Decentralized exchange Level Finance suffered a security breach that allowed attackers to steal more than $1 million in the exchange's native Level Finance (LVL) token.
Level Finance notified its 20,000 Twitter followers that over 214,000 exchanges' LVL tokens have been evacuated and exchanged for 3,345 Binance Coins, valued at approximately $1.01 million. According to blockchain security firm Peckshield, Level Finance's “LevelReferralControllerV2” smart contract contained a bug that allowed “ duplicate referral statements” from the same time period. Level Finance confirmed this in a statement later on Discord.
Meanwhile, the v2 controller contract shows multiple calls to the “claim multiple” function in the past 48 hours, according to data from Binance Chain Explorer BSC Scan. At the time of writing, the execution of the contract appears to have been unchanged since the attack; however, Level Finance said it will deploy a new recommended contract implementation within the next 12 hours.
The exchange also noted that its liquidity pool and associated DAO remained unaffected by the attack. According to DeDotFiSecurity on Twitter, the team said it had "temporarily turned off the referral program," preventing the exploit. On Discord, Level Finance said the bug has been isolated from others and users of the exchange should "wait for a full post-mortem analysis."
