
Cyber Incident Victim: Level Finance

Date: May 2023

Location: United States of America

Summary

Level Finance suffered a smart contract exploit in which the attacker claimed roughly 214,000 LVL tokens in illegitimate referral rewards and swapped them for approximately $1.1 million. The root cause was a logic bug in the `claimMultiple` function of the referral controller contract, which let the same epoch's rewards be claimed repeatedly. Before triggering it, the attacker registered a large number of referral accounts and used flashloans to perform repeated swaps, inflating the reward points that the flawed function then paid out. The LVL token lost roughly half its value as soon as the attack became known.


Description

On or around May 2, 2023, the Level Finance decentralized exchange was hacked through a smart contract vulnerability. The attacker extracted 214,000 LVL tokens, which were then swapped for 3,345 BNB, the native token of BNB Smart Chain (formerly Binance Smart Chain). At the time of the incident that amount of BNB was worth approximately $1.1 million USD. The effect on the LVL token was immediate: it lost roughly fifty percent of its value after the breach was publicly disclosed.


The targeted contract was identified as `LevelReferralControllerV2`. Blockchain security and analytics firm PeckShield analyzed the breach and attributed it to a logic bug in the contract's `claimMultiple` function. Referral rewards in the contract are accounted per epoch, a fixed period after which the points accumulated during that period become claimable. The flaw allowed a user to claim the rewards for the same epoch more than once, which the protocol's design never intended: a correct implementation records that an epoch has been paid out before releasing funds and refuses any further claim for it.

Smart contract auditing firm BlockSec corroborated this finding, confirming the logic bug as the root cause, and described the preparatory steps the attacker took to maximize the payout. The attacker first created and registered a large number of referral accounts. This mattered because the reward paid on a claim depends on the claimant's referral tier as well as on accumulated reward points; by registering many referrals under accounts they controlled, the attacker pushed those accounts into a higher tier and so multiplied every reward they would later claim.

The attacker then used flashloans to amplify the exploit. A flashloan is an uncollateralized loan that is borrowed and repaid within a single transaction; if the loan is not repaid by the end of the transaction, the whole transaction reverts, so the borrower needs no capital of their own. With the borrowed funds the attacker performed dozens of rapid token swaps. Each swap triggered the contract's `postSwap` hook, which credits reward points based on swap activity, so the attacker's referral accounts accumulated points far faster than any genuine trading would have produced. Because the points were volume-derived, flash-loaned capital let the attacker inflate them at almost no cost; the flawed `claimMultiple` function then turned those inflated points into tokens, repeatedly.
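The claim-and-amplification chain described above, modelled in Python as an added illustration. This is not Level Finance's Solidity, and the page does not give the exact control flow of the real `claimMultiple`; the assumption made here is that the vulnerable path records claims but never consults the per-epoch claimed record before paying, so the same epoch can be listed repeatedly in one call (or claimed again in a later call). The tier schedule, the volume-based point formula, the account labels and the loan size are all hypothetical.

```python
"""Toy model of an epoch-based referral reward controller with a repeat-claim bug.

Hypothetical reconstruction for illustration only; the real contract's rules,
names and numbers are not reproduced here.
"""
from collections import defaultdict

# Assumed tier schedule: reward multiplier applied to points, by referral tier.
TIER_MULTIPLIER = {1: 1, 2: 2, 3: 5}


class ReferralController:
    """Epoch-based referral rewards. fixed=False models the repeat-claim bug."""

    def __init__(self, fixed: bool):
        self.fixed = fixed
        self.current_epoch = 0
        self.points = defaultdict(lambda: defaultdict(int))  # epoch -> user -> points
        self.claimed = defaultdict(set)                      # epoch -> users already paid
        self.referral_count = defaultdict(int)               # referrer -> referrals
        self.minted = defaultdict(int)                       # user -> reward tokens issued

    def register_referral(self, referee: str, referrer: str) -> None:
        # Sybil-friendly: nothing stops one party registering many referees.
        self.referral_count[referrer] += 1

    def tier(self, user: str) -> int:
        n = self.referral_count[user]
        return 3 if n >= 50 else 2 if n >= 5 else 1

    def post_swap(self, trader: str, volume: int) -> None:
        """Hook the router calls after every swap; credits volume-based points in the
        current epoch. Flash-loaned capital swapped repeatedly inflates this cheaply."""
        self.points[self.current_epoch][trader] += volume

    def next_epoch(self) -> None:
        # In a real contract this is driven by time, not by the caller.
        self.current_epoch += 1

    def claimable(self, epoch: int, user: str) -> int:
        if epoch >= self.current_epoch:
            return 0  # only closed epochs are claimable
        return self.points[epoch][user] * TIER_MULTIPLIER[self.tier(user)]

    def claim_multiple(self, user: str, epochs: list[int]) -> int:
        total = 0
        if self.fixed:
            # Hardened: check and mark each epoch BEFORE accumulating, so a repeated
            # epoch in the list, or a second call later, contributes nothing.
            for epoch in epochs:
                if user in self.claimed[epoch]:
                    continue
                self.claimed[epoch].add(user)
                total += self.claimable(epoch, user)
        else:
            # Vulnerable (assumed shape of the bug): the claimed record is written but
            # never read, so [e, e, e] pays three times and a repeat call pays again.
            for epoch in epochs:
                total += self.claimable(epoch, user)
                self.claimed[epoch].add(user)
        self.minted[user] += total
        return total


def run_scenario(fixed: bool, repeats: int, sybils: int = 50) -> int:
    """One attacker run: register sybil referrals, flash-loan and swap repeatedly to
    farm points, wait for the epoch to close, then claim the same epoch `repeats` times.
    Returns the tokens paid out to the attacker."""
    ctl = ReferralController(fixed=fixed)
    attacker = "attacker"  # constructed label, not a real address
    for i in range(sybils):
        ctl.register_referral(f"sybil{i}", attacker)
    loan = 1_000_000  # flash-loaned principal; repaid in the same transaction
    for _ in range(30):
        ctl.post_swap(attacker, loan)  # swap back and forth, volume counted every time
    epoch = ctl.current_epoch
    ctl.next_epoch()
    return ctl.claim_multiple(attacker, [epoch] * repeats)


if __name__ == "__main__":
    print("honest claim, no sybils :", run_scenario(fixed=True, repeats=1, sybils=0))
    print("fixed, tier inflated    :", run_scenario(fixed=True, repeats=10))
    print("vulnerable, 10 repeats  :", run_scenario(fixed=False, repeats=10))
```

The hardened branch follows the usual checks-effects-interactions discipline: the claimed flag is set before the reward is computed and before any transfer, so neither a duplicated epoch in the argument list nor a follow-up call can be paid twice. The sybil and flashloan steps are the same in both runs; the fix only closes the double payment, which is why volume- and referral-based incentive schemes also need their own sybil and volume-inflation defences.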

BlockSec also noted that the attacker had tried to exploit the same vulnerability several times in the week before the successful attack; those earlier attempts failed for reasons that were not determined. On the day of the incident the attacker executed the correct sequence of actions and extracted the $1.1 million in value. The stolen LVL was then swapped for BNB, converting a thinly traded token into a liquid asset before its price collapsed and making the funds harder to trace.

In its response, Level Finance issued statements aimed at reassuring users and the wider community. It said the attack was confined to the vulnerable referral contract and did not affect the platform's liquidity pool or the DAO treasury, meaning that user funds held in the liquidity pools were not drained by this exploit. The company promised further updates as its internal investigation progressed.

The decentralized autonomous organization (DAO) associated with Level Finance took governance actions in the aftermath of the attack. The DAO released a formal proposal to its community, asking members to vote on how to handle the 214,000 LVL tokens that had been illicitly added into circulation by the attacker. This proposal acknowledged the inflationary pressure caused by the sudden creation of these new tokens and sought a community-driven decision on the appropriate remedial measures, such as potentially buying back and burning the tokens or implementing another mechanism to address the supply shock.

A notable aspect of this incident is that Level Finance had already sought independent review of its smart contracts: the platform had undergone two external security audits before the attack. Either the critical logic bug in `claimMultiple` was missed, or it was introduced after the audits were completed; the available information does not say whether `LevelReferralControllerV2` or the affected functions were in scope for either audit. The practical lesson is the familiar one that an audit reduces risk only for the code and the version it actually covered, and that contracts changed or added after an audit need to be reviewed again before deployment.

The financial consequences of the breach were twofold. The direct loss was the $1.1 million in value extracted from the protocol. The secondary, and at least as significant, loss was the fifty percent collapse in the LVL token price, which hit every token holder and damaged confidence in the platform. The incident is also another case study in a pattern of attacks on audited projects in decentralized finance. The article cites other recent examples: the hack of the DEX Merlin, which lost $1.82 million days after announcing an audit, and the 2022 Audius exploit, which lost $6 million in tokens despite two separate security assessments. The Level Finance hack therefore fits a broader pattern of attackers finding critical logic flaws that survive multiple rounds of security review.

Sources

1 source (available to members)