Level Finance crypto exchange hacked after two security audits

Hackers exploited a Level Finance smart contract vulnerability to drain 214,000 LVL tokens from the decentralized exchange and swapped them for 3,345 BNB, worth approximately $1,100,000.

While Level Finance said the attack did not affect its liquidity pool and the DAO treasury, and the exploit was isolated from all other contracts, the LVL token lost roughly 50% of its value immediately after the attack was made known.

The company has promised to provide updates on the situation as soon as the investigation reveals more. The DAO has since  asking for votes on how the community should handle the 214K LVL tokens added to circulation by the attack.

Blockchain security and data analytics company  that the breached smart contract, ‘LevelReferralControllerV2,’ had a logic bug in the claimMultiple function that allows users to repeatedly claim referral rewards within the same epoch (period of time).

Bug in the contract's code
Bug in the contract’s code (PeckShield)

Smart contract auditor BlockSec has reached the same conclusion, adding that the hacker has attempted to exploit the flaw several times since last week and failed.

“Specifically, the claim reward was determined by the tier of referral and reward points, hence the attacker made the following preparation: 1) creating and setting many referrals; 2) using flashloan to perform dozens of swap (the reward was updated in the postSwap function),” .

The attacker created multiple referral accounts to maximize the rewards they could obtain by exploiting the smart contract bug.

Flashloans (single-transaction borrow and return) were used to amplify the referral rewards further, allowing the attacker to perform dozens of swaps from one token to another, getting a reward for the action every time.

Eventually, the attacker carried out the correct steps yesterday and launched the hack that made them $1.1 million.

Audited does not mean secure

Although Level Finance did its best to protect assets by ordering two audits from independent firms, the hacker still found a way to exploit the code to steal money using missed bugs.

However, while Level Finance was audited twice in 2023, it is unclear if the vulnerable function was audited or added afterwards.

Security audits are neither bulletproof nor should they be treated as an assurance of safety and security as we’ve seen multiple times in the past.

Last week, DEX Merlin was compromised due to a “major fault in the structural integrity and controls of the platform,”  that rogue insiders drained from its liquidity pool. This occurred mere days after DEX Merlin  a successful audit by blockchain security firm CertiK.

Last year, decentralized music platform Audius  after an attacker exploited a flaw in a system that had undergone two in-depth security assessments from separate auditors since it was introduced.