Level Finance, a renowned decentralized exchange, recently fell victim to a significant security breach. The attacker exploited a flaw in a function of the platform’s smart contract known as “claim multiple,” which resulted in the theft of over 214,000 Level Finance (LVL) tokens. The stolen LVL tokens were converted into 3,345 Binance Coin, worth approximately $1 million.
Peckshield and BSC Scan Expose Level Finance Vulnerability
Upon discovering the breach, Level Finance promptly notified its 20,000-strong Twitter following of the incident. The exchange further emphasized that the attack solely impacted LVL tokens, not its liquidity pools or related DAOs.
Renowned blockchain security firm Peckshield identified the vulnerability within Level Finance’s “LevelReferralControllerV2” smart contract. The bug enabled “repeated referral claims” from the same epoch, which the attacker exploited to extract numerous LVL tokens. Level Finance later confirmed this finding in an official statement made on Discord.
Data from Binance chain explorer BSC Scan also revealed multiple invocations of the “claim multiple” function over the past 48 hours. The compromised v2 controller contract has not been altered since the attack. However, Level Finance has committed to deploying a new implementation of the referral contract within the next 12 hours.
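The accounting error described above, as an added example that is not Level Finance's contract code: a simplified Python model in which a batch claim pays the same epoch more than once, beside a version that records each claim before paying it. The class, method names, sample balances and the assumption that claim state was written only after the batch loop are all hypothetical; the page does not show the contract source.

```python
# Simplified model of epoch-based referral rewards (added example; all names
# are hypothetical and this is not the LevelReferralControllerV2 source).

class ReferralLedger:
    def __init__(self, rewards):
        # rewards: {(user, epoch): amount earned}; constructed sample data
        self.rewards = dict(rewards)
        self.claimed = set()      # (user, epoch) pairs already paid out

    def claim_multiple_flawed(self, user, epochs):
        """Assumed flaw: claim state is written only after the loop."""
        total = 0
        for epoch in epochs:
            if (user, epoch) not in self.claimed:
                total += self.rewards.get((user, epoch), 0)
        # Too late: a repeated epoch in `epochs` was already counted above.
        self.claimed.update((user, e) for e in epochs)
        return total

    def claim_multiple_fixed(self, user, epochs):
        """Mark each epoch as claimed before crediting it, so a repeat pays 0."""
        total = 0
        for epoch in epochs:
            key = (user, epoch)
            if key in self.claimed:
                continue          # same epoch again, in this call or a later one
            self.claimed.add(key)
            total += self.rewards.get(key, 0)
        return total


def total_paid(method_name, batches):
    """Run the same batches against a fresh ledger and return the payout."""
    ledger = ReferralLedger({("alice", 7): 100, ("alice", 8): 50})
    claim = getattr(ledger, method_name)
    return sum(claim("alice", batch) for batch in batches)


if __name__ == "__main__":
    # Regression input: epoch 7 repeated within one call and across calls.
    batches = [[7, 7, 7, 8], [7]]
    print("flawed:", total_paid("claim_multiple_flawed", batches))
    print("fixed: ", total_paid("claim_multiple_fixed", batches))
```

The invariant worth testing in a real contract is the same one the fixed method enforces: total payout per user and epoch never exceeds the amount earned, whatever the shape of the batch.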
Temporary Shutdown of the Referral Program and the Road to Recovery
To mitigate further damage, DeDotFiSecurity announced on Twitter that the Level Finance team has “temporarily shut down the referral program,” effectively stopping the exploit. The exchange has since isolated the exploit from other potential vulnerabilities and asked its users to “stand by for a full post-mortem.”
As Level Finance moves forward after this significant security breach, the incident is a stark reminder of the importance of robust smart contract security measures within the decentralized finance (DeFi) sector.
The industry must continuously invest in security improvements to protect users and preserve the integrity of the DeFi ecosystem. Unfortunately, this is unlikely to be the last security incident in decentralized finance.