Level Finance verifies a $1 million loss because of a flawed smart contract
A malicious actor exploited a “claim multiple” flaw in a Level Finance smart contract to take over 214,000 LVL tokens from the exchange.
A security vulnerability at the decentralized exchange Level Finance allowed an intruder to capture more than $1 million worth of the exchange’s native Level Finance (LVL) token.
Level Finance informed its 20,000 Twitter followers that more than 214,000 LVL tokens had been depleted and exchanged for 3,345 Binance coins valued at approximately $1.01 million.
According to blockchain security company Peckshield, Level Finance’s “LevelReferralControllerV2” smart contract contained a flaw that permitted “repeated referral claims” from the same epoch. This was verified by Level Finance in a subsequent Discord statement.
Moreover, data from Binance’s chain explorer BSC Scan indicates that the v2 controller contract has received multiple calls to the “claim multiple” function within the past 48 hours.
It seems that the contract’s implementation has not changed since the start of the assault, however, Level Finance has promised to roll out a fresh version of the referral contract within the next 12 hours.
Additionally, the exchange stated that its liquidity pools and associated DAOs are unaffected by the attack.
According to DeDotFiSecurity’s Twitter account, the team has “temporarily shut down the referral programme,” putting an end to the exploit.
Level Finance stated on Discord that the exploit had been isolated from other exploits and that exchange users should “stay tuned for a full post mortem.”