A recent security breach in Level Finance, a decentralized exchange, has led to the loss of over $1.1 million worth of the platform’s native LVL tokens. The attack exploited a vulnerability in the “LevelReferralControllerV2” smart contract, revealing the limitations of existing security measures.
How the Hack Occurred
Blockchain security and data analytics company PeckShield uncovered a logic bug in the “claimMultiple” function of the “LevelReferralControllerV2” smart contract. This flaw enabled users to repeatedly claim referral rewards for the same period. The attacker capitalized on this vulnerability by creating multiple referral accounts and utilizing flash loans to amplify referral rewards, ultimately earning $1.1 million.
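The class of bug described above, as an added example that is not Level Finance's contract code: a simplified Python model of a per-period (epoch) reward ledger, with a batch claim that never checks prior claims beside one that does, plus the invariant a test suite could assert. The ledger class, account name and amounts are constructed, and the exact form of the flaw in the real contract is an assumption.

```python
# Simplified model of per-epoch referral rewards. Constructed for illustration;
# names and amounts are assumptions, not Level Finance's contract code.

class DuplicateClaim(Exception):
    """Raised when an epoch is claimed twice by the same account."""


class ReferralLedger:
    def __init__(self, accrued):
        self.accrued = dict(accrued)   # {(account, epoch): reward owed}
        self.claimed = set()           # (account, epoch) pairs already paid
        self.paid_out = 0              # running total of tokens released

    def claim_multiple_flawed(self, account, epochs):
        """Pays every listed epoch without recording or checking prior claims."""
        total = sum(self.accrued.get((account, e), 0) for e in epochs)
        self.paid_out += total
        return total

    def claim_multiple_checked(self, account, epochs):
        """Rejects any repeated epoch, within the batch or across calls."""
        total = 0
        newly = set()
        for e in epochs:
            key = (account, e)
            if key in self.claimed or key in newly:
                raise DuplicateClaim(f"epoch {e} already claimed by {account}")
            newly.add(key)
            total += self.accrued.get(key, 0)
        self.claimed |= newly          # commit only if the whole batch is valid
        self.paid_out += total
        return total

    def invariant_holds(self):
        """Tokens released must never exceed tokens accrued."""
        return self.paid_out <= sum(self.accrued.values())


def demo():
    accrued = {("alice", 7): 100}      # constructed sample: one epoch, 100 tokens
    flawed = ReferralLedger(accrued)
    flawed.claim_multiple_flawed("alice", [7, 7, 7])
    fixed = ReferralLedger(accrued)
    fixed.claim_multiple_checked("alice", [7])
    try:
        fixed.claim_multiple_checked("alice", [7])
        repeat_rejected = False
    except DuplicateClaim:
        repeat_rejected = True
    return flawed.paid_out, flawed.invariant_holds(), fixed.paid_out, repeat_rejected
```

The invariant check is the part worth carrying into a real test suite: asserting that total rewards released never exceed total rewards accrued catches this class of bug regardless of which code path causes it.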
Temporary Shutdown of the Referral Program
DeDotFiSecurity on Twitter confirmed that Level Finance has temporarily halted its referral program, effectively ending the exploit.
Although Level Finance underwent two audits by independent firms in 2023, the exploited vulnerability was not detected. This incident serves as a reminder that security audits are not foolproof and should not be relied upon solely to guarantee safety. Similar cases have occurred with Merlin DEX and decentralized music platform Audius, which experienced substantial losses despite undergoing security audits.
The Aftermath and Community Response
Following the attack, Level Finance has promised to provide updates as its investigation progresses. The company has reassured users that the exploit did not impact its liquidity pool and DAO treasury. The DAO has presented a proposal inviting the community to vote on handling the 214K LVL tokens added to circulation by the attack. Level Finance is actively working on deploying a fix to address the vulnerability within the next 12 hours.
The Need for Enhanced Security Measures
As decentralized finance continues to expand, the Level Finance hack highlights the importance of adopting a more comprehensive approach to security. Relying solely on security audits is insufficient to prevent attacks, and the industry must collaborate to reinforce the security of Web3 platforms.