Level Finance confirms $1M exploit due to buggy smart contract

5


Decentralized exchange Level Finance has experienced a security breach allowing an attacker to steal more than $1 million of the exchange’s native Level Finance (LVL) token. 

Level Finance informed its 20,000 Twitter followers that more than 214,000 of the exchange’s LVL tokens had been drained and swapped into 3,345 Binance Coin (BNB), with an approximate value of $1.01 million. 

According to blockchain security firm Peckshield, Level Finance’s “LevelReferralControllerV2” smart contract contained a bug that allowed for “repeated referral claims” from the same epoch. This was confirmed by Level Finance in a later statement made on Discord.

Meanwhile, according to data from Binance chain explorer BSC Scan, the v2 controller contract shows multiple calls of the “claim multiple” function over the past 48 hours.

At the time of writing, the implementation of the contract does not appear to have been altered since the advent of the attack; however, Level Finance said that it would deploy a new implementation of the referral contract within the next 12 hours.

The exchange also noted that its liquidity pools and related DAOs remain unaffected by the attack.

Related: April’s crypto scams, exploits and hacks lead to $103M lost — CertiK

According to DeDotFiSecurity on Twitter, the team says that it has “temporarily shut down the referral program,” which has stopped the exploit.

On Discord, Level Finance said that the exploit had been isolated from other exploits and that users of the exchange should “stand by for a full post mortem.”