Level Finance Hack: $1.1 Million Exploit Exposes Smart Contract Vulnerability

A recent security breach in Level Finance, a decentralized exchange, has led to the loss of over $1.1 million worth of the platform’s native LVL tokens. The attack exploited a vulnerability in the “LevelReferralControllerV2” smart contract, revealing the limitations of existing security measures.

How the Hack Occurred

Blockchain security and data analytics company PeckShield uncovered a logic bug in the “claimMultiple function” of the ‘LevelReferralControllerV2’ smart contract. This flaw enabled users to claim referral rewards within the same period repeatedly. The attacker capitalized on this vulnerability by creating multiple referral accounts and utilizing flash loans to amplify referral rewards, ultimately earning $1.1 million.

An exploit targeted our Referral Controller Contract.

– 214k LVL tokens drained to exploiters address.
– Attacker swapped LVL to 3,345 BNB
– Exploit was isolated from other contracts.
– Fix to be deployed in 12 Hrs.
– LP's and DAO treasury UNAFFECTED.

More details to follow.

— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023

Temporary Shutdown of the Referral Program

DeDotFiSecurity on Twitter confirmed that Level Finance has temporarily halted its referral program, effectively ending the exploit.

2/ $LVL team says claims that the referral contract was exploited.

The referral program is now temporarily shut down.

Team also claims that the exploit is isolated from other contracts. pic.twitter.com/vi3GXjzR2X

— De.Fi 🛡️ Web3 Antivirus (@DeDotFiSecurity) May 1, 2023

Despite undergoing two audits by independent firms in 2023, Level Finance failed to detect the exploited vulnerability. This incident serves as a reminder that security audits are not foolproof and should not be relied upon solely to guarantee safety. Similar cases have occurred with Merlin DEX and decentralized music platform Audius, which experienced substantial losses despite undergoing security audits.

The Aftermath and Community Response

Following the attack, Level Finance has promised to provide updates as their investigation progresses. The company has reassured users that the exploit did not impact its liquidity pool and DAO treasury. The DAO has presented a proposal inviting the community to vote on handling the 214K LVL tokens added to circulation by the attack. Level Finance is actively working on deploying a fix to address the vulnerability within the next 12 hours.

The Need for Enhanced Security Measures

As decentralized finance continues to expand, the Level Finance hack highlights the importance of adopting a more comprehensive approach to security. Relying solely on security audits is insufficient to prevent attacks, and the industry must collaborate to reinforce the security of Web3 platforms.