Level Finance Hacked: Underwent 2 Audits, Yet $1.1 Million Stolen Through Smart Contract Vulnerability


The Level Finance hack on May 1st, 2023 resulted in the loss of over $1.1 million worth of LVL tokens. This analysis examines the smart contract flaw, the attacker's strategy, the role of security audits, and the response from the Level Finance community.

The Smart Contract Flaw and Attacker's Strategy

The Level Finance hack was made possible by a logic bug in the claimMultiple function of the LevelReferralControllerV2 smart contract: the function let a caller claim referral rewards for the same epoch (reward period) more than once. The attacker exploited this by creating multiple referral accounts and using flash loans (funds borrowed and repaid within a single transaction) to amplify the referral rewards those accounts earned.

To maximize their gains, the attacker performed dozens of swaps from one token to another, earning a referral reward on every swap. Several earlier attempts failed before the attacker succeeded in executing the exploit and draining about $1.1 million.
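The bug class described above, as an added illustration that is not the LevelReferralControllerV2 source: a simplified referral controller whose batch claim function settles an array of epochs but only records the claimed flag after the loop, so the same epoch can be passed several times in one call, shown beside a version that marks each epoch claimed before adding its reward. Every contract, function and variable name here is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration of the bug class described above (claiming the same
// epoch's referral reward more than once). This is NOT the
// LevelReferralControllerV2 source; all names here are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Shared state: per-epoch referral rewards and a per-epoch claimed flag.
abstract contract ReferralRewardsBase {
    IERC20 public immutable rewardToken;
    // Hypothetical trusted caller (e.g. the trading contract) that credits rewards.
    address public immutable rewardSource;

    // rewards[epoch][referrer]: referral reward earned in that epoch
    mapping(uint256 => mapping(address => uint256)) public rewards;
    // claimed[epoch][referrer]: whether that epoch has already been paid out
    mapping(uint256 => mapping(address => bool)) public claimed;

    constructor(IERC20 _rewardToken, address _rewardSource) {
        rewardToken = _rewardToken;
        rewardSource = _rewardSource;
    }

    function recordReward(uint256 epoch, address referrer, uint256 amount) external {
        require(msg.sender == rewardSource, "not reward source");
        rewards[epoch][referrer] += amount;
    }

    function claimMultiple(uint256[] calldata epochs, address to) external virtual;
}

// VULNERABLE: the claimed flag is only written after all epochs have been
// summed, so the array [5, 5, 5, 5] passes the "already claimed" check four
// times and pays epoch 5's reward four times in one call.
contract ReferralControllerVulnerable is ReferralRewardsBase {
    constructor(IERC20 t, address s) ReferralRewardsBase(t, s) {}

    function claimMultiple(uint256[] calldata epochs, address to) external override {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(!claimed[epoch][msg.sender], "already claimed");
            total += rewards[epoch][msg.sender];   // same epoch counted again
        }
        for (uint256 i = 0; i < epochs.length; i++) {
            claimed[epochs[i]][msg.sender] = true; // too late: loop above already summed
        }
        require(rewardToken.transfer(to, total), "transfer failed");
    }
}

// FIXED: each epoch is marked claimed before its reward is added (effects
// before interactions), so a duplicated epoch reverts on its second visit.
contract ReferralControllerFixed is ReferralRewardsBase {
    constructor(IERC20 t, address s) ReferralRewardsBase(t, s) {}

    function claimMultiple(uint256[] calldata epochs, address to) external override {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(!claimed[epoch][msg.sender], "already claimed");
            claimed[epoch][msg.sender] = true;     // state updated before payout
            total += rewards[epoch][msg.sender];
        }
        require(rewardToken.transfer(to, total), "transfer failed");
    }
}
```

In a Foundry or Hardhat test, calling the vulnerable contract's claimMultiple with [5, 5, 5, 5] pays epoch 5's reward four times, while the fixed contract reverts with "already claimed" on the second visit. The general review check is the one this example makes visible: any batch function that takes a caller-supplied array of keys must either reject duplicates or update the per-key state before that key can be read again, and the "have I paid this already" flag must be written in the same iteration that reads the balance, not in a later loop.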

The Role of Security Audits and Their Limitations

Level Finance had been audited by two independent firms in 2023, yet the exploited vulnerability was not caught. This incident highlights the limits of security audits: an audit is a point-in-time review by a small team, not a guarantee that no exploitable flaw remains, and it should not be treated as one.

Similar cases have occurred with DEX Merlin, which we covered a couple of days ago, and the decentralized music platform Audius, both of which suffered substantial losses despite having been audited. These incidents underline the need for continuous monitoring, for keeping deployed contracts under review as they are updated, and for industry investment in stronger security tooling and practices.

The Aftermath, Community Response, and Lessons Learned

Following the attack, Level Finance assured users that its liquidity pool and DAO treasury were unaffected by the exploit. The DAO released a proposal asking the community to vote on how to handle the 214K LVL tokens the attack added to circulation. Level Finance said it would deploy a fix for the vulnerability within 12 hours and promised to provide updates as its investigation progressed.

The Level Finance hack is yet another lesson for the decentralized finance industry. Strengthening Web3 platforms requires a more comprehensive approach that includes continuous monitoring of deployed contracts. Security audits, while important, are only one layer of a robust security strategy, and this incident is a reminder that defense against such threats needs to be multi-layered.
