LevelFinance (LVL), a Binance Smart Chain (BSC)-based decentralized exchange, has been exploited for $1 million. The hacker targeted a LevelFinance Referral Controller Contract vulnerability to orchestrate the heist.
Level Finance (LVL), a Binance Smart Chain (BSC) powered decentralized finance (DeFi) protocol that claims to offer liquidity providers an innovative user-elected credit exposure framework, is the latest web3 project to suffer a security breach.
PeckShield Inc, a leading blockchain security company, first noticed an anomaly in the Level Finance protocol and made its findings known during the late hours of May 1. The web3 security firm saw a loophole in the Level Finance smart contract that controls referral bonus claims on the network.
The bug made repeated referral bonus claims from the same epoch possible, enabling the attackers to drain 214,000 LVL tokens from the protocol. The hackers then swapped the stolen LVL for 3,345 BNB valued at roughly $1 million.
LVL token in red
Level Finance confirmed the attack shortly after, clarifying that the exploit did not impact its other smart contracts.
The team claims the Level Finance DAO treasury and LPs were unaffected by the security breach, adding that the vulnerability will be fixed within 12 hours.
It seems the @Level__Finance's LevelReferralControllerV2 contract has a bug that allows for repeated referral claims from the same epoch. So far 214k LVLs have been drained and swapped into 3,345 BNB (~1M)
— PeckShield Inc. (@peckshield) May 1, 2023
Here is an example hack tx: https://t.co/isqHhzFk1Z https://t.co/ikOWx2ezf6 pic.twitter.com/wlr5bFFf0R
At the time of writing, the price of Level Finance’s native LVL token is exchanging hands for $7.7, representing a 10% decline in the last 24 hours. LVL has a market cap of $43,618,277, with a 24-hour trading volume of $24,056,146.
LVL token is down by 31.14% from its all-time high reached on April 14. Despite the latest LVL token price crash, the asset is still up by over 10,000% from its all-time low of 10,242% hit in Jan. 2023, according to CoinGecko.