An attack on the Level Finance decentralized perpetual exchange on the BNB Chain resulted in the theft of more than $1 million worth of the exchange’s native Level Finance (LVL) token.
In an announcement on May 1, the decentralized platform acknowledged the incident and told its Twitter followers that more than 214,000 LVL tokens had been stolen from the exchange and swapped for 3,345 Binance Coins (BNB), which at press time had an estimated worth of $1,500,000.
An exploit targeted our Referral Controller Contract.
– 214k LVL tokens drained to exploiters address.
– Attacker swapped LVL to 3,345 BNB
– Exploit was isolated from other contracts.
– Fix to be deployed in 12 Hrs.
– LP's and DAO treasury UNAFFECTED.
More details to follow.
— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023
According to the platform's brief statement on Twitter, the exploit was isolated from other contracts, and the liquidity pools and the decentralized autonomous organization (DAO) treasury were unaffected. Even so, the attacker was still able to exchange the stolen LVL tokens for 3,345 Binance Coins (BNB).
Level Finance moves to address the issue
The team added that the fix would be implemented within 12 hours of the statement and advised exchange users to expect a full post-mortem.
The blockchain security company PeckShield said Level Finance’s “LevelReferralControllerV2” smart contract had a bug that permitted “repeated referral claims” from the same epoch. In other words, the contract paid out a referral reward for an epoch more than once.
The hacker reportedly set up an unverified contract a week ago and is allegedly extracting LVL tokens progressively in units of 15,000 via the contract's delegate function, according to certain sources on the CoinMarketCap Community, a claim also confirmed by De.Fi Web3 Antivirus on Twitter. They also claimed that the attacker’s funding came from Tornado Cash, a well-known provider of crypto-mixing services.
🚨 @Level__Finance is UNDER THE ATTACK! 🚨
• An attacker created an unverified contract 7 days ago;
• Using contract's delegate function, attacker is now withdrawing $LVL tokens. pic.twitter.com/UJdM8fO6dj
— De.Fi 🛡️ Web3 Antivirus (@DeDotFiSecurity) May 1, 2023
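The "repeated referral claims" bug described above comes down to a missing one-payout-per-epoch check. The following added example is not Level Finance's code or PeckShield's analysis: it scans a constructed list of claim events for any (claimer, epoch) pair paid more than once, and models the guard that rejects a second claim. The addresses, transaction ids, function names and the ReferralLedger class are hypothetical.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample events, not real chain data: (tx, claimer, epoch, LVL paid).
CLAIMS = [
    ("0xtx01", "0xaaa1", 5, Decimal("120")),
    ("0xtx02", "0xbbb2", 5, Decimal("15000")),
    ("0xtx03", "0xbbb2", 5, Decimal("15000")),
    ("0xtx04", "0xbbb2", 5, Decimal("15000")),
    ("0xtx05", "0xaaa1", 6, Decimal("130")),
]


def find_repeated_claims(events):
    """Flag every (claimer, epoch) pair that was paid more than once."""
    paid = defaultdict(list)
    for tx, claimer, epoch, amount in events:
        paid[(claimer, epoch)].append((tx, amount))
    findings = {}
    for key, rows in paid.items():
        if len(rows) > 1:
            # The first payout is the legitimate one; the rest is excess.
            findings[key] = {
                "claims": len(rows),
                "excess": sum(amount for _, amount in rows[1:]),
                "repeat_txs": [tx for tx, _ in rows[1:]],
            }
    return findings


class ReferralLedger:
    """Hypothetical model of the guard: one payout per (claimer, epoch)."""

    def __init__(self, rewards):
        self.rewards = rewards  # {(claimer, epoch): LVL owed}
        self.claimed = set()

    def claim(self, claimer, epoch):
        key = (claimer, epoch)
        if key in self.claimed:
            raise ValueError("epoch already claimed")
        amount = self.rewards.get(key, Decimal("0"))
        if amount == 0:
            raise ValueError("nothing to claim")
        self.claimed.add(key)  # record the claim before paying out
        return amount
```

The same grouping can run as a monitoring rule over decoded claim events, alerting as soon as one address is paid twice for one epoch.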
The importance of thorough code review and testing emphasized
Some Twitter users underlined the importance of developers carrying out frequent and thorough audits before deploying a smart contract, as this helps to find and address issues. However, they argued that not all developers do this, which can result in bugs going unnoticed.
Many members of the community stressed thorough code review and testing, asserting that this bug could possibly have been discovered with a proper audit. To keep such bugs from going unnoticed, developers must give code review and testing top priority. The use of standardized auditing procedures can also raise the overall level of software development.
Since the incident, the value of the LVL token has dropped drastically. At the time of publication, the Level Finance token’s price on CoinMarketCap was $7.33, a decrease of 16.83% from the previous day.
Smart contract bugs had led to substantial losses before the Level Finance incident. A number of similar incidents in recent years have highlighted the need for better security measures and risk management procedures in the DeFi sector.