Level Finance Hacked for $1.1 Million in LVL Tokens

Summary

On May 1, 2023, Level Finance, a decentralized finance (DeFi) protocol, was hacked for $1.1 million in LVL tokens. The attacker exploited a vulnerability in the protocol’s Referral Controller Contract.

Attackers

The identity of the attacker is unknown.

BSC:

• 0x70319d1c09e1373fc7b10403c852909e5b20a9d5

Losses

The attacker stole 214,000 LVL tokens and swapped LVL to 3,345 BNB, which were worth approximately $1.1 million at the time of the hack.

Timeline

• April 24, 2023, 01:52:59 PM +UTC: First failed hack attempt
• May 1, 2023, 05:50:41 PM +UTC: First successful hack attempt
• May 1, 2023, 08:54 PM +UTC: The Level Finance team announced the hack on Twitter
• May 2, 2023: The DAO has released a proposal asking for votes on how the community should handle the 214K LVL tokens added to circulation by the attack.

Security Failure Causes

• Failed Precondition Checks: The Level Finance hack was made possible by failed precondition checks. In theory, the protocol is designed to allow a user to claim a referral reward once per epoch. However, the protocol lacked checks to ensure that an epoch is not being reused by a claim.