Level Finance acknowledges $1 million loss from flawed smart contract exploit.

Decentralized exchange Level Finance has suffered a security incident that enabled an attacker to drain more than $1 million worth of the exchange’s native Level Finance (LVL) token.

Level Finance notified its 20,000 Twitter followers that over 214,000 of the exchange’s LVL tokens had been siphoned off and exchanged for 3,345 Binance Coin (BNB), valued at approximately $1.01 million.

An exploit targeted our Referral Controller Contract.
– 214k LVL tokens drained to the exploiters’ address.
– Attacker exchanged LVL for 3,345 BNB
– Exploit was contained to this contract.
– A fix will be implemented in 12 hours.
– LPs and treasury UNAFFECTED.
Further details will be provided.

— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023

As reported by blockchain security firm Peckshield, Level Finance’s “LevelReferralControllerV2” smart contract had a vulnerability that permitted “repeated referral claims” from the same epoch. This was later corroborated by Level Finance in a statement on Discord.

It appears that @Level__Finance’s LevelReferralControllerV2 contract has a flaw that allows for repeated referral claims from the same epoch. To date, 214k LVLs have been drained and exchanged for 3,345 BNB (~1M)
Here is an example of the hack transaction: https://t.co/isqHhzFk1Z https://t.co/ikOWx2ezf6 pic.twitter.com/wlr5bFFf0R

— PeckShield Inc. (@peckshield) May 1, 2023

Additionally, data from Binance chain explorer BSC Scan indicates that the V2 controller contract has seen multiple calls to the “claim multiple” function in the last 48 hours.

At the time of this report, the contract’s implementation does not seem to have been modified since the attack occurred; however, Level Finance has stated that a new version of the referral contract will be rolled out within the next 12 hours.

The exchange also confirmed that its liquidity pools and associated DAOs remain unaffected by the incident.

According to @DeDotFiSecurity on Twitter, the team has “temporarily suspended the referral program,” effectively halting the exploit.

On Discord, Level Finance indicated that the exploit had been contained from other vulnerabilities and that users of the exchange should “await a comprehensive post mortem.”
