skip to Main Content
bitcoin
Bitcoin (BTC) $ 99,164.57 1.81%
ethereum
Ethereum (ETH) $ 3,481.59 0.79%
tether
Tether (USDT) $ 0.999953 0.10%
xrp
XRP (XRP) $ 2.31 0.37%
bnb
BNB (BNB) $ 704.34 2.07%
solana
Solana (SOL) $ 199.69 2.69%
dogecoin
Dogecoin (DOGE) $ 0.333702 0.92%
usd-coin
USDC (USDC) $ 1.00 0.20%
staked-ether
Lido Staked Ether (STETH) $ 3,474.24 0.72%
cardano
Cardano (ADA) $ 0.918023 0.52%

Level Finance confirms $1M exploit due to buggy smart contract

An attacker manipulated a “claim multiple” bug in a Level Finance smart contract to steal more than 214,000 LVL tokens from the exchange.

254 Total views

9 Total shares

Level Finance confirms $1M exploit due to buggy smart contract

Own this piece of history

Collect this article as an NFT

Decentralized exchange Level Finance has experienced a security breach allowing an attacker to steal more than $1 million of the exchange’s native Level Finance (LVL) token. 

Level Finance informed its 20,000 Twitter followers that more than 214,000 of the exchange’s LVL tokens had been drained and swapped into 3,345 Binance Coin (BNB), with an approximate value of $1.01 million. 

An exploit targeted our Referral Controller Contract.

– 214k LVL tokens drained to exploiters address.

– Attacker swapped LVL to 3,345 BNB

– Exploit was isolated from other contracts.

– Fix to be deployed in 12 Hrs.

– LP’s and DAO treasury UNAFFECTED.

More details to follow.

— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023

According to blockchain security firm Peckshield, Level Finance’s “LevelReferralControllerV2” smart contract contained a bug that allowed for “repeated referral claims” from the same epoch. This was confirmed by Level Finance in a later statement made on Discord.

— PeckShield Inc. (@peckshield) May 1, 2023

Meanwhile,  data from Binance chain explorer BSC Scan, the V2 controller contract shows multiple calls of the “claim multiple” function over the past 48 hours.

At the time of writing, the implementation of the contract does not appear to have been altered since the advent of the attack, however Level Finance says that it will deploy a new implementation of the referral contract within the next 12 hours.

The exchange also noted that its liquidity pools and related DAOs remain unaffected by the attack.

Related: April’s crypto scams, exploits and hacks lead to $103M lost — CertiK

According to @DeDotFiSecurity on Twitter, the team says that it has “temporarily shut down the referral program,” which has stopped the exploit.

On Discord, Level Finance said that the exploit had been isolated from other exploits and that users of the exchange should “stand by for a full post mortem.”

Magazine: Here’s how Ethereum’s ZK-rollups can become interoperable

Loading data ...
Comparison
View chart compare
View table compare
Back To Top