)
Here is an example hack tx: https://t.co/isqHhzFk1Z https://t.co/ikOWx2ezf6 pic.twitter.com/wlr5bFFf0R
— PeckShield Inc. (@peckshield) May 1, 2023
Meanwhile, data from Binance chain explorer BSC Scan, the V2 controller contract shows multiple calls of the “claim multiple” function over the past 48 hours.
At the time of writing, the implementation of the contract does not appear to have been altered since the advent of the attack, however Level Finance says that it will deploy a new implementation of the referral contract within the next 12 hours.
The exchange also noted that its liquidity pools and related DAOs remain unaffected by the attack.
According to @DeDotFiSecurity on Twitter, the team says that it has “temporarily shut down the referral program,” which has stopped the exploit.
On Discord, Level Finance said that the exploit had been isolated from other exploits and that users of the exchange should “stand by for a full post mortem.”