bsc.news
Flawed Smart Contract Leads to Theft
Decentralized Exchange (DEX) Level Finance suffered a security breach that led to the theft of over $1 million in its native $LVL tokens.
An exploit targeted our Referral Controller Contract.
— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023
- 214k LVL tokens drained to exploiters address.
- Attacker swapped LVL to 3,345 BNB
- Exploit was isolated from other contracts.
- Fix to be deployed in 12 Hrs.
- LP's and DAO treasury UNAFFECTED.
More details to follow.
The attacker drained over 214,000 LVL tokens from the exchange before exchanging them for 3,345 Binance Coins.
Blockchain security firm, Peckshield, has investigated the exploit and provided its insights. According to Peckshield, Level Finance's 'LevelReferralControllerV2' smart contract was flawed, allowing for repeated referral claims from the same epoch.
It seems the @Level__Finance's LevelReferralControllerV2 contract has a bug that allows for repeated referral claims from the same epoch. So far 214k LVLs have been drained and swapped into 3,345 BNB (~1M)
— PeckShield Inc. (@peckshield) May 1, 2023
Here is an example hack tx: https://t.co/isqHhzFk1Z https://t.co/ikOWx2ezf6 pic.twitter.com/wlr5bFFf0R
In addition, Binance's chain explorer BSC Scan revealed that the V2 controller smart contract called the 'claim multiple' function several times in the past two days. Meanwhile, the decentralized exchange has promised to deploy a new referral contract in the next 12 hours.
Additionally, Level Finance DEX noted that its liquidity polls (LP) associated with decentralized autonomous organizations (DAOs) were not affected. Level Finance stated that the attack was isolated from other exploits and that platform users should "stand by for a full postmortem."
Following the news of the attack and as the exploiter was selling Level ($LVL), the altcoin's price fell almost 50%. $LVL is trading at $7.65, down 11.36% in 24 hours, according to CoinMarketcap.