The hackers exploited a Level Finance smart contract vulnerability to drain 214,000 LVL tokens from the decentralized exchange and exchanged them for 3,345 BNB, worth around $1,100,000.

While Level Finance said the attack did not affect its liquidity pool or DAO treasury, and that the exploit was isolated from all other contracts, the LVL token lost around 50% of its value immediately after the attack was disclosed.

Level Finance tweet

The project promised to provide updates as soon as the investigation reveals more. The DAO has since posted a proposal asking the community to vote on how to handle the 214K LVL tokens the attack added to circulation.

Blockchain security and data analytics company PeckShield explained that the exploited smart contract, "LevelReferralControllerV2", had a logic bug in its claimMultiple function that let users claim referral rewards repeatedly within the same epoch (reward period).

Bug in the contract code (PeckShield)

Smart contract auditor BlockSec came to the same conclusion, adding that the attacker had tried to exploit the flaw several times since last week and had failed.

“Specifically, the claim reward was determined by the level of referral and reward points, so the attacker did the following preparation: 1) create and set many referrals; 2) use a flash loan to perform dozens of swaps (the reward has been updated in the postSwap function),” explained BlockSec on Twitter.

The attacker created multiple referral accounts to maximize the rewards they could collect by exploiting the smart contract bug.

Flash loans (loans borrowed and repaid within a single transaction) were used to further amplify the referral rewards: the borrowed capital let the attacker perform dozens of swaps from one token to another, each of which credited additional reward points.

Eventually, the attacker got the sequence right yesterday and executed the attack, netting $1.1 million.
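To make the two ingredients concrete (points credited on every swap, and a multi-epoch claim function that never records what has already been paid), here is a small Python model of a referral-reward contract. It is an added illustration written for this article, not Level Finance's LevelReferralControllerV2 code; the tier table, point accounting, treasury size and function names are assumptions chosen to mirror the behaviour PeckShield and BlockSec describe.

```python
"""Model of a referral-reward contract with a repeat-claim bug.

Hypothetical reconstruction for illustration only; not the Level Finance
contract. Tier thresholds, reward rates and the 214,000 LVL treasury are
assumed values.
"""
from collections import defaultdict


class ReferralRewards:
    # Assumed tier table: minimum points in an epoch -> reward per point.
    TIERS = [(0, 1), (100, 2), (1000, 5)]

    def __init__(self, treasury: int):
        self.treasury = treasury               # LVL held by the contract
        self.epoch = 0                         # current reward period
        self.points = defaultdict(int)         # (epoch, user) -> points
        self.claimed = defaultdict(bool)       # (epoch, user) -> paid out?
        self.balance = defaultdict(int)        # user -> LVL received

    def post_swap(self, user: str, volume: int) -> None:
        """Swap hook that credits referral points. With a flash loan one
        transaction can call this dozens of times before claiming."""
        self.points[(self.epoch, user)] += volume

    def _reward(self, epoch: int, user: str) -> int:
        pts = self.points[(epoch, user)]
        rate = max(r for lo, r in self.TIERS if pts >= lo)
        return pts * rate

    def _pay(self, user: str, amount: int) -> int:
        amount = min(amount, self.treasury)
        self.treasury -= amount
        self.balance[user] += amount
        return amount

    def claim_multiple_vulnerable(self, user: str, epochs: list) -> int:
        """Bug: pays for every epoch listed and records nothing, so the
        same epoch can be claimed again within the call and in later calls."""
        return sum(self._pay(user, self._reward(e, user)) for e in epochs)

    def claim_multiple_fixed(self, user: str, epochs: list) -> int:
        """Fix (checks-effects-interactions): reject duplicates and already
        claimed epochs before any state change, mark claimed, then pay."""
        if len(set(epochs)) != len(epochs):
            raise ValueError("duplicate epoch in claim")      # revert
        if any(self.claimed[(e, user)] for e in epochs):
            raise ValueError("epoch already claimed")         # revert
        for e in epochs:
            self.claimed[(e, user)] = True
        return sum(self._pay(user, self._reward(e, user)) for e in epochs)


def run_attack(vulnerable: bool, swaps: int = 30, claims: int = 5):
    """Replays the described sequence against one variant of the contract.

    Returns (LVL obtained by the attacker, LVL left in the treasury)."""
    c = ReferralRewards(treasury=214_000)
    # Flash-loan leg: dozens of swaps in one transaction pump the points
    # into the top tier before a single claim is made.
    for _ in range(swaps):
        c.post_swap("attacker", 100)
    claim = c.claim_multiple_vulnerable if vulnerable else c.claim_multiple_fixed
    # Claim leg: one call listing the current epoch several times, then
    # several further single-epoch calls within the same epoch.
    attempts = [[c.epoch] * claims] + [[c.epoch]] * claims
    got = 0
    for epochs in attempts:
        try:
            got += claim("attacker", epochs)
        except ValueError:
            pass  # a reverted call pays nothing and changes no state
    return got, c.treasury


if __name__ == "__main__":
    print("vulnerable:", run_attack(True))
    print("fixed:     ", run_attack(False))
```

With the assumed numbers, 30 swaps of volume 100 put the attacker in the 5x tier (15,000 LVL per claim). The vulnerable variant pays that amount once per listed epoch and once per extra call, ten times in total, while the fixed variant pays it exactly once and reverts everything else. The model also shows why an audit that only reads `claim` in isolation can miss this: the bug is the absence of a state write, not a wrong line.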

Audited does not mean secure

Although Level Finance had tried to protect its assets by commissioning two audits from independent firms, the attacker still found a way to drain funds through a bug that those audits did not catch.

However, while Level Finance was audited twice in 2023, it is unclear whether the vulnerable function was in scope at the time or was added afterwards.

Security audits are not bulletproof and should not be treated as a guarantee of safety, as has been demonstrated many times in the past.

Last week, DEX Merlin lost $1.82 million after rogue insiders drained its liquidity pool, which the project attributed to a "major flaw in structural integrity and platform controls". This happened just days after Merlin had announced a successful audit by blockchain security company CertiK.

Last year, the decentralized music platform Audius lost $6 million worth of tokens after an attacker exploited a flaw in a system that had undergone two thorough security assessments by separate auditors since its launch.
