Attackers exploited a weakness in a Level Finance smart contract to steal 214,000 LVL tokens from the decentralized exchange and swapped them for 3,345 BNB, worth almost $1,000,000. According to Level Finance, the DAO treasury and its liquidity pool were unaffected, and the exploit was isolated from all other contracts. Nonetheless, the LVL token lost over 50% of its value after the hack was made public.
The company has pledged to publish updates on the incident as soon as its investigation yields further information. Since then, the DAO has released a proposal seeking community input on how to manage the 214K LVL tokens that the attack introduced to the market. According to blockchain security and data analytics startup PeckShield, the hacked smart contract, “LevelReferralControllerV2,” has a logic flaw in its claimMultiple function that permits users to claim referral rewards repeatedly within the same epoch (period of time). Smart contract auditor BlockSec reached the same conclusion, and also noted that the attacker had made several failed attempts to exploit the weakness over the past week.
“Specifically, the claim reward was determined by the tier of referral and reward points, hence the attacker made the following preparation: 1) creating and setting many referrals; 2) using flashloan to perform dozens of swaps (the reward was updated in the postSwap function),” explained BlockSec on Twitter.
The attacker set up many referral accounts to maximize the profit that could be extracted from the smart contract defect. Flash loans (borrowed and repaid within a single transaction) inflated the referral rewards and let the attacker perform many token swaps, earning rewards on each one. Recently, after getting the sequence right, the attacker launched the transaction that netted them $1.1 million.
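To show the bug class described above, here is an added, hypothetical illustration (not Level Finance's LevelReferralControllerV2 code): a simplified referral-reward controller whose claim function never records which epochs have been paid, beside a version that does. The storage layout, function names and the epoch bookkeeping are assumptions for the sake of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified referral-reward controller (constructed example,
// not the project's code). rewardPoints[user][epoch] is assumed to be filled in
// elsewhere (e.g. by a post-swap hook) as trading volume accrues.
contract ReferralRewardsVulnerable {
    mapping(address => mapping(uint256 => uint256)) public rewardPoints;
    mapping(address => uint256) public balance; // stand-in for a reward token
    uint256 public currentEpoch;

    // Bug: nothing records that an epoch has already been paid out, so the
    // same finalized epoch yields a payout on every call (and even on
    // duplicate entries inside a single call).
    function claimMultiple(uint256[] calldata epochs) external {
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(epoch < currentEpoch, "epoch not finalized");
            balance[msg.sender] += rewardPoints[msg.sender][epoch];
        }
    }
}

contract ReferralRewardsFixed {
    mapping(address => mapping(uint256 => uint256)) public rewardPoints;
    mapping(address => mapping(uint256 => bool)) public claimed; // user => epoch
    mapping(address => uint256) public balance;
    uint256 public currentEpoch;

    // Fix: mark each epoch as claimed before crediting it (checks-effects-
    // interactions), so a second claim for the same epoch reverts. This also
    // rejects duplicate epochs within one call, since the flag is set in-loop.
    function claimMultiple(uint256[] calldata epochs) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(epoch < currentEpoch, "epoch not finalized");
            require(!claimed[msg.sender][epoch], "epoch already claimed");
            claimed[msg.sender][epoch] = true;
            total += rewardPoints[msg.sender][epoch];
        }
        balance[msg.sender] += total;
    }
}
```

A review of any claim path should check that the per-epoch claimed flag (or an equivalent zeroing of the reward balance) is set in every function that pays out, not just the single-epoch one.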
Although Level Finance sought to safeguard assets by commissioning two audits from independent firms, the attacker was still able to drain funds through a bug that those audits overlooked. Even though Level Finance was audited twice in 2023, it is unknown whether the vulnerable function was covered by those audits or added afterwards. As we have seen several times before, security audits are not foolproof and should not be regarded as a guarantee of safety.
Last week, DEX Merlin's liquidity pool was drained of $1.82 million by rogue insiders, owing to a “major fault in the structural integrity and controls of the platform.” This happened shortly after DEX Merlin announced that blockchain security company CertiK had completed a successful audit. Last year, a hacker stole $6 million worth of tokens from the decentralized music platform Audius by exploiting a vulnerability in a system that had already undergone two comprehensive security audits by different auditors since its release.